撤销 JWT Oauth2 刷新令牌
Revoke JWT Oauth2 Refresh Token
我正在尝试找到一种方法来撤销 Oauth2 JWT 刷新令牌,其中包含 vanilla Spring 实现和 JwtTokenStore。
首先:有人可以确认没有类似于 /oauth/token 的 API 允许我撤销刷新令牌吗?
我想添加一个自定义 API 来删除刷新令牌,如下所示:
OAuth2RefreshToken oauth2RefreshToken=tokenStore.readRefreshToken(refreshToken);
tokenStore.removeRefreshToken(oauth2RefreshToken);
现在,查看 JwtTokenStore,我注意到它使用了 ApprovalStore。所以我继续为我的 JwtTokenStore 提供了一个 InMemoryApprovalStore。我的 JwtTokenStore 实例化如下所示:
@Bean
protected JwtAccessTokenConverter jwtTokenEnhancer() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey("123456");
return converter;
}
@Bean
public JwtTokenStore getTokenStore(){
tokenStore= new JwtTokenStore(jwtTokenEnhancer());
tokenStore.setApprovalStore(new InMemoryApprovalStore());
tokenStore.setTokenEnhancer(jwtTokenEnhancer());
return tokenStore;
};
结果:没有 InMemoryApprovalStore,我可以毫无问题地验证用户和刷新令牌。但是,一旦我将 InMemoryApprovalStore 添加到令牌存储区,我就开始收到以下错误消息:
{"error":"invalid_grant","error_description":"Invalid refresh token: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDUwMjQ2MTcsInVzZXJfbmFtZSI6IjYzZjIyYjZlLWU5MGUtNDFjYS1iYzJlLTBmZTgzNmY3MTQ2NyIsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiMjgwMDgwNWQtMjk1Zi00ZDQzLWI2NTYtMDNlZWYwMWFkMjg0IiwiY2xpZW50X2lkIjoid2ViLWNsaWVudCIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsInRydXN0Il19.BPC0HqLYjWGM0IFjvsUGGKQ9dyIXSXwMhraCVFIxD0U"}
我的第二个问题是撤销刷新令牌的正确方法是什么?
编辑:我发现 following thread 表明 ApprovalStore 确实是撤销 JWT 令牌的方式。我现在只需要了解如何正确使用它们。
First: can somebody confirm that there is no API similar to /oauth/token that allows me to revoke a refresh token?
您不需要定义 JwtTokenStore bean,spring 将使用 AuthorizationServerEndpointsConfigurer
为您创建它
private TokenStore tokenStore() {
if (tokenStore == null) {
if (accessTokenConverter() instanceof JwtAccessTokenConverter) {
this.tokenStore = new JwtTokenStore((JwtAccessTokenConverter) accessTokenConverter());
}
else {
this.tokenStore = new InMemoryTokenStore();
}
}
return this.tokenStore;
}
private ApprovalStore approvalStore() {
if (approvalStore == null && tokenStore() != null && !isApprovalStoreDisabled()) {
TokenApprovalStore tokenApprovalStore = new TokenApprovalStore();
tokenApprovalStore.setTokenStore(tokenStore());
this.approvalStore = tokenApprovalStore;
}
return this.approvalStore;
}
My second question is thus what is the proper way to revoke a refresh token?
撤销对令牌的批准,这已被JwtTokenStore
使用
private void remove(String token) {
if (approvalStore != null) {
OAuth2Authentication auth = readAuthentication(token);
String clientId = auth.getOAuth2Request().getClientId();
Authentication user = auth.getUserAuthentication();
if (user != null) {
Collection<Approval> approvals = new ArrayList<Approval>();
for (String scope : auth.getOAuth2Request().getScope()) {
approvals.add(new Approval(user.getName(), clientId, scope, new Date(), ApprovalStatus.APPROVED));
}
approvalStore.revokeApprovals(approvals);
}
}
}
我正在尝试找到一种方法来撤销 Oauth2 JWT 刷新令牌,其中包含 vanilla Spring 实现和 JwtTokenStore。
首先:有人可以确认没有类似于 /oauth/token 的 API 允许我撤销刷新令牌吗?
我想添加一个自定义 API 来删除刷新令牌,如下所示:
OAuth2RefreshToken oauth2RefreshToken=tokenStore.readRefreshToken(refreshToken);
tokenStore.removeRefreshToken(oauth2RefreshToken);
现在,查看 JwtTokenStore,我注意到它使用了 ApprovalStore。所以我继续为我的 JwtTokenStore 提供了一个 InMemoryApprovalStore。我的 JwtTokenStore 实例化如下所示:
@Bean
protected JwtAccessTokenConverter jwtTokenEnhancer() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey("123456");
return converter;
}
@Bean
public JwtTokenStore getTokenStore(){
tokenStore= new JwtTokenStore(jwtTokenEnhancer());
tokenStore.setApprovalStore(new InMemoryApprovalStore());
tokenStore.setTokenEnhancer(jwtTokenEnhancer());
return tokenStore;
};
结果:没有 InMemoryApprovalStore,我可以毫无问题地验证用户和刷新令牌。但是,一旦我将 InMemoryApprovalStore 添加到令牌存储区,我就开始收到以下错误消息:
{"error":"invalid_grant","error_description":"Invalid refresh token: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDUwMjQ2MTcsInVzZXJfbmFtZSI6IjYzZjIyYjZlLWU5MGUtNDFjYS1iYzJlLTBmZTgzNmY3MTQ2NyIsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiMjgwMDgwNWQtMjk1Zi00ZDQzLWI2NTYtMDNlZWYwMWFkMjg0IiwiY2xpZW50X2lkIjoid2ViLWNsaWVudCIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsInRydXN0Il19.BPC0HqLYjWGM0IFjvsUGGKQ9dyIXSXwMhraCVFIxD0U"}
我的第二个问题是撤销刷新令牌的正确方法是什么?
编辑:我发现 following thread 表明 ApprovalStore 确实是撤销 JWT 令牌的方式。我现在只需要了解如何正确使用它们。
First: can somebody confirm that there is no API similar to /oauth/token that allows me to revoke a refresh token?
您不需要定义 JwtTokenStore bean,spring 将使用 AuthorizationServerEndpointsConfigurer
private TokenStore tokenStore() {
if (tokenStore == null) {
if (accessTokenConverter() instanceof JwtAccessTokenConverter) {
this.tokenStore = new JwtTokenStore((JwtAccessTokenConverter) accessTokenConverter());
}
else {
this.tokenStore = new InMemoryTokenStore();
}
}
return this.tokenStore;
}
private ApprovalStore approvalStore() {
if (approvalStore == null && tokenStore() != null && !isApprovalStoreDisabled()) {
TokenApprovalStore tokenApprovalStore = new TokenApprovalStore();
tokenApprovalStore.setTokenStore(tokenStore());
this.approvalStore = tokenApprovalStore;
}
return this.approvalStore;
}
My second question is thus what is the proper way to revoke a refresh token?
撤销对令牌的批准,这已被JwtTokenStore
使用private void remove(String token) {
if (approvalStore != null) {
OAuth2Authentication auth = readAuthentication(token);
String clientId = auth.getOAuth2Request().getClientId();
Authentication user = auth.getUserAuthentication();
if (user != null) {
Collection<Approval> approvals = new ArrayList<Approval>();
for (String scope : auth.getOAuth2Request().getScope()) {
approvals.add(new Approval(user.getName(), clientId, scope, new Date(), ApprovalStatus.APPROVED));
}
approvalStore.revokeApprovals(approvals);
}
}
}