Token persistence #2

Closed
opened 2025-03-28 10:23:58 +01:00 by ansv7779 · 1 comment
Owner

Tokens are not persistent across restarts of the system. They should be, especially refresh tokens, as they are meant to have a longer lifetime. While the access and id tokens are [JSON Web Tokens (JWT)](https://datatracker.ietf.org/doc/html/rfc7519) and can therefore still be verified using the public keys, refresh tokens are not. It is also not ideal that public key verification and [token introspection](https://datatracker.ietf.org/doc/html/rfc7662) give different results.
Author
Owner

The reason for this is that the default [OAuth2AuthorizationService](https://github.com/spring-projects/spring-authorization-server/blob/1.4.2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationService.java), which is what persists tokens, is [InMemoryOAuth2AuthorizationService](https://github.com/spring-projects/spring-authorization-server/blob/1.4.2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java).

I have tried to switch it to a [JdbcOAuth2AuthorizationService](https://github.com/spring-projects/spring-authorization-server/blob/1.4.2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java) with the [corresponding schema](https://github.com/spring-projects/spring-authorization-server/blob/1.4.2/oauth2-authorization-server/src/main/resources/org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql) (with the `blob` columns changed to `text`). However, after doing so there are a lot of Jackson (de-)serialization errors that prevent it from working.

So the alternative seems to be to write our own OAuth2AuthorizationService, but given that the main method is `save(OAuth2Authorization)` and [OAuth2Authorization](https://github.com/spring-projects/spring-authorization-server/blob/1.4.2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java) has an attribute defined as `Map<String, Object>`, that makes it rather tricky to persist.
Reference: DMC/oauth2-authorization-server#2