
I'm facing an issue with Spring Security OAuth 2: at first connection I'm getting my token and refresh token, everything is OK.

But it seems the token is never checked; when it expires no refresh request is made, nothing happens and I'm still authenticated.

I debugged the issue and I noticed that my OAuth2ClientAuthenticationProcessingFilter is never called after the first authentication.

Here is how I define this filter:

    @Bean
    public OAuth2ClientAuthenticationProcessingFilter oAuth2ClientAuthenticationProcessingFilter() {
        // The constructor argument is the filter's defaultFilterProcessesUrl, i.e. the
        // request path the filter reacts to; the pattern is kept exactly as posted.
        OAuth2ClientAuthenticationProcessingFilter filter = new OAuth2ClientAuthenticationProcessingFilter("/myApp/**|/api/**");
        filter.setRestTemplate(oAuth2RestTemplate); // OAuth2RestTemplate field, wired elsewhere in the config
        filter.setTokenServices(tokenService);      // token services field, wired elsewhere in the config
        return filter;
    }

Any help would be welcome; I've been struggling on this one for a couple of hours.

Seb

1 Answer

Once a user has been authenticated to your application (i.e. the authentication is set in the SecurityContext), it will remain authenticated until the HTTP session expires. It doesn't matter whether it has been authenticated by OAuth2ClientAuthenticationProcessingFilter or BasicAuthenticationFilter or any other authentication filter.

For example: if you have set session expiration to 30 min, and a user logs in to your application from a browser and is authenticated to your application via OAuth 2 authentication, then the next requests from the browser will have JSESSIONID set in the cookie and the server will identify from the security context that the session is already authenticated and not ask for further authentication. Now if the user goes to the auth-providing server and revokes the token before the session has expired on your application server, it won't affect authentication on your application. The user will remain logged in to your application until the session expires (due to 30 min of inactivity, or by clearing the security context, or possibly any other means like clearing cookies etc.).

vsoni
  • That shouldn't be linked to my session; my token is a 10-minute token and I don't want it to last longer. – Seb Nov 16 '17 at 15:54
  • From my point of view the session is just where the token is stored; it shouldn't have anything to do with token life. – Seb Nov 16 '17 at 15:55
  • True, the session has nothing to do with token life. If you can let me know your use case, I'll be in a better position to look into it. – vsoni Nov 16 '17 at 16:31
  • No worries, it's a very classic use case: I have a remote OAuth server delivering an access token and a refresh token (10 minutes and 1 hour respectively). Once my token is expired, I want it to be refreshed. At the moment my filter OAuth2ClientAuthenticationProcessingFilter is not called in case the token is expired. – Seb Nov 16 '17 at 16:36
  • Then you should probably try with session creation policy set to "never" or "stateless" to ensure that every request is re-authenticated (ref: http://www.baeldung.com/spring-security-session), because your server does not have any way to know when your token is going to expire or whether it has been revoked or not. – vsoni Nov 16 '17 at 17:02
  • My client knows when the token expires because I get the expiry time when I first get the token. – Seb Nov 16 '17 at 17:04
  • Another way could be to add a new filter with the highest priority (to your existing configuration) which would check if the token is expired; if expired, then invalidate the session. – vsoni Nov 17 '17 at 06:28
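One way to implement the last suggestion (a filter that checks the stored token on every request, refreshes it when a refresh token is available, and otherwise drops the local session), written as an added example that is not code from the question or the answer. It assumes the legacy spring-security-oauth2 classes the question uses (OAuth2ClientContext, OAuth2RestTemplate, OAuth2AccessToken), a session-scoped OAuth2ClientContext as set up by @EnableOAuth2Client, and registration after SecurityContextPersistenceFilter; the class name and wiring are hypothetical.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter; register it after SecurityContextPersistenceFilter, e.g.
//   http.addFilterAfter(tokenExpiryFilter, SecurityContextPersistenceFilter.class);
public class TokenExpiryFilter extends OncePerRequestFilter {
    private final OAuth2ClientContext clientContext; // session-scoped, holds the stored token
    private final OAuth2RestTemplate restTemplate;   // its AccessTokenProviderChain does the refresh

    public TokenExpiryFilter(OAuth2ClientContext clientContext, OAuth2RestTemplate restTemplate) {
        this.clientContext = clientContext;
        this.restTemplate = restTemplate;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        OAuth2AccessToken token = clientContext.getAccessToken();
        // isExpired() uses the expiry the client received with the token (expires_in).
        if (token != null && token.isExpired()) {
            boolean refreshed = false;
            if (token.getRefreshToken() != null) {
                try {
                    // Runs the refresh grant and stores the new token in the client context.
                    refreshed = !restTemplate.getAccessToken().isExpired();
                } catch (RuntimeException refreshFailed) {
                    refreshed = false; // e.g. refresh token revoked or expired at the server
                }
            }
            if (!refreshed) {
                // No usable token: drop the local session so the request is re-authenticated.
                SecurityContextHolder.clearContext();
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.invalidate();
                }
            }
        }
        chain.doFilter(request, response);
    }
}
```

With the session gone, the following filters see no authentication and the normal entry point sends the user back through OAuth2ClientAuthenticationProcessingFilter, so a 10-minute token stops outliving itself by riding on a 30-minute HTTP session.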