How to properly revoke authorization after token expiration?

  • 0
    There is an authorization service for Spring Security

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // In-memory client registration on the authorization server:
        // access tokens are valid for 5 s, refresh tokens for 60 s
        clients.inMemory()
            .withClient("...")
            .secret("...")
            .autoApprove(true)
            .authorizedGrantTypes("password", "authorization_code", "refresh_token")
            .scopes("read", "write")
            .accessTokenValiditySeconds(5)
            .refreshTokenValiditySeconds(60);
    }


    Client configuration:

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Client-side web security: logout clears the session, the session
        // cookie and the authentication; everything except /login and /logout
        // requires an authenticated user
        http
            .csrf().disable()
            .logout()
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .permitAll()
            .and()
            .antMatcher("/**").authorizeRequests()
                .antMatchers("/login", "/logout").permitAll()
                .anyRequest().authenticated();
    }


    The client authorizes and refreshes the authorization without any problems using the refresh_token, but once the refresh_token lifetime has expired, the client still considers the user authorized, even though the authorization service returned the error "Handling error: InvalidTokenException, Invalid refresh token (expired): eyJhbG ...."

    How do I properly configure authorization so that, after the token lifetime expires, the user is redirected to the authorization page?
    Java Anonymous, Oct 28, 2020
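One way to handle this on the client side, as an added example that is not part of the question or of Spring Security itself: the authorization server is already doing its job by rejecting the expired refresh token, so the fix belongs in the client, which has to notice that its stored token can no longer be refreshed and end the local session instead of treating the user as still authorized. The example below is written against the legacy spring-security-oauth2 client API used in the question (`OAuth2ClientContext`, `OAuth2AccessToken`, `ExpiringOAuth2RefreshToken`, `OAuth2Exception`); it assumes a session-scoped `OAuth2ClientContext` bean (as registered by `@EnableOAuth2Client`/`@EnableOAuth2Sso`), a login page at `/login`, and that a failed refresh surfaces as an `OAuth2Exception` from the client's `OAuth2RestTemplate`. The class and method names (`ExpiredTokenSessionFilter`, `cannotBeRefreshed`, `endSessionAndRedirect`, `ExpiredRefreshTokenHandler`) are hypothetical.

```java
import java.io.IOException;
import java.util.Date;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical client-side filter: before a request reaches a controller, check
 * whether the stored access token AND its refresh token have both expired. If so,
 * no refresh is possible any more, so end the local session and send the user
 * back to the login page instead of leaving a stale session that looks "authorized".
 */
public class ExpiredTokenSessionFilter extends OncePerRequestFilter {

    private final OAuth2ClientContext clientContext; // assumed: session-scoped proxy bean
    private final String loginPath;                  // assumed: "/login"

    public ExpiredTokenSessionFilter(OAuth2ClientContext clientContext, String loginPath) {
        this.clientContext = clientContext;
        this.loginPath = loginPath;
    }

    /** True only when the stored token is expired and cannot be refreshed. */
    static boolean cannotBeRefreshed(OAuth2AccessToken token, Date now) {
        if (token == null) {
            return false; // nothing stored yet: let the normal login flow run
        }
        if (!token.isExpired()) {
            return false; // access token still valid
        }
        OAuth2RefreshToken refresh = token.getRefreshToken();
        if (refresh == null) {
            return true; // access token expired and no refresh token at all
        }
        if (refresh instanceof ExpiringOAuth2RefreshToken) {
            Date exp = ((ExpiringOAuth2RefreshToken) refresh).getExpiration();
            return exp != null && exp.before(now); // refresh token itself has expired
        }
        return false; // non-expiring refresh token: let OAuth2RestTemplate refresh it
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (!request.getServletPath().startsWith(loginPath)
                && cannotBeRefreshed(clientContext.getAccessToken(), new Date())) {
            endSessionAndRedirect(request, response, loginPath);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Invalidate the session, drop the security context and redirect to the login page. */
    static void endSessionAndRedirect(HttpServletRequest request, HttpServletResponse response,
                                      String loginPath) throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // discards the stored token and the authenticated principal
        }
        SecurityContextHolder.clearContext();
        response.sendRedirect(request.getContextPath() + loginPath);
    }
}

/**
 * Hypothetical fallback for the race the question describes: the client attempts a
 * refresh, the authorization server answers with InvalidTokenException (expired refresh
 * token), and the error propagates out of OAuth2RestTemplate. Ending the session here
 * turns that error into a redirect to the login page rather than an error page.
 */
@ControllerAdvice
class ExpiredRefreshTokenHandler {

    @ExceptionHandler(OAuth2Exception.class)
    public void onTokenError(OAuth2Exception ex, HttpServletRequest request,
                             HttpServletResponse response) throws IOException {
        ExpiredTokenSessionFilter.endSessionAndRedirect(request, response, "/login");
    }
}
```

Register the filter in the client's `HttpSecurity` configuration (for example with `http.addFilterBefore(...)` ahead of the authorization filter) so it runs on every request; the filter covers the common case where the client notices the expiry before making any call, and the `@ControllerAdvice` covers the case where the expiry is only discovered when the refresh request fails. Both paths end the session, which is what makes the existing `/login` redirect take over.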

  • 0 Answers