Question

I have a little question.

At the moment my Spring configuration uses the DefaultTokenServices (provided by the spring-security-oauth2-2.0.0.M3.jar). It correctly generates the access_token.

Now what I want to do is cancel/delete/remove/revoke this token when I log out.

In the security.xml I configured the logout in the http tag:

<sec:logout logout-url="/logout" logout-success-url="/auth" invalidate-session="true" delete-cookies="true" />

and the redirection works. But if I write a test that logs in, logs out, and then tries to access a restricted path with this access_token, the request succeeds, although I expect a Not Authorized error. Why?

How can I configure the logout so that the access_token is automatically deleted, forcing a new login?


Solution

The lifetime of the access_token is independent of the login session of a user who grants access to a client. OAuth2 has no concept of a user login or logout, or a session, so the fact that you expect a logout to revoke a token would seem to indicate that you're misunderstanding how OAuth2 works. You should probably clarify in your question why you want things to work this way and why you need OAuth.

If you really want this behaviour, then you would have to code it yourself (in a custom Spring Security LogoutHandler, for example), but the lifetime of a token is normally governed by its expiry time. Token revocation would usually be a separate interface provided to the user, allowing them to prematurely revoke access to their resources for one or more clients - something like Twitter's third-party applications access.

Other tips

In the end I followed this link

And in the LogoutHandlerFilter I call the TokenService.revokeToken() method.
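The custom Spring Security LogoutHandler that the answer describes, calling the revokeToken() method mentioned in the tip above, as an added example. This is not code from the question, the answer, or the Spring project. It assumes Spring Security 3.x and Spring Security OAuth2 2.0, where DefaultTokenServices implements ConsumerTokenServices; the class name TokenRevokingLogoutHandler is hypothetical, and the handler revokes whichever token the /logout request itself carries (Authorization: Bearer header, or the access_token parameter).

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/**
 * Hypothetical LogoutHandler (added example, not Spring's own code).
 *
 * Spring's logout only invalidates the HTTP session and deletes cookies; the
 * OAuth2 access token lives in the TokenStore and keeps working until it
 * expires. This handler removes the token that was presented on the /logout
 * request, so a test that logs in, logs out and replays the same access_token
 * gets 401 instead of 200.
 */
public class TokenRevokingLogoutHandler implements LogoutHandler {

    private static final String BEARER_PREFIX = "Bearer ";

    // DefaultTokenServices implements ConsumerTokenServices, so the bean that
    // already issues tokens can be injected here directly.
    private final ConsumerTokenServices tokenServices;

    public TokenRevokingLogoutHandler(ConsumerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        String tokenValue = extractAccessToken(request);
        if (tokenValue == null) {
            // Logout without a token (e.g. plain form login): nothing to revoke.
            return;
        }
        // DefaultTokenServices.revokeToken() removes the access token and its
        // refresh token from the TokenStore. It returns false when the token
        // is unknown or already gone; that is not an error on logout.
        boolean revoked = tokenServices.revokeToken(tokenValue);
        if (!revoked) {
            // Do not echo the token value into logs; it may still be valid
            // against another store if configuration is inconsistent.
            request.setAttribute("oauth2.logout.revoked", Boolean.FALSE);
        }
    }

    /**
     * Returns the bearer token carried by the request, or null. Checks the
     * Authorization header first (case-insensitive scheme, as the resource
     * server does), then the access_token query/form parameter.
     */
    static String extractAccessToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header != null
                && header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            String value = header.substring(BEARER_PREFIX.length()).trim();
            if (!value.isEmpty()) {
                return value;
            }
        }
        String param = request.getParameter("access_token");
        return (param == null || param.isEmpty()) ? null : param;
    }
}
```

Wiring: the `<sec:logout>` element in the question does not accept extra LogoutHandler beans, so one way to install this is to define a `org.springframework.security.web.authentication.logout.LogoutFilter` bean yourself, constructed with a `SimpleUrlLogoutSuccessHandler` (target "/auth") and this handler plus `SecurityContextLogoutHandler`, call `setFilterProcessesUrl("/logout")` on it, and register it with `<sec:custom-filter ref="..." position="LOGOUT_FILTER"/>` in place of the `<sec:logout>` element. Two caveats: the logout request must actually carry the token (a browser redirect to /logout without the Authorization header revokes nothing), and revocation only takes effect if the resource server validates tokens against the same TokenStore that the DefaultTokenServices bean writes to.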

License: CC-BY-SA with attribution