Spring Security oauth2 with jwt, revocation of refresh token


Question

I currently have an implementation of Spring Security with OAuth2 running on Spring Boot. It is working as expected, and I have set the validity of access tokens to 10 minutes and refresh tokens to 30 days.

However, I would like to be able to invalidate the refresh token if a user has lost a device and wants that client to be logged out.

My token store is as follows:

@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
    // Signs and verifies the JWT access and refresh tokens with a shared secret
    final JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
    jwtAccessTokenConverter.setSigningKey(this.secret);
    return jwtAccessTokenConverter;
}

@Bean
public TokenStore tokenStore() {
    // Stateless store: the tokens are self-contained, so nothing is persisted
    return new JwtTokenStore(jwtAccessTokenConverter());
}

After looking at the JwtTokenStore class, the storeRefreshToken and storeAccessToken methods are blank, as expected: since the tokens are signed, they don't have to be stored.

My plan was to store the generated refresh tokens in a database and then include this as a requirement for the refresh token to be valid.

I've been looking at the JwtTokenStore class and it looks like it can have an optional ApprovalStore. Is this the right direction to go to solve this problem?

Recommended answer

I think the problem is very similar to the one described here. So you might want to look at the accepted answer.

Apart from this, I have two additional ideas I would like to share:

Delete the client

It really depends on how you use client ids. But you could, of course, delete a client - this would make the refresh process fail.

Deactivate the user

From the documentation:

if you inject a UserDetailsService or if one is configured globally anyway (e.g. in a GlobalAuthenticationManagerConfigurer) then a refresh token grant will contain a check on the user details, to ensure that the account is still active

So if you are using a UserDetailsService and your token is associated with a user, you could deactivate the user to make the refresh process fail.
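As an added example, not part of the question or the answer: one way to carry out the asker's plan of making a stored record a requirement for a refresh token to be valid. It extends JwtTokenStore so access tokens stay stateless, returns null from readRefreshToken for any refresh token not on record (which makes DefaultTokenServices.refreshAccessToken throw InvalidGrantException), and can revoke every refresh token of one user. The class name and the in-memory map, which stands in for a database table, are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

// Hypothetical class: access tokens stay stateless JWTs, but a refresh token is
// only honoured while a record of it exists, so a lost device can be logged out.
public class RevocableJwtTokenStore extends JwtTokenStore {
    // Stands in for a database table: SHA-256(refresh token value) -> username.
    // Only the hash is kept, so a leaked table does not yield usable tokens.
    private final Map<String, String> issuedRefreshTokens = new ConcurrentHashMap<>();
    public RevocableJwtTokenStore(JwtAccessTokenConverter converter) {
        super(converter);
    }
    // Called by DefaultTokenServices.createAccessToken whenever a refresh token is issued.
    @Override
    public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) {
        issuedRefreshTokens.put(fingerprint(refreshToken.getValue()), authentication.getName());
    }
    // DefaultTokenServices.refreshAccessToken calls this first and rejects the grant on null.
    @Override
    public OAuth2RefreshToken readRefreshToken(String tokenValue) {
        if (!issuedRefreshTokens.containsKey(fingerprint(tokenValue))) return null; // unknown or revoked
        return super.readRefreshToken(tokenValue); // signature and expiry are still checked
    }
    // Also called by DefaultTokenServices when reuseRefreshToken is false (token rotation).
    @Override
    public void removeRefreshToken(OAuth2RefreshToken token) {
        issuedRefreshTokens.remove(fingerprint(token.getValue()));
        super.removeRefreshToken(token); // keeps the optional ApprovalStore handling
    }
    // Log the user out everywhere: every refresh token issued to them stops working.
    public void revokeAllForUser(String username) {
        issuedRefreshTokens.values().removeIf(username::equals);
    }
    private static String fingerprint(String tokenValue) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(tokenValue.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is available in every JRE
        }
    }
}
```

Return it from the tokenStore() bean in place of new JwtTokenStore(...). Access tokens already issued remain valid until their 10-minute expiry, which is why the short access-token lifetime matters for this approach.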
