grails-spring-security-core

Add support for revoking tokens

Open alvarosanchez opened this issue 9 years ago • 5 comments

alvarosanchez avatar Aug 29 '16 17:08 alvarosanchez

Hi!

I just wanted to ask what the status of this issue was and if there was anything I could do to help with this? My colleagues and I are highly interested in this functionality and would love to provide any help if possible.

jeffbliss avatar Sep 20 '16 18:09 jeffbliss

It's planned for the next milestone. You can track its progress at https://github.com/alvarosanchez/grails-spring-security-rest/milestone/39

alvarosanchez avatar Oct 03 '16 09:10 alvarosanchez

I'm not being pushy or anything and I know you're all really busy with Micronaut stuff, but do you have a time frame for this feature? It's almost 2 years since the last reply :)

Thanks again

antondelpiero avatar Jul 26 '18 10:07 antondelpiero

There's already partial support for revoking tokens. You just have to implement the tokenStorageService.removeToken method to add to your own block list and then override the loadUserByToken method to check the tokenValue for the block list before returning the UserDetails.

Although, there is one bit missing from this. The default RestLogoutFilter (which we want to use to blacklist tokens when the user explicitly logs out) doesn't call removeToken for the refreshToken, only the accessToken.

I think it should also call tokenStorageService.removeToken for accessToken.refreshToken as well, otherwise if someone has stolen the token, they can just use the refreshToken to request a new one.

I can submit a PR for this if it's helpful.

longwa avatar Apr 02 '20 22:04 longwa
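The block-list approach described in the comment above, as an added example that is not the plugin's code and is not part of the original thread. It is a self-contained Groovy script: `BlockListTokenStorage`, the `validate` closure and the `logout` helper are hypothetical stand-ins, and only the method names `removeToken` and `loadUserByToken` come from the comment.

```groovy
import java.security.MessageDigest
import java.util.concurrent.ConcurrentHashMap

// Hypothetical stand-in for a token storage service; it does not use the plugin's types.
class BlockListTokenStorage {
    // SHA-256 digests are stored so the block list never holds usable tokens.
    private final Set<String> revoked = ConcurrentHashMap.newKeySet()
    // Assumed delegate that validates a token and returns its user details.
    private final Closure<Map> validate

    BlockListTokenStorage(Closure<Map> validate) { this.validate = validate }

    private static String digest(String tokenValue) {
        MessageDigest.getInstance('SHA-256')
            .digest(tokenValue.getBytes('UTF-8')).encodeHex().toString()
    }

    // Revocation: remember the token's digest.
    void removeToken(String tokenValue) { revoked << digest(tokenValue) }

    // Check the block list before handing back user details.
    Map loadUserByToken(String tokenValue) {
        if (digest(tokenValue) in revoked) {
            throw new IllegalStateException('Token has been revoked')
        }
        validate.call(tokenValue)
    }
}

// Logout that revokes both tokens of the pair, which is what the comment asks for.
void logout(BlockListTokenStorage storage, String accessToken, String refreshToken) {
    storage.removeToken(accessToken)
    if (refreshToken) storage.removeToken(refreshToken)
}

// Constructed sample tokens, not real JWTs.
def storage = new BlockListTokenStorage({ String t -> [username: 'alice'] })
logout(storage, 'access-123', 'refresh-456')

['access-123', 'refresh-456'].each { token ->
    try {
        storage.loadUserByToken(token)
        assert false : "revoked token ${token} was accepted"
    } catch (IllegalStateException expected) {
        println "rejected ${token}"
    }
}
assert storage.loadUserByToken('access-789').username == 'alice'
```

An in-memory set only covers a single application instance; a clustered deployment needs the block list in shared storage, and entries can be dropped once the token they refer to has expired.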

https://github.com/grails/grails-spring-security-rest/pull/521 will add the necessary endpoints to implement revocation support.

jdaugherty avatar Sep 27 '24 15:09 jdaugherty