Revoke JWT Oauth2 Refresh Token

Klaus picture Klaus · Sep 16, 2015 · Viewed 7.2k times · Source

I am trying to find a way to revoke Oauth2 JWT Refresh Token with vanilla Spring implementation and JwtTokenStore.

First: can somebody confirm that there is no API similar to /oauth/token that allows me to revoke a refresh token?

I wanted to add a custom API that would delete the refresh token along the folowing lines:

OAuth2RefreshToken oauth2RefreshToken=tokenStore.readRefreshToken(refreshToken);
tokenStore.removeRefreshToken(oauth2RefreshToken);

Now, looking at the JwtTokenStore, I noticed that it uses an ApprovalStore. So I went ahead and provided an InMemoryApprovalStore to my JwtTokenStore. My JwtTokenStore instantiation this look as follows:

@Bean
protected JwtAccessTokenConverter jwtTokenEnhancer() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    converter.setSigningKey("123456");
    return converter;
}

@Bean
public JwtTokenStore getTokenStore(){
    tokenStore= new JwtTokenStore(jwtTokenEnhancer());
    tokenStore.setApprovalStore(new InMemoryApprovalStore());
    tokenStore.setTokenEnhancer(jwtTokenEnhancer());
    return tokenStore;
};

Results: with no InMemoryApprovalStore, I can authenticate users and refresh tokens without problems. However, as soon as I add InMemoryApprovalStore to the token store, I start getting the following error message:

{"error":"invalid_grant","error_description":"Invalid refresh token: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDUwMjQ2MTcsInVzZXJfbmFtZSI6IjYzZjIyYjZlLWU5MGUtNDFjYS1iYzJlLTBmZTgzNmY3MTQ2NyIsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiMjgwMDgwNWQtMjk1Zi00ZDQzLWI2NTYtMDNlZWYwMWFkMjg0IiwiY2xpZW50X2lkIjoid2ViLWNsaWVudCIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsInRydXN0Il19.BPC0HqLYjWGM0IFjvsUGGKQ9dyIXSXwMhraCVFIxD0U"}

My second question is thus what is the proper way to revoke a refresh token?

Edit: I found the following thread that suggests that ApprovalStore is indeed the way to revoke JWT tokens. I now just need to find out how to use them properly.

Answer

MangEngkus picture MangEngkus · Sep 17, 2015

First: can somebody confirm that there is no API similar to /oauth/token that allows me to revoke a refresh token?

Confirmed.

You don't need to define JwtTokenStore bean, spring will create it for you using AuthorizationServerEndpointsConfigurer

private TokenStore tokenStore() {
    if (tokenStore == null) {
        if (accessTokenConverter() instanceof JwtAccessTokenConverter) {
            this.tokenStore = new JwtTokenStore((JwtAccessTokenConverter) accessTokenConverter());
        }
        else {
            this.tokenStore = new InMemoryTokenStore();
        }
    }
    return this.tokenStore;
}

private ApprovalStore approvalStore() {
    if (approvalStore == null && tokenStore() != null && !isApprovalStoreDisabled()) {
        TokenApprovalStore tokenApprovalStore = new TokenApprovalStore();
        tokenApprovalStore.setTokenStore(tokenStore());
        this.approvalStore = tokenApprovalStore;
    }
    return this.approvalStore;
}

My second question is thus what is the proper way to revoke a refresh token?

revoke the approval for the token, this was used by JwtTokenStore

private void remove(String token) {
    if (approvalStore != null) {
        OAuth2Authentication auth = readAuthentication(token);
        String clientId = auth.getOAuth2Request().getClientId();
        Authentication user = auth.getUserAuthentication();
        if (user != null) {
            Collection<Approval> approvals = new ArrayList<Approval>();
            for (String scope : auth.getOAuth2Request().getScope()) {
                approvals.add(new Approval(user.getName(), clientId, scope, new Date(), ApprovalStatus.APPROVED));
            }
            approvalStore.revokeApprovals(approvals);
        }
    }
}