1 vote

I added a JDBC token store and added the SQL from https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql (except the 1st and last tables). Then I fetched a token:

$ curl -u xxx:123456 http://localhost:8080/oauth/token -d grant_type=client_credentials -d client_id=xxx -d client_secret=123456 -d scope=write

{"access_token":"0cbd0733-2c37-400b-abd7-5d1507c2204f","token_type":"bearer","expires_in":42498,"scope":"write"}

The only table with a timestamp is oauth_approvals but it's empty!

MariaDB [xxxxxx]> select * from oauth_approvals;
Empty set (0.00 sec)

So how does Spring know when a token expires?

I restarted the server and verified the token still works and was the same token.


2 Answers

0
votes

If you're using OAuth with JWT (JSON Web Token) then check this article: https://jwt.io/introduction/

JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

Therefore, a JWT typically looks like the following: xxxxx.yyyyy.zzzzz

The payload contains claims which represent information about an entity and the token itself. Among those claims is: iss (issuer), exp (expiration time), sub (subject), aud (audience).

So basically the expiration time is in the token and can be verified using the token itself.

If the payload does not contain an exp claim, the token does not expire.
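The expiry check the answer describes, written out as an added example (not code from the post or from jwt.io, and not Spring's implementation): the token is split on dots, the HS256 signature is verified before any claim is trusted, and the exp claim in the payload decides whether the token is still valid. The secret and claim values are constructed for the demo; the behaviour when exp is absent (no expiry) is the case the last sentence of the answer points out.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(part: str) -> bytes:
    # JWT parts are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Build a header.payload.signature token signed with HMAC-SHA256 (demo issuer)."""
    header = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    )
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify the signature, then return the payload claims. Raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Only accept the algorithm this verifier was configured for; never trust the
        # token's own alg value to pick the check (e.g. alg "none").
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def token_status(token: str, secret: bytes, now: Optional[float] = None) -> str:
    """Return 'valid', 'expired' or 'no-expiry' from the exp claim of a verified token."""
    claims = verify_hs256(token, secret)
    now = time.time() if now is None else now
    if "exp" not in claims:
        return "no-expiry"
    # RFC 7519: the current time must be strictly before exp for the token to be usable.
    return "expired" if now >= claims["exp"] else "valid"


if __name__ == "__main__":
    secret = b"demo-secret"  # constructed; a real deployment keeps this out of source
    token = make_hs256_token({"iss": "demo", "sub": "xxx", "exp": int(time.time()) + 60}, secret)
    print(token)
    print(token_status(token, secret))
```

Note that the expiry is only meaningful after the signature check passes: an unsigned or tampered payload could carry any exp value, which is why verify_hs256 runs first and refuses any alg other than the one the verifier expects.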

0
votes

A late answer but here it goes.

You are actually using the client_credentials grant type which means you are not authorizing your client application on behalf of a Resource owner but instead you are accessing your own account (without any username/password). Therefore the oauth_approvals will not be populated. In fact this table is only used for the authorization_code grant type when a Resource owner "authorizes" the Client to access his account on his behalf.

Based on your question the tables that should have been populated are:

  • oauth_access_token: Which principal and clientId are using what access_token. In this table the token column stores all the information including the expiration time that you were asking for.
  • oauth_refresh_token: The refresh token used to request a new access token after the access token has expired.

The oauth_client_details table holds the client information. You stated that you are not using it, so I assume you are storing the Client details in memory.

Read more about the oAuth2 protocol here: https://oauth.net/2/
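To make the point about oauth_access_token concrete, here is an added example (not Spring's code and not from either post) that models a JDBC-style token store over SQLite. The table has the same columns as the oauth_access_token table in the schema.sql linked in the question and, as the answer says, no expiration column: the expiry lives inside the serialized token blob, and a lookup by token_id recovers it. Assumptions: the blob is JSON rather than Java serialization, so it stays readable here; token_id is the MD5 hex of the token value, as Spring's JdbcTokenStore does; authentication_id is an MD5 over client_id and scope, modelled on Spring's default key generator but simplified; the timestamps are constructed.

```python
import hashlib
import json
import sqlite3
import time
from typing import Optional

# Column list copied from the oauth_access_token table in Spring's schema.sql; note that
# none of the columns is a timestamp, so expiry must come out of the token blob itself.
SCHEMA = """
CREATE TABLE oauth_access_token (
  token_id          VARCHAR(256),
  token             BLOB,
  authentication_id VARCHAR(256) PRIMARY KEY,
  user_name         VARCHAR(256),
  client_id         VARCHAR(256),
  authentication    BLOB,
  refresh_token     VARCHAR(256)
);
"""


def token_key(token_value: str) -> str:
    # Rows are indexed by the MD5 hex of the token value, not by the raw value.
    return hashlib.md5(token_value.encode("utf-8")).hexdigest()


class DemoJdbcTokenStore:
    """Hypothetical store that keeps the expiration inside the serialized token."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.executescript(SCHEMA)

    def store(self, token_value: str, client_id: str, expires_in: int, scope: str,
              now: Optional[int] = None) -> int:
        now = int(time.time()) if now is None else now
        expiration = now + expires_in
        # Assumption: JSON stands in for the Java-serialized OAuth2AccessToken.
        blob = json.dumps({"value": token_value, "expiration": expiration,
                           "scope": scope}).encode("utf-8")
        # client_credentials: no resource owner, so user_name stays NULL.
        auth_id = hashlib.md5(f"client_id={client_id};scope={scope}".encode()).hexdigest()
        self.conn.execute(
            "INSERT OR REPLACE INTO oauth_access_token "
            "(token_id, token, authentication_id, user_name, client_id, authentication, refresh_token) "
            "VALUES (?, ?, ?, NULL, ?, ?, NULL)",
            (token_key(token_value), blob, auth_id, client_id, b"<constructed auth blob>"),
        )
        self.conn.commit()
        return expiration

    def read(self, token_value: str) -> Optional[dict]:
        row = self.conn.execute(
            "SELECT token FROM oauth_access_token WHERE token_id = ?",
            (token_key(token_value),),
        ).fetchone()
        return None if row is None else json.loads(row[0])

    def is_expired(self, token_value: str, now: Optional[int] = None) -> bool:
        """Unknown tokens are treated as expired; known ones are compared with the blob's expiration."""
        token = self.read(token_value)
        if token is None:
            return True
        now = int(time.time()) if now is None else now
        return now >= token["expiration"]


if __name__ == "__main__":
    store = DemoJdbcTokenStore(sqlite3.connect(":memory:"))
    # Token value and expires_in taken from the curl response in the question.
    value = "0cbd0733-2c37-400b-abd7-5d1507c2204f"
    print("expires at", store.store(value, "xxx", 42498, "write"))
    print("expired now?", store.is_expired(value))
```

Because the row survives a server restart and carries its own expiration, the same token keeps working after a restart until that embedded time passes, which matches what the question observed. Operationally, that also means revoking a client's tokens requires deleting the rows (or the refresh tokens), not just restarting the application.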