Spring-security-oauth: Persist JWT token in database

Created on 2 Feb 2016 · 10 comments · Source: spring-projects/spring-security-oauth

I would like to use JwtTokenStore but persist tokens in a database, like JdbcTokenStore does. I have an authorization server that is separate from the resource server; in other words, each one is in its own project, and they don't share memory. If I use JwtTokenStore, which maintains tokens in memory, how will a resource server access the token that has been issued by the authorization server?

stackoverflow

Most helpful comment

Unless I'm missing something, persisting JWT tokens is irrelevant since JWT tokens are self-contained: everything you need to know is in that token. What you need is an endpoint on the authorization server to validate the signature of the JWT token so that the resource server can use it and trust it.

Spring Security OAuth provides a check_token endpoint in CheckTokenEndpoint, but you might have to modify it to support JWT tokens. On the resource server, you can use the class RemoteTokenServices, which pings the check_token endpoint to validate the token and authenticate the request.

Another option is to share the secret key between the 2 services so that the resource server can validate the signature of the JWT token, but it is a bad practice IMO. Good luck!
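The two set-ups described in this comment, as an added example that is not from the issue or from the Spring project: a resource server that either delegates validation to the authorization server's check_token endpoint (RemoteTokenServices) or verifies the JWT locally. For the local variant the example assumes an RSA key pair on the authorization server, so only the public key is handed to the resource server; the host name and client credentials are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

// Added example, not part of the issue or of spring-security-oauth itself.
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Option A: the resource server holds no signing key at all. Each incoming
    // token is sent to the authorization server's check_token endpoint, so the
    // authorization server remains the only party that knows the key and can
    // refuse a token it no longer considers valid (costs one HTTP call per request).
    @Bean
    public ResourceServerTokenServices remoteTokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        // Hypothetical host and client credentials: replace with your own.
        services.setCheckTokenEndpointUrl("https://auth.example.test/oauth/check_token");
        services.setClientId("resource-server");
        services.setClientSecret("resource-server-secret");
        return services;
    }

    // Option B: verify locally without sharing an HMAC secret. The authorization
    // server signs with its RSA private key; the resource server gets only the
    // PEM public key, so it can check signatures but can never mint tokens.
    // Note that a locally verified JWT cannot be revoked before it expires.
    public ResourceServerTokenServices localJwtTokenServices(String publicKeyPem) throws Exception {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(publicKeyPem); // "-----BEGIN PUBLIC KEY-----..."
        converter.afterPropertiesSet();         // builds the RSA verifier
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(new JwtTokenStore(converter));
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Wire option A; swap in localJwtTokenServices(...) for option B.
        resources.tokenServices(remoteTokenServices());
    }
}
```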

All 10 comments

Thank you jebeaudet.

It's some time ago. But I prefer to store the JWT tokens too. The benefit is you can revoke tokens (for critical operations I would like to do an extra check against the OAuth provider) for users, and you can track all generated tokens. But you are able to pre-check tokens in memory, so you are much more secure against DDoS. Another advantage is you can check the token on the client side for expiration. But I don't agree that memory-only tokens are the best solution in a JWT context. I already implemented a JWT solution with persistence, unfortunately without OAuth2 ...

Another thing: I cannot persist the IP address with grant type password when I create a token for a specific user?

+1

Storing the tokens gives real-time auditing of what tokens are issued.
Also, storing the token gives you the ability to scale the auth server with multiple instances (for uptime, blue-green deployment, and load scalability/performance).

Those use cases (scaling and auditing) are already covered by the existing token services, in conjunction with an approval store. There are many instances of production services running with JdbcApprovalStore. I don't think you need anything else.

@dsyer - thanks for the reply.
I have done some further research and configuration with the JwtTokenStore, and it makes sense not to have a database-backed approval store because of its self-contained and stateless nature.

Please, who can explain using JdbcApprovalStore alongside JwtTokenStore? I used it, but I get an invalid refresh token response.
{
"error": "invalid_grant",
"error_description": "Invalid refresh token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsib2F1dGgyLXNlcnZlciJdLCJ1c2VyX25hbWUiOiJuYXNpYnVsbG9oLjEzQGdtYWlsLmNvbSIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsInRydXN0Il0sImF0aSI6IjBhMDJkNDYzLTQ1YzQtNDM0MC1iM2QxLWNmNjFjODdkNGM1NSIsImF1dGhvcml0aWVzIjpbIlJPT1QiXSwianRpIjoiOTdkYWYzNGItMmU2NC00ZThlLWE1Y2UtYjIxYmU2NDk1ZmJlIiwiY2xpZW50X2lkIjoibGl0ZW1kIn0.I0fCd07tFPhErB4mEexogB9yZA3fTtLKFwgzCcBUNAM"
}

Or maybe I'm not using it the right way? For example, when I use JdbcApprovalStore and create the database table like this in MySQL:
create table if not exists oauth_approvals (
    userId VARCHAR(256),
    clientId VARCHAR(256),
    scope VARCHAR(256),
    status VARCHAR(10),
    expiresAt TIMESTAMP,
    lastModifiedAt TIMESTAMP NULL DEFAULT NULL
);
But in many examples of this table I saw, the "lastModifiedAt" field is only TIMESTAMP, whereas MySQL requires it to be set to a default value.

Who has an example of using it this way? Please help me.

+1. Looking for a way to revoke JWT tokens.
