At user logout, I would like to revoke the refresh token too. The problem is that I cannot find it in the LogoutHandler; I only have the access token. Also, the Authentication object is null.

Configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .....
        .and()
            .csrf().disable()
            .logout()
                .logoutUrl("/logout").permitAll()
                .addLogoutHandler(customLogoutHandler)
                .deleteCookies("rememberMe")
                .logoutSuccessUrl(loginPage)
        .....
        ;
}
Michal Foksa

1 Answer

You may try to do a global search for @Component("customLogoutHandler"), @Service("customLogoutHandler"), "customLogoutHandler", etc. in your project.

I have a similar setup with a logout success handler in the Configuration file that looks like this:

@Autowired
private LogoutSuccessHandler myLogoutSuccessHandler;

Then the custom handler; mind you, revoking the refresh token will depend on what type of TokenStore you are using (JDBC, InMemory, etc.):

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

@Component("myLogoutSuccessHandler")
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        // logic to revoke tokens (depends on the TokenStore in use)
    }

}
z.eljayyo
  • :( Can you please elaborate more on "logic to revoke tokens" by means of `LogoutSuccessHandler`? – Michal Foksa Sep 01 '17 at 20:38
  • What are you using for TokenStore? – z.eljayyo Sep 02 '17 at 21:10
  • I am using `JdbcTokenStore`. – Michal Foksa Sep 03 '17 at 06:14
  • Not sure about your configuration for the Authorisation server; you will need to add a DefaultTokenServices bean and then invoke the revokeToken() method from the logout success handler. This might help: https://stackoverflow.com/questions/21992201/how-to-revoke-auth-token-in-spring-security – z.eljayyo Sep 04 '17 at 08:51
  • `DefaultTokenServices.revokeToken()` pointed me in the right direction. The missing key to the question was the `OAuth2AccessToken.getRefreshToken()` method. With that I can find and revoke the refresh token. – Michal Foksa Sep 04 '17 at 09:48
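Putting the thread's conclusion into one handler, as an added example that is not code from the question or the answer: a LogoutHandler that looks the presented access token up in the TokenStore and removes it together with the refresh token returned by `OAuth2AccessToken.getRefreshToken()`, without relying on the Authentication object (which the question says is null). It assumes the logout request carries the access token as a Bearer Authorization header and that a TokenStore bean (e.g. the JdbcTokenStore) is injectable; the class name is hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.stereotype.Component;

// Hypothetical handler: revokes the access token presented on the logout request
// and the refresh token it was issued with, so neither can be used afterwards.
@Component("customLogoutHandler")
public class RevokeTokensLogoutHandler implements LogoutHandler {

    private static final String BEARER_PREFIX = "Bearer ";
    private final TokenStore tokenStore; // assumption: the JdbcTokenStore bean is injectable

    public RevokeTokensLogoutHandler(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // Authentication may be null here, so read the token from the request itself.
        // Assumption: the client sends it as "Authorization: Bearer <token>".
        String tokenValue = extractBearerToken(request.getHeader("Authorization"));
        if (tokenValue == null) {
            return; // nothing presented, nothing to revoke
        }
        OAuth2AccessToken accessToken = tokenStore.readAccessToken(tokenValue);
        if (accessToken == null) {
            return; // unknown, expired-and-purged, or already revoked token
        }
        // Remove the refresh token first: the access token is the only link to it.
        OAuth2RefreshToken refreshToken = accessToken.getRefreshToken();
        if (refreshToken != null) {
            tokenStore.removeRefreshToken(refreshToken);
        }
        tokenStore.removeAccessToken(accessToken);
    }

    // Returns the bare token value, or null if the header is absent or not a Bearer header.
    static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.regionMatches(
                true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return null;
        }
        String token = authorizationHeader.substring(BEARER_PREFIX.length()).trim();
        return token.isEmpty() ? null : token;
    }
}
```

The body of `logout` does the same lookup and removal that `DefaultTokenServices.revokeToken(tokenValue)` performs internally, so if a DefaultTokenServices bean is already configured, calling that method with the extracted value is an equivalent one-liner.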