7

We are securing out REST services using spring security OAuth2. Applications can call into either the /oauth/authorize, /oauth/token or /rest-api endpoints. The token and rest-api endpoints are stateless and do not need a session.

Can we invalidate the session after the user is authenticated? If so, what is the best approach. We want the user to sign-in always whenever a call to /oauth/authorize is made. Currently, calls to /oauth/authorize are skipping authentication whenever a session exists.

Shashank Agrawal
  • 25,161
  • 11
  • 89
  • 121
mpusarla
  • 487
  • 4
  • 14
  • 1
    Is hitting /logout not working for you ? – de_xtr Oct 08 '15 at 04:10
  • 2
    we don't want to invoke an endpoint. After the user is authenticated and token generated, we don't want the session to exist anymore and want to handle it as part of the authentication flow. – mpusarla Oct 09 '15 at 01:41
  • Have you managed to figure this out? – Marius Oct 29 '15 at 09:42
  • We decided not to do invalidate the session. If the session already exists, user will not get prompted for credentials. – mpusarla Nov 02 '15 at 15:13

4 Answers4

4

Understanding that the question is a bit old, I hope that the following could be helpful for those who search for the correct answer for the question

OP asked not about tokens invalidation, but how to invalidate httpSession on Spring OAuth2 server right after user authentication successfully passed and a valid access_token or authorization_code (for subsequent getting of access_token) returned to a client.

There is no out-of-the-box solution for this use-case still. But working workaround from the most active contributor of spring-security-oauth, Dave Syer, could be found here on GitHub

Just copy of the code from there:

@Service
@Aspect
public class SessionInvalidationOauth2GrantAspect {

    private static final String FORWARD_OAUTH_CONFIRM_ACCESS = "forward:/oauth/confirm_access";
    private static final Logger logger = Logger.getLogger(SessionInvalidationOauth2GrantAspect.class);

    @AfterReturning(value = "within(org.springframework.security.oauth2.provider.endpoint..*) && @annotation(org.springframework.web.bind.annotation.RequestMapping)", returning = "result")
    public void authorizationAdvice(JoinPoint joinpoint, ModelAndView result) throws Throwable {

        // If we're not going to the confirm_access page, it means approval has been skipped due to existing access
        // token or something else and they'll be being sent back to app. Time to end session.
        if (!FORWARD_OAUTH_CONFIRM_ACCESS.equals(result.getViewName())) {
            invalidateSession();
        }
    }

    @AfterReturning(value = "within(org.springframework.security.oauth2.provider.endpoint..*) && @annotation(org.springframework.web.bind.annotation.RequestMapping)", returning = "result")
    public void authorizationAdvice(JoinPoint joinpoint, View result) throws Throwable {
        // Anything returning a view and not a ModelView is going to be redirecting outside of the app (I think). 
        // This happens after the authorize approve / deny page with the POST to /oauth/authorize. This is the time
        // to kill the session since they'll be being sent back to the requesting app.
        invalidateSession();
    }

    @AfterThrowing(value = "within(org.springframework.security.oauth2.provider.endpoint..*) &&  @annotation(org.springframework.web.bind.annotation.RequestMapping)", throwing = "error")
    public void authorizationErrorAdvice(JoinPoint joinpoint) throws Throwable {
        invalidateSession();
    }

    private void invalidateSession() {
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes())
                .getRequest();
        HttpSession session = request.getSession(false);
        if (session != null) {
            logger.warn(String.format("As part of OAuth application grant processing, invalidating session for request %s", request.getRequestURI()));

            session.invalidate();
            SecurityContextHolder.clearContext();
        }
    }

}

add pom.xml

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aspects</artifactId>
</dependency>

Another solution could be to set session time out to some very small value. The simplest way to achieve that is put the following to application.yml config:

server:
  session:
    timeout: 1

But it's not ideal solution as the minimum value could be provider is 1 (zero is reserved for infinite sessions) and it is in minutes not in seconds

AlexK
  • 118
  • 8
  • It was helpful for someone. Tks for sharing! – Reginaldo Santos Apr 25 '18 at 20:23
  • 2
    By the way, I've change the @Aspect approach for one HandlerInterceptor verifying also the redirection Url, because the aspect was always invalidating the session, even when user mistype his/her credentials. After that, no redirection was possible. – Reginaldo Santos Apr 26 '18 at 20:16
  • 2
    @ReginaldoSantos, thanks for the feedback! We also switched to HandlerInterceptor recently :-) – AlexK Apr 27 '18 at 09:48
2

From what I understand, you are trying to programmatically logout after you have undertaken certain set of actions. Probably you should look into the SecurityContextLogoutHandler and see how it works. There is a method for logout there. I think calling it as an advice will solve your problem.

public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
      Assert.notNull(request, "HttpServletRequest required");
      if (invalidateHttpSession) {
          HttpSession session = request.getSession(false);
          if (session != null) {
              session.invalidate();
          }
      }

      SecurityContextHolder.clearContext();
  }
de_xtr
  • 882
  • 2
  • 10
  • 21
2

First: in your configuration declare bean with token store for oauth

@Bean
@Primary
public TokenStore tokenStore() {
    return new InMemoryTokenStore();
}

For controller approach we made the following class

@Controller
 public class TokenController {

    @RequestMapping(value = "/oauth/token/revoke", method = RequestMethod.POST)
    public @ResponseBody void create(@RequestParam("token") String value) {
        this.revokeToken(value);
    }

    @Autowired
    TokenStore tokenStore;

    public boolean revokeToken(String tokenValue) {
        OAuth2AccessToken accessToken = tokenStore.readAccessToken(tokenValue);
        if (accessToken == null) {
            return false;
        }
        if (accessToken.getRefreshToken() != null) {
            tokenStore.removeRefreshToken(accessToken.getRefreshToken());
        }
        tokenStore.removeAccessToken(accessToken);
        return true;
    }
}

If you don't wan't to use this approach you can grab current user's token autowiring Principal:

    OAuth2Authentication authorization = (OAuth2Authentication) principal;
    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authorization.getDetails();
    String token = details.getTokenValue();

Or even autowiring OAuth2Authentication:

    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authentication.getDetails();
    String token = details.getTokenValue();
Trynkiewicz Mariusz
  • 2,722
  • 3
  • 21
  • 27
  • 2
    I don't see this as a valid answer as long as it doesn't invalidate the session. Moreover, removing token from tokenStore does not applies to all kind of tokenStores: e.g. JwtTokenStore. – Reginaldo Santos Apr 25 '18 at 20:04
1

I can offer such an option (according to @de_xtr recomendation):

import static org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes;

@Slf4j
@Component
@Aspect
public class InvalidateSessionAspect {

    private final LogoutHandler logoutHandler;

    public InvalidateSessionAspect() {
        logoutHandler = new SecurityContextLogoutHandler();
    }

    @Pointcut("execution(* org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(..))")
    public void postAccessTokenPointcut() {
    }

    @AfterReturning(value = "postAccessTokenPointcut()", returning = "entity")
    public void invalidateSession(JoinPoint jp, Object entity) {
        log.debug("[d] Trying to invalidate the session...");
        ServletRequestAttributes requestAttributes = (ServletRequestAttributes) currentRequestAttributes();
        HttpServletRequest request = requestAttributes.getRequest();
        logoutHandler.logout(request, null, null);
        log.debug("[d] Session has been invalidated");
    }
}

And the option without any aspects:

@Slf4j
class LogoutHandlerInterceptor implements HandlerInterceptor {
    @Override
    public void postHandle(HttpServletRequest req, HttpServletResponse resp, Object h, ModelAndView view) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            log.debug("[d] Trying to invalidate the session...");
            session.invalidate();
            SecurityContext context = SecurityContextHolder.getContext();
            context.setAuthentication(null);
            SecurityContextHolder.clearContext();
            log.debug("[d] Session has been invalidated");
        }
    }
}

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    //...

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.addInterceptor(new LogoutHandlerInterceptor())
                // ... 
                ;
    }
}
Cepr0
  • 28,144
  • 8
  • 75
  • 101