Revoking an OAuth2 JWT refresh token

Updated: 2024-10-25 22:35:57

Problem description

I am trying to find a way to revoke Oauth2 JWT Refresh Token with vanilla Spring implementation and JwtTokenStore.

First: can somebody confirm that there is no API similar to /oauth/token that allows me to revoke a refresh token?

I wanted to add a custom API that would delete the refresh token along the following lines:

    OAuth2RefreshToken oauth2RefreshToken = tokenStore.readRefreshToken(refreshToken);
    tokenStore.removeRefreshToken(oauth2RefreshToken);

Now, looking at the JwtTokenStore, I noticed that it uses an ApprovalStore. So I went ahead and provided an InMemoryApprovalStore to my JwtTokenStore. My JwtTokenStore instantiation looks as follows:

    @Bean
    protected JwtAccessTokenConverter jwtTokenEnhancer() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("123456");
        return converter;
    }

    @Bean
    public JwtTokenStore getTokenStore() {
        tokenStore = new JwtTokenStore(jwtTokenEnhancer());
        tokenStore.setApprovalStore(new InMemoryApprovalStore());
        tokenStore.setTokenEnhancer(jwtTokenEnhancer());
        return tokenStore;
    }

Results: with no InMemoryApprovalStore, I can authenticate users and refresh tokens without problems. However, as soon as I add InMemoryApprovalStore to the token store, I start getting the following error message:

{"error":"invalid_grant","error_description":"Invalid refresh token: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDUwMjQ2MTcsInVzZXJfbmFtZSI6IjYzZjIyYjZlLWU5MGUtNDFjYS1iYzJlLTBmZTgzNmY3MTQ2NyIsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiMjgwMDgwNWQtMjk1Zi00ZDQzLWI2NTYtMDNlZWYwMWFkMjg0IiwiY2xpZW50X2lkIjoid2ViLWNsaWVudCIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsInRydXN0Il19.BPC0HqLYjWGM0IFjvsUGGKQ9dyIXSXwMhraCVFIxD0U"}

My second question is thus what is the proper way to revoke a refresh token?

Edit: I found the following thread that suggests that ApprovalStore is indeed the way to revoke JWT tokens. I now just need to find out how to use them properly.

Solution

First: can somebody confirm that there is no API similar to /oauth/token that allows me to revoke a refresh token?

Confirmed.

You don't need to define a JwtTokenStore bean; Spring will create it for you using AuthorizationServerEndpointsConfigurer:

    private TokenStore tokenStore() {
        if (tokenStore == null) {
            if (accessTokenConverter() instanceof JwtAccessTokenConverter) {
                // a JwtAccessTokenConverter bean makes the configurer pick JwtTokenStore
                this.tokenStore = new JwtTokenStore((JwtAccessTokenConverter) accessTokenConverter());
            }
            else {
                this.tokenStore = new InMemoryTokenStore();
            }
        }
        return this.tokenStore;
    }

    private ApprovalStore approvalStore() {
        if (approvalStore == null && tokenStore() != null && !isApprovalStoreDisabled()) {
            // default approval store is backed by the token store itself
            TokenApprovalStore tokenApprovalStore = new TokenApprovalStore();
            tokenApprovalStore.setTokenStore(tokenStore());
            this.approvalStore = tokenApprovalStore;
        }
        return this.approvalStore;
    }

My second question is thus what is the proper way to revoke a refresh token?

Revoke the approval for the token; this is what JwtTokenStore does in its remove() method:

    private void remove(String token) {
        if (approvalStore != null) {
            OAuth2Authentication auth = readAuthentication(token);
            String clientId = auth.getOAuth2Request().getClientId();
            Authentication user = auth.getUserAuthentication();
            if (user != null) {
                // one Approval per granted scope, then revoke them all at once
                Collection<Approval> approvals = new ArrayList<Approval>();
                for (String scope : auth.getOAuth2Request().getScope()) {
                    approvals.add(new Approval(user.getName(), clientId, scope, new Date(), ApprovalStatus.APPROVED));
                }
                approvalStore.revokeApprovals(approvals);
            }
        }
    }
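The following is an added example; it is not code from the question, the answer or Spring itself. It wires the real spring-security-oauth2 2.x classes together (a JwtTokenStore with an InMemoryApprovalStore attached via setApprovalStore()) and puts a revoke() method around the two calls from the question: readRefreshToken(), then removeRefreshToken(), which delegates to the remove() shown above. It also reproduces the failure mode from the question. Once an approval store is set, JwtTokenStore.readRefreshToken() returns null unless every scope in the token has an unexpired APPROVED approval for that user and client, and DefaultTokenServices turns that null into the "Invalid refresh token" invalid_grant error. A password grant never records approvals, so the example adds them explicitly with a helper that builds the same user/client/scope triples as remove() but with a future expiry, because Approval.isApproved() also checks the expiry date. The class name, signing key, user, client id and scopes are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.approval.Approval;
import org.springframework.security.oauth2.provider.approval.Approval.ApprovalStatus;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.InMemoryApprovalStore;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 * Added example (not from the post or from Spring): issue a JWT access/refresh
 * pair, show the refresh token rejected while no approval exists, record the
 * approvals, then revoke them through the token store. Needs
 * spring-security-oauth2 2.x on the classpath. All names and the key are sample data.
 */
public class RefreshTokenRevocationDemo {

    private final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    private final ApprovalStore approvalStore = new InMemoryApprovalStore();
    private final JwtTokenStore tokenStore;
    private final DefaultTokenServices tokenServices = new DefaultTokenServices();

    public RefreshTokenRevocationDemo() throws Exception {
        converter.setSigningKey("constructed-demo-hmac-key-do-not-reuse"); // sample key
        converter.afterPropertiesSet(); // builds the verifier; Spring does this for a @Bean
        tokenStore = new JwtTokenStore(converter);
        tokenStore.setApprovalStore(approvalStore); // without this, approvals are never consulted
        tokenServices.setTokenStore(tokenStore);
        tokenServices.setTokenEnhancer(converter);  // encodes access AND refresh token as JWTs
        tokenServices.setSupportRefreshToken(true);
        tokenServices.afterPropertiesSet();
    }

    /** Issue tokens the way a password grant does: no consent page, so no approvals recorded. */
    public OAuth2AccessToken issue(String user, String clientId, Set<String> scopes) {
        OAuth2Request request = new OAuth2Request(Collections.<String, String>emptyMap(), clientId,
                null, true, scopes, null, null, null, null);
        OAuth2Authentication auth = new OAuth2Authentication(request,
                new UsernamePasswordAuthenticationToken(user, "N/A",
                        AuthorityUtils.createAuthorityList("ROLE_USER")));
        return tokenServices.createAccessToken(auth);
    }

    /** readRefreshToken() returns null when any scope of the token lacks an active approval. */
    public boolean isUsable(String refreshJwt) {
        return tokenStore.readRefreshToken(refreshJwt) != null;
    }

    /** Record an APPROVED approval per scope, as a consent flow would have done. */
    public void approve(String refreshJwt, long ttlSeconds) {
        Date expiresAt = new Date(System.currentTimeMillis() + ttlSeconds * 1000L);
        approvalStore.addApprovals(approvalsFor(refreshJwt, expiresAt));
    }

    /** Revoke: removeRefreshToken() calls JwtTokenStore.remove(), which revokes the approvals. */
    public boolean revoke(String refreshJwt) {
        OAuth2RefreshToken token = tokenStore.readRefreshToken(refreshJwt);
        if (token == null) {
            return false; // never approved or already revoked; avoids removeRefreshToken(null)
        }
        tokenStore.removeRefreshToken(token);
        return true;
    }

    /** Same user/client/scope triples that JwtTokenStore.remove() builds, but with a real expiry. */
    private Collection<Approval> approvalsFor(String refreshJwt, Date expiresAt) {
        OAuth2Authentication auth = tokenStore.readAuthentication(refreshJwt);
        String clientId = auth.getOAuth2Request().getClientId();
        String userId = auth.getUserAuthentication().getName();
        Collection<Approval> approvals = new ArrayList<Approval>();
        for (String scope : auth.getOAuth2Request().getScope()) {
            // Approval.isApproved() requires status APPROVED and expiresAt in the future
            approvals.add(new Approval(userId, clientId, scope, expiresAt, ApprovalStatus.APPROVED));
        }
        return approvals;
    }

    public static void main(String[] args) throws Exception {
        RefreshTokenRevocationDemo demo = new RefreshTokenRevocationDemo();
        Set<String> scopes = new HashSet<String>(Arrays.asList("read", "write"));
        String refreshJwt = demo.issue("alice", "web-client", scopes).getRefreshToken().getValue();

        // 1. Empty approval store: the "Invalid refresh token" situation from the question
        System.out.println("usable before approval: " + demo.isUsable(refreshJwt));
        // 2. Approvals for read and write present: the refresh grant would now succeed
        demo.approve(refreshJwt, 3600);
        System.out.println("usable after approval:  " + demo.isUsable(refreshJwt));
        // 3. Revoke: approvals removed, so /oauth/token would answer invalid_grant again
        System.out.println("revoked:                " + demo.revoke(refreshJwt));
        System.out.println("usable after revoke:    " + demo.isUsable(refreshJwt));
    }
}
```

Two caveats for using this in a real authorization server. First, the approval store that matters is the one passed to JwtTokenStore.setApprovalStore(); the TokenApprovalStore that the configurer code quoted above builds wraps the token store the other way round and is never attached to the JwtTokenStore, so with the auto-configured store nothing is consulted on refresh. An InMemoryApprovalStore lives in one JVM only; for revocation to survive restarts and hold across instances use a shared store such as JdbcApprovalStore. Second, revoking approvals only stops the refresh grant: already-issued access JWTs stay valid until their exp claim, since resource servers verify the signature without calling back, so keep the access token lifetime short.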

Published: 2023-10-29 08:27:08
Link: https://www.elefans.com/category/jswz/34/1539206.html