Let's say we have an admin who wants to invalidate all of a user's tokens (effectively logging the user out everywhere), but without blocking the account. The user should still be able to log in normally.

Example:

clientIds.forEach(clientId -> {
    Collection<OAuth2AccessToken> accessTokens = tokenStore.findTokensByClientIdAndUserName(clientId, username);
    accessTokens.forEach(accessToken -> tokenServices.revokeToken(accessToken.getValue()));
});

This works fine ONLY IF the access tokens are still valid (not expired), because the access tokens are found and, based on them, revokeToken invalidates both the access and the refresh tokens. However, if the access token is expired, findTokensByClientIdAndUserName does not find anything, so nothing is invalidated and the refresh token is still valid and ready to be used.

I've looked everywhere, and it looks like everyone revokes refresh tokens either by using access token or by passing refresh token value as request parameter.

Is it possible to find refresh token without using access token?

Sikor

1 Answer


You can implement the TokenStore interface yourself and add a method such as:

OAuth2RefreshToken findRefreshTokenByUserName(String userName);

Ortomala Lokni
  • I've considered this, but after looking into schema of `oauth_refresh_token` table, there's no `username` field in there. It's only present in `oauth_access_token` table. Creating completely new `TokenStore` seems like an overkill, so instead I'm going to extend the `JdbcTokenStore`, add `findRefreshTokenByUserName` as you proposed and also override `storeRefreshToken` method to also include the username. Thanks for the suggestion :) – Sikor May 06 '19 at 09:04
  • I've looked a bit more into it, and `oauth_refresh_token` has `authentication` field, so technically it is possible to retrieve `username` from there, but that would require me to select literally all the tokens, deserialize their `authentication` field and filter by username. That's a big no, so I will stick to extending the table by an additional column. – Sikor May 06 '19 at 09:17
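One way to carry out the approach settled on in the comments (extend JdbcTokenStore, record the user name with each refresh token, revoke by user). This is an added example, not code from the question, the answer, or the Spring Security OAuth project; it assumes a `user_name` column has been added to `oauth_refresh_token`, and the class name and method names are hypothetical.

```java
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

/**
 * JdbcTokenStore extension that records the user name next to each refresh token,
 * so a user's refresh tokens can be revoked even after every access token has expired.
 * Assumed schema change (hypothetical): ALTER TABLE oauth_refresh_token ADD user_name VARCHAR(256);
 */
public class UserAwareJdbcTokenStore extends JdbcTokenStore {

    private final JdbcTemplate jdbc;

    public UserAwareJdbcTokenStore(DataSource dataSource) {
        super(dataSource);
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) {
        super.storeRefreshToken(refreshToken, authentication);
        // token_id is the hashed key the parent store uses, so update the row it just inserted
        jdbc.update("update oauth_refresh_token set user_name = ? where token_id = ?",
                authentication.getName(), extractTokenKey(refreshToken.getValue()));
    }

    /** All refresh tokens issued to the given user, across every client (no access token needed). */
    public List<OAuth2RefreshToken> findRefreshTokensByUserName(String userName) {
        return jdbc.query("select token from oauth_refresh_token where user_name = ?",
                (rs, rowNum) -> deserializeRefreshToken(rs.getBytes("token")), userName);
    }

    /** Revoke every refresh token for a user, plus any access token still tied to it; the account stays enabled. */
    public int revokeAllTokensForUser(String userName) {
        List<OAuth2RefreshToken> tokens = findRefreshTokensByUserName(userName);
        for (OAuth2RefreshToken token : tokens) {
            removeAccessTokenUsingRefreshToken(token); // harmless if the access token already expired or was removed
            removeRefreshToken(token);
        }
        return tokens.size();
    }
}
```

Refresh tokens issued before the column was added have a null `user_name` and will not be found by this query, so existing rows need a one-off backfill (or expiry) before relying on it for revocation.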