Spring-security-oauth: Stateless Spring OAuth2 client application

Created on 1 Mar 2016 · 3 comments · Source: spring-projects/spring-security-oauth

Client app of Spring OAuth2 has some session scoped beans such as OAuth2ClientContext, that are used to store access tokens (that are later sent to APIs) and states (for preventing CSRF). That is OK if there is only one client app. But what if I want to scale it horizontally? I can see only two ways - one is to share the session between scaled apps (for example using Redis), the other is to store all the necessary data for the OAuth2 client in the user's browser (cookies?..) and in such a way make the app stateless. Questions would be:

  • Is it safe to store information that the OAuth2 client requires to be kept in a session scoped bean in the user's browser?
  • Are there any other ways to make client app stateless?

All 3 comments

I am experiencing the same issue on my current project during my day job. We are building a new application that has an Angular UI which talks with a REST API built with Spring. I implemented the security part with Spring Security OAuth2 but also noticed that the OAuth2ClientContext is a session scoped bean. Devops guys are asking me if it's possible to get rid of the session as they want the application to be 100% stateless if possible so they don't need to manage sessions when deploying the application in a cluster.

You cannot store that information in the browser because it can be changed by the client. Instead, you can use something like Spring Session to back your session with Redis, Mongo, etc.

But it (JWT token) can be signed by authorization server and all resource servers can verify that signature. So if client changes JWT token, it will not be accepted by resource servers. Am I missing something?
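The signature argument in the last comment, as an added example that is not code from the issue or from Spring Security OAuth: an HS256 compact JWS is minted with a key held only by the authorization server, a resource server verifies it, and a copy whose claims the client edited fails verification. The shared secret is a constructed placeholder and HS256 stands in for the RS256/private-key setup a real authorization server would normally use.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. In practice the authorization server's signing key
# never reaches the client; a browser-held token can be read but not re-signed.
SERVER_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Authorization server side: build header.payload.signature with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Resource server side: recompute the MAC over header.payload and compare in
    constant time. Returns the claims when the signature checks out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion headers
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64/JSON, bad encoding
        return None


def client_modified_copy(token: str) -> str:
    """The scenario from the comment: the browser holds the token and rewrites a
    claim, but cannot produce a fresh signature, so the old one is kept."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["scope"] = "admin"
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"
```

The same sign-on-the-server, verify-on-the-server pattern is what lets the CSRF state value travel in a cookie instead of a server session, as long as the key never leaves the server.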
