We are using Spring Security OAuth2 service. We maintain a blacklist of refresh tokens in memory. Whenever the Authorization server gets a request with the refresh token (to renew the user token), we want to validate against this blacklist.

What is the Spring callback method where I can make this check? We have looked at JDBCApprovalStore, but are looking for a simpler solution only for invalidation of refresh tokens.

Narendra Naidu
  • Have you tried removing the refresh token from `TokenStore`? – Prav Nov 14 '17 at 18:25
  • That way you probably wouldn't need a blacklist. Another option is to [override the default refresh token endpoint](https://stackoverflow.com/questions/22222966/how-to-change-spring-security-oauth2-default-token-endpoint#answer-27860080) in `AuthorizationServerEndpointsConfigurer` and provide your own one. – Prav Nov 14 '17 at 18:30
  • I am using JWT. Hence there is no token store actually. – Narendra Naidu Nov 15 '17 at 05:15
  • Hi, did you find a solution to your problem? – Deniss M. Apr 10 '18 at 12:28
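
One place the check described in the question can sit, shown as an added example that is not part of the original question or its comments: a subclass of Spring Security OAuth2's `DefaultTokenServices` that consults the in-memory blacklist before a refresh is processed. The class name `BlacklistAwareTokenServices` and the `revoke()` helper are hypothetical, and the blacklist is assumed to hold raw refresh token values on a single authorization server instance.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;

/**
 * Added example (not from the original page): rejects blacklisted refresh
 * tokens before any new access token is issued.
 * The class name and revoke() are hypothetical.
 */
public class BlacklistAwareTokenServices extends DefaultTokenServices {

    // In-memory blacklist of raw refresh token values. Assumption: a single
    // authorization server instance; entries are lost on restart.
    private final Set<String> revokedRefreshTokens = ConcurrentHashMap.newKeySet();

    /** Called by the application's own logout or revocation logic. */
    public void revoke(String refreshTokenValue) {
        revokedRefreshTokens.add(refreshTokenValue);
    }

    @Override
    public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest)
            throws AuthenticationException {
        // Fail closed: the null check comes first because the concurrent set
        // does not accept null, and the blacklist is consulted before the
        // parent class validates the token and issues a new access token.
        if (refreshTokenValue == null || revokedRefreshTokens.contains(refreshTokenValue)) {
            // Reported to the client as an OAuth2 "invalid_grant" error.
            throw new InvalidGrantException("Invalid refresh token");
        }
        return super.refreshAccessToken(refreshTokenValue, tokenRequest);
    }
}
```

An instance of this class is registered through `AuthorizationServerEndpointsConfigurer.tokenServices(...)`; because that replaces the default token services, the token store, the token enhancer, the client details service and `setSupportRefreshToken(true)` have to be set on the instance explicitly.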

0 Answers