
I have a mobile application that uses my Spring Boot backend for things like authentication and accessing data. A part of the Spring Boot application accesses data from a resource server using OAuth2. I stumbled across an oauth2 client library for Spring that does its magic and everything just works out of the box.

As I'm trying to figure out how this library does its work, I can't seem to find an answer to the way it handles refresh tokens. I'm aware that the oauth2client is bound to a session for each user but what happens when the session ends? Wouldn't the access and refresh tokens get lost?

I was looking for ways to persist the refresh token for each user in my database but I didn't find any support for that in the library. This leaves me wondering if I have to implement this myself or if there's even a need to do so.

Any advice is appreciated!

1 Answer


Basically the OAuth2 architecture is used for 3rd-party authentication and authorization. In this mechanism the credentials remain secured and aren't passed on, while everything works upon tokens! But you can use it to work implicitly for your own authentication too.

In your case, first when you hit "/oauth/token" (default endpoint) along with the client-secret and client-Id and the rest of the user credentials, the algo checks for the user details in the DB and matches the secret and Id present in the header of the request. If everything goes fine it'll generate bearer-type access and refresh tokens and will store these tokens in different collections in the database. This particular user is mapped to these tokens and can access /api's using them only. No user creds are required. You can use MongoTokenStore if you're using MongoDb for storing and accessing stored tokens.

Next you have to configure WebSecurity/AuthorizationServer/ResourceServer for checking endpoints and header tokens, authentication and authorization of users, and providing valid tokens access to the resource respectively.

Lastly, when you have a valid access token and hit an api with a correct header request, the server grants you permission to access the resource!

This is the basic functionality of OAuth 2.0.

Normally Access Tokens have a shorter lifetime while Refresh Tokens have a comparatively longer lifetime. Once an Access Token expires, a new Access Token can be generated using the Refresh Token. If the Refresh Token expires then you have to hit the "/oauth/token" api again, complete the flow cycle and generate tokens again. After expiry, when you hit an api with the existing access token, they are removed from the collection. This is the default architecture of this mechanism; the rest you can make custom classes and modify its functionality according to your needs! This architecture is quite secure and is a good practice.

[Screenshot: flow diagram]

Check this post from digitalocean.

Edits:

  1. Personally I used MongoDB where I made two collections, AuthAccessTokens and AuthRefreshTokens, where these two were stored. The Access Token object has an Id of the associated RefreshToken which helps to map these two together. Other custom additional info can also be added using TokenEnhancer. Therefore tokens will always be present in the DB unless expired. And in layman's terms, if you are just focusing on Backend stuff you can always check for your access tokens by hitting "/oauth/token" with correct user creds and it will return the assigned token by fetching it from the DB; else if you're developing full stack, after generating the tokens on the first step just store them on the client end, either in the browser's local storage or the app. And if you want to deliberately end the session, for example in Logout, just remove these tokens from their respective collections.
Naman
  • But if I'm using my Spring application as a client to make OAuth2 secured calls on behalf of my users, do I need to save their refresh tokens in my own db? Because what will happen if the session expires and the refresh token gets lost. Does the 'oauth/token' endpoint get called for new tokens? Don't you need an authorization code for that? – David - ACA Group Oct 14 '19 at 07:49
  • I want to save the refresh token in my database for each user that requests his data. My Spring application is a client. I found out that I have to implement a JdbcClientTokenServices bean that does this for me. Thanks for your help – David - ACA Group Oct 14 '19 at 12:25
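As an added example (not code from the question, the answer or the Spring project), this is how the JdbcClientTokenServices bean mentioned in the last comment is wired into the legacy spring-security-oauth2 client so that a user's access and refresh tokens outlive the HTTP session. It assumes a configured javax.sql.DataSource, an OAuth2ProtectedResourceDetails bean for the resource server, and the session-scoped OAuth2ClientContext that the library's @EnableOAuth2Client provides.

```java
import javax.sql.DataSource;

import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.ClientTokenServices;
import org.springframework.security.oauth2.client.token.JdbcClientTokenServices;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider;

@Configuration
public class ClientTokenPersistenceConfig {

    /*
     * Table expected by JdbcClientTokenServices (create it in your schema):
     *   create table oauth_client_token (
     *     token_id          varchar(256),
     *     token             longvarbinary,   -- serialized OAuth2AccessToken, refresh token included
     *     authentication_id varchar(256) primary key,
     *     user_name         varchar(256),
     *     client_id         varchar(256)
     *   );
     * The token column holds live bearer and refresh tokens, so lock down
     * access to this table as tightly as you would for stored credentials.
     */
    @Bean
    public ClientTokenServices clientTokenServices(DataSource dataSource) {
        return new JdbcClientTokenServices(dataSource);
    }

    @Bean
    public OAuth2RestTemplate oauth2RestTemplate(OAuth2ProtectedResourceDetails resourceDetails,
                                                 OAuth2ClientContext clientContext,
                                                 ClientTokenServices clientTokenServices) {
        OAuth2RestTemplate template = new OAuth2RestTemplate(resourceDetails, clientContext);
        // The chain looks up a stored token for (authenticated user, resource) before starting
        // a new authorization-code flow, uses the stored refresh token when the access token
        // has expired, and writes newly obtained tokens back through clientTokenServices.
        AccessTokenProviderChain chain = new AccessTokenProviderChain(
                Arrays.asList(new AuthorizationCodeAccessTokenProvider()));
        chain.setClientTokenServices(clientTokenServices);
        template.setAccessTokenProvider(chain);
        return template;
    }
}
```

Calling clientTokenServices.removeAccessToken(resourceDetails, authentication) on logout deletes the stored row, which is the client-side equivalent of the collection cleanup the answer describes.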