
I currently have an implementation of spring security with oauth2 running on spring boot. It is working as expected, and I have set the validity of access tokens to 10 minutes and refresh tokens to 30 days.

However, I would like to be able to invalidate the refresh token if a user has lost a device and wants that client to be logged out.

My token store looks as following:

import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

// Converter that signs and verifies the JWTs with the configured secret
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
    final JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
    jwtAccessTokenConverter.setSigningKey(this.secret);
    return jwtAccessTokenConverter;
}

// Stateless store: the tokens are self-contained JWTs, so nothing is persisted
@Bean
public TokenStore tokenStore() {
    return new JwtTokenStore(jwtAccessTokenConverter());
}

After looking at the JwtTokenStore class, the storeRefreshToken and storeAccessToken methods are blank, as expected: since the tokens are signed, they don't have to be stored.

My plan was to store the generated refresh tokens in a database and then include this as a requirement for the refresh token to be valid.

I've been looking at the JwtTokenStore class and it looks like it can have an optional ApprovalStore. Is this the right direction to go to solve this problem?

  • Possible duplicate of [Revoke JWT Oauth2 Refresh Token](https://stackoverflow.com/questions/32617645/revoke-jwt-oauth2-refresh-token) – Mathias Dpunkt Jun 08 '17 at 11:44
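The plan in the question, a server-side record of issued refresh tokens that must still be present (and not revoked) for a refresh grant to succeed, can be implemented by subclassing JwtTokenStore rather than by using its ApprovalStore. The example below is added here and is not code from the question, the answer or Spring Security OAuth; the class names RevocableJwtTokenStore and RefreshTokenRecord are hypothetical, and the ConcurrentHashMap stands in for the database table the question intends to use. It relies on two facts about the framework: DefaultTokenServices calls storeRefreshToken() whenever it issues a refresh token (JwtTokenStore's version is a no-op) and calls readRefreshToken() on every refresh grant, rejecting the grant with "Invalid refresh token" when that returns null.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 * Hypothetical JwtTokenStore subclass (not part of Spring Security OAuth) that
 * records every refresh token it issues and lets the application revoke them
 * one at a time, so a single lost device can be logged out without touching
 * the user account or the client registration.
 */
public class RevocableJwtTokenStore extends JwtTokenStore {

    /** Stand-in for a database row; persist this with JPA/JDBC in practice. */
    public static final class RefreshTokenRecord {
        final String username;
        final String clientId;
        volatile boolean revoked;

        RefreshTokenRecord(String username, String clientId) {
            this.username = username;
            this.clientId = clientId;
        }
    }

    // Keyed by the raw token value for the demo. A real table should key on a
    // SHA-256 of the value so a leaked table does not hand out usable credentials.
    private final Map<String, RefreshTokenRecord> issued = new ConcurrentHashMap<>();

    public RevocableJwtTokenStore(JwtAccessTokenConverter converter) {
        super(converter);
    }

    /** Called once per issued refresh token; records who it belongs to. */
    @Override
    public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) {
        String clientId = authentication.getOAuth2Request().getClientId();
        issued.put(refreshToken.getValue(), new RefreshTokenRecord(authentication.getName(), clientId));
    }

    /** Called on each refresh grant: unknown or revoked tokens are rejected before the JWT is parsed. */
    @Override
    public OAuth2RefreshToken readRefreshToken(String tokenValue) {
        RefreshTokenRecord record = issued.get(tokenValue);
        if (record == null || record.revoked) {
            return null;
        }
        return super.readRefreshToken(tokenValue); // signature verification still happens here
    }

    /** Called when a refresh token is rotated; drop the row so the table does not grow without bound. */
    @Override
    public void removeRefreshToken(OAuth2RefreshToken token) {
        issued.remove(token.getValue());
        super.removeRefreshToken(token);
    }

    /** Log out one device. A real "your sessions" page would identify the row by id and device label, not by token value. */
    public boolean revoke(String tokenValue) {
        RefreshTokenRecord record = issued.get(tokenValue);
        if (record == null) {
            return false;
        }
        record.revoked = true;
        return true;
    }

    /** Log out every device of a user, e.g. after a password reset or a suspected compromise. Returns how many were revoked. */
    public int revokeAllForUser(String username) {
        int count = 0;
        for (RefreshTokenRecord record : issued.values()) {
            if (record.username.equals(username) && !record.revoked) {
                record.revoked = true;
                count++;
            }
        }
        return count;
    }
}
```

To use it, the tokenStore() bean from the question returns a RevocableJwtTokenStore built from the same jwtAccessTokenConverter() instead of a plain JwtTokenStore. Two points worth checking in a deployment: revoking a refresh token does not invalidate access tokens already issued from it, so the 10 minute access token lifetime in the question is the upper bound on how long the lost device keeps working after revocation; and the ApprovalStore path the question asks about is coarser than this, because JwtTokenStore only checks that the user still has approvals for the client and scopes, so removing an approval logs out every device that shares that client id, which is exactly the situation Mellet describes where clients are not unique per device.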

1 Answer


I think the problem is very similar to the one described here. So you might want to look at the accepted answer.

Apart from this, I have two additional ideas I would like to share:

Delete the client

It really depends on how you use client ids. But you could, of course, delete a client - this would make the refresh process fail.

Deactivate the user

From the documentation:

if you inject a UserDetailsService or if one is configured globally anyway (e.g. in a GlobalAuthenticationManagerConfigurer) then a refresh token grant will contain a check on the user details, to ensure that the account is still active

So if you are using a UserDetailsService and your token is associated with a user you could deactivate the user to make the refresh process fail.

  • In my case my clients are not unique, so that won't work. I would need to register unique clients per device a user signs in on then. Deactivating a user would not work either. Let's say your phone is stolen and has a 20 day refresh token stored on it; now you want to deactivate that token so the stolen phone can't access your account. Deactivating the user would do the trick, but now you can't sign in yourself on a new device. And if you reactivate the account within the 20 days, the token that is stored on the stolen phone is still valid. – Mellet Jun 08 '17 at 15:32
  • @Mellet it was just an idea I found worth mentioning. Did you find another solution? – Mathias Dpunkt Jun 08 '17 at 20:52
  • 20 day refresh token seems to be a lot of time. It would be less than a week or just hours. – Wilder Valera Nov 21 '17 at 18:50