
How-to: Configure and use opaque tokens

Open vishu221b opened this issue 2 years ago • 3 comments

Publish a guide on How-to: Configure and use opaque tokens

Description: Currently there are resources around how to configure and set up the JWT token flow, but the resources around how to configure and use opaque tokens are missing. This would be useful for those cases where the need is not to expose any data (even to the resource owner) available in JWT claims, which can be decoded and accessed by anyone having access to the JWT token.

recommended for inclusion in: gh-499

vishu221b, Feb 24 '23 04:02

@vishu221b, thanks for suggesting this!

I thought we already had an "opaque tokens" how-to issue, but I can't seem to find one. At the moment, I'm not sure this topic rises to the level of needing a how-to guide because it is covered in the reference, but perhaps others in the community can chime in (and 👍 the issue) to let us know.

For the time being, see this comment for some resources:

Regardless, I think the main question being asked here is "How do I use opaque tokens?" which is covered in the reference manual (simply set TokenSettings#accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED) on the RegisteredClient.tokenSettings). You can use the JdbcOAuth2AuthorizationService (or provide your own) to store tokens in the database.

Also, take a look at Configuring and Extending Spring Authorization Server (recent talk from SpringOne Essentials in January, 2023) where we configure and demo use of opaque tokens.

sjohnr, Mar 03 '23 15:03
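As an added example (not code from the issue or from the project's reference manual), a configuration that issues opaque tokens for a hypothetical client: it sets OAuth2TokenFormat.REFERENCE, the constant Spring Authorization Server uses for opaque (reference) tokens, on the client's TokenSettings and stores authorizations with JdbcOAuth2AuthorizationService so the introspection endpoint can resolve them. The client id, secret and scope are placeholders, and the JdbcTemplate and database schema are assumed to be provided by the application.

```java
import java.time.Duration;
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

// Added example (hypothetical client values); JdbcTemplate and schema come from the application.
@Configuration
public class OpaqueTokenConfig {

    @Bean
    public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
        RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("opaque-client")                       // placeholder client id
            .clientSecret("{noop}change-me")                 // placeholder; use an encoded secret
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
            .scope("read")
            .tokenSettings(TokenSettings.builder()
                // REFERENCE issues an opaque identifier, so no claims reach the client;
                // SELF_CONTAINED would issue a decodable JWT instead.
                .accessTokenFormat(OAuth2TokenFormat.REFERENCE)
                .accessTokenTimeToLive(Duration.ofMinutes(5))
                .build())
            .build();

        JdbcRegisteredClientRepository repo = new JdbcRegisteredClientRepository(jdbcTemplate);
        repo.save(client);
        return repo;
    }

    // An opaque token carries no state of its own, so every authorization must be persisted;
    // /oauth2/introspect looks the presented token up in this service.
    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate,
            RegisteredClientRepository registeredClientRepository) {
        return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
    }
}
```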

I'd like to know how to perform MockMvc tests with opaque tokens when the Authorization Server and the Resource Server are in the same app.

I found this example, https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/oauth2/resource-server/opaque, but it uses a standalone authorization server when testing, and does not tell us how to modify it to bundle an authorization server into it.

I tried to modify the JWT-token-based client to an opaque token client, and set the introspectionUri to http://localhost:8080/oauth2/introspect, but failed, because the mock server's port is randomly generated, and I don't want to hard-code it to 8080 as the testing process may be parallel.

DevDengChao, Apr 13 '23 08:04

@DevDengChao, thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. Feel free to update this issue with a link to the re-posted question (so that other people can find it).

If you would like to submit a request for a How-to guide, please open a new issue linked to gh-499.

sjohnr, Apr 14 '23 20:04