Okta spring security OAuth revoke token

Hi,

I’m using Spring Security to secure a webapp using the Okta Spring Boot starter dependency. I just noticed that if a user accessing the app gets deactivated while he is connected to the app, he can refresh the page and still stay connected.

I’m looking to revoke the user’s access token and block his access. Using the API to revoke access did work (200 OK status), but nothing changes when refreshing the page.

Is there another working way to achieve this?

Thanks

The web apps tend to only ensure that the token that was issued has not yet expired, per the ‘exp’ claim within it. Are you working on a resource server (access tokens are sent to the server as Bearer auth and the server validates them before returning the requested resource) or a web app?

The only way to catch that a token has been revoked would be to do remote token validation/introspection using the /introspect endpoint. That endpoint will return active: false after the token is revoked.

Our Spring Boot Starter supports opaque token validation (which will involve an introspect call) if that is what you are working on. See its README that describes how to configure that.

Configure your Resource Server either for JWT or Opaque Token validation by extending the WebSecurityConfigurerAdapter class and overriding the configure method. If neither JWT nor Opaque Token is specified in configuration, JWT validation will be used by default.
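The reply above says a web app only checks the token's exp claim, and that /introspect is the only way to see a revocation (it returns active: false). Below is an added example of how a Spring Security web app (not a resource server) could act on that: a servlet filter that, on each secured request, introspects the session's access token against Okta and invalidates the session when the token is no longer active. This is not the Okta starter's own code and not from the original thread. It assumes: the Okta starter's OAuth2AuthorizedClientService bean is available, the client registration id is "okta" (the starter's default, read from the authentication token), Okta's introspection endpoint is {issuer}/v1/introspect next to the token endpoint, and the app's confidential client_id/client_secret are used for Basic auth on that call. The package name and class name are hypothetical.

```java
// Added example (not Okta starter code): per-request introspection of the
// session's access token, invalidating the HTTP session when Okta reports
// the token is no longer active (revoked or expired).
package com.example.dashboard; // hypothetical package

import java.io.IOException;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

public class IntrospectionSessionFilter extends OncePerRequestFilter {

    private final OAuth2AuthorizedClientService clients; // provided by the Okta starter / Spring Security
    private final RestTemplate rest = new RestTemplate();

    public IntrospectionSessionFilter(OAuth2AuthorizedClientService clients) {
        this.clients = clients;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof OAuth2AuthenticationToken && !isActive((OAuth2AuthenticationToken) auth)) {
            // Okta no longer considers the token active: drop the local login state so the
            // next request goes through the OIDC login again (which fails for a deactivated user).
            SecurityContextHolder.clearContext();
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            res.sendRedirect(req.getContextPath() + "/");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Calls Okta's /introspect for the session's access token and returns the "active" flag. */
    boolean isActive(OAuth2AuthenticationToken auth) {
        // Registration id is "okta" with the starter's default configuration
        OAuth2AuthorizedClient client = clients.loadAuthorizedClient(
                auth.getAuthorizedClientRegistrationId(), auth.getName());
        if (client == null) {
            return false; // no stored token for this session: treat as not active
        }
        ClientRegistration reg = client.getClientRegistration();
        // Assumption: introspection endpoint sits beside the token endpoint, e.g.
        // https://{yourOktaDomain}/oauth2/default/v1/introspect
        String introspectUri = reg.getProviderDetails().getTokenUri().replace("/v1/token", "/v1/introspect");

        HttpHeaders headers = new HttpHeaders();
        headers.setBasicAuth(reg.getClientId(), reg.getClientSecret()); // confidential client auth
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", client.getAccessToken().getTokenValue());
        form.add("token_type_hint", "access_token");

        ResponseEntity<Map> resp = rest.postForEntity(introspectUri, new HttpEntity<>(form, headers), Map.class);
        Map<?, ?> body = resp.getBody();
        // Introspection returns {"active": false} for revoked or expired tokens
        return body != null && Boolean.TRUE.equals(body.get("active"));
    }
}
```

To wire it into the configuration from this thread, inject the OAuth2AuthorizedClientService into the WebSecurityConfigurerAdapter and register the filter after the security context has been loaded, e.g. http.addFilterAfter(new IntrospectionSessionFilter(clients), SecurityContextPersistenceFilter.class). Two practical notes: introspecting on every request adds a round trip to Okta per page load, so a real deployment would cache the result per session for a short interval; and because paths under the web.ignoring() list bypass the security filter chain entirely, the check only runs on requests that are actually secured.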

I’m working on a webapp acting as a custom Dashboard for Okta.

Using Postman I’m checking the /introspect endpoint to see if the access token is revoked or not. Should I revoke it by API inside my webapp and then tell it to call /introspect?

Your explanation is for a Resource Server, so in my case it’s not what I should aim for, right?

Here is my WebSecurityConfigurerAdapter class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Disables the default security response headers and CSRF protection
        http.headers().disable();
        http.csrf().disable();
        // Every request not excluded below must be authenticated; logout is enabled
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and().logout();
    }

    @Override
    public void configure(WebSecurity web) {
        // Static resources and the H2 console bypass the security filter chain entirely
        web.ignoring().antMatchers(
                "/VAADIN/**",
                "/favicon.ico",
                "/robots.txt",
                "/manifest.webmanifest",
                "/sw.js",
                "/offline.html",
                "/icons/**",
                "/images/**",
                "/styles/**",
                "/h2-console/**");
    }
}

And how I’m getting the access token inside the flow:

        // Read the current principal from the security context; with the Okta starter
        // a browser login yields an OidcUser, whose getClaims() returns the ID token claims
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        OidcUser oidcUser = null;
        Map<String, Object> userClaims = null;
        if (authentication != null && authentication.getPrincipal() instanceof OidcUser) {
            oidcUser = (OidcUser) authentication.getPrincipal();
            userClaims = oidcUser.getClaims();
        }