Spring Security OAuth2吊销令牌不起作用

Question

我的Spring Boot应用程序中有以下配置：

@Configuration
public class SecurityConfig {

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyUserDetailsService userDetailsService;

    @Autowired
    private BCryptPasswordEncoder passwordEncoder;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

@Configuration
@EnableAuthorizationServer
public static class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private MyUserDetailsService userDetailsService;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    @Qualifier("myOauth2ClientDetailsService")
    private ClientDetailsService clientDetailsService;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // set custom exception translator
        endpoints.exceptionTranslator(e -> {
            if (e instanceof OAuth2Exception) {
                OAuth2Exception exception = (OAuth2Exception) e;
                return ResponseEntity
                        .status(exception.getHttpErrorCode())
                        .body(new MyWLoginException(exception.getMessage()));
            } else {
                throw e;
            }
        });
        // other settings
        TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), accessTokenConverter()));
        endpoints.authenticationManager(authenticationManager).userDetailsService(userDetailsService).tokenStore(tokenStore())
                .tokenEnhancer(tokenEnhancerChain);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("123");
        return converter;
    }

    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new MyTokenEnhancer();
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }
}

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(-10)
public static class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.addFilterAfter(new AuditorFilter(), BasicAuthenticationFilter.class)
                .headers().frameOptions().disable()
             .and().csrf().disable()
             .authorizeRequests()
                .antMatchers("/img/**").permitAll()
                .anyRequest().authenticated();

    }

    @Override
    public void configure(ResourceServerSecurityConfigurer config) {
        config.tokenServices(tokenServices());
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        DefaultAccessTokenConverter defaultAccessTokenConverter = new DefaultAccessTokenConverter();
        defaultAccessTokenConverter.setUserTokenConverter(userAuthenticationConverter());
        converter.setAccessTokenConverter(defaultAccessTokenConverter);
        converter.setSigningKey("123");
        return converter;
    }

    @Bean
    public UserAuthenticationConverter userAuthenticationConverter() {
        return new MyUserAuthenticationConverter();
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }
}

}

另外，我有一个特殊的端点来撤消令牌，该令牌通过以下方法处理请求：

@Autowired
private TokenStore tokenStore;
@Autowired
private AuthorizationServerTokenServices authorizationServerTokenServices;
@Autowired
private ResourceServerTokenServices resourceServerTokenServices;
...
final String tokenValue = ((OAuth2AuthenticationDetails) SecurityContextHolder.getContext().getAuthentication().getDetails()).getTokenValue();
        final OAuth2AccessToken token = tokenStore.readAccessToken(tokenValue);
        tokenStore.removeAccessToken(token);
        boolean authRemoved = ((DefaultTokenServices) authorizationServerTokenServices).revokeToken(tokenValue); // <- true
        boolean resourceRemoved = ((DefaultTokenServices) resourceServerTokenServices).revokeToken(tokenValue); // <- true
        SecurityContextHolder.getContext().setAuthentication(null);

没有任何错误。 我看到令牌服务返回true （已删除）。 但是，当我使用旧的访问令牌调用任何终结点时，它就像该令牌仍然存在一样工作。 但是我从身份验证服务器和资源服务器上都删除了令牌。 如何解决这个问题？

Answer 1

令牌吊销无法使用JWT进行，因为它所嵌入的令牌已过期。 授权服务器发出后将不会捕获有关令牌的任何信息。 因此，也许您应该尝试在授权服务器中使用JdbcTokenStore将令牌保存在数据库中，然后根据需要将其吊销（或者也可以将其保存在内存中）。 如果您的应用程序分开，则可以使用RemoteTokenServices来验证令牌。

这是一个教程，向您展示如何完成此操作。