Spring Boot + JWT: should tokens be checked against auth server
As I understand a JWT contains a header, a payload and a signature.
The signature ensures the JWT integrity by encrypting the header and the payload with a secret.
Consequently, if the authentication (token) server and a resource server share the same secret, the resource server should be able to validate the token by itself, and that's the purpose of these tokens.
Consequently I have two questions:
- Why does Spring provide a RemoteTokenServices? Isn't it an anti-pattern?
[EDIT] Answered this one myself:
In fact, the main issue with using JWTs without checking them against a token store is that we cannot revoke them. Using only the signature to check their authenticity, any token stays valid until it expires.
Checking the JWT against a token store allows us to revoke tokens, and in this case a valid JWT that has been revoked won't be accepted to authenticate a request.
Consequently, the only case in which it can be safe to use self-authenticating JWTs is with very short expiration times.
- If I don't use this service, how can I achieve the token validation locally using only the secret?
My current config of a resource server consulting a remote token service:
```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Profile("!test")
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Value("${auth-server.url}")
    private String authEndpoint;

    @Value("${security.oauth2.client.client-id}")
    private String clientId;

    @Value("${security.oauth2.client.client-secret}")
    private String clientSecret;

    // The resource id this server accepts; tokens scoped to other resources are rejected.
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId("ms/legacy");
    }

    // HTTP-level rules: authorization is left to method security (@PreAuthorize etc.),
    // and both authentication and access-denied failures answer with 401.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll().and().cors().disable().csrf().disable().httpBasic().disable()
            .exceptionHandling()
            .authenticationEntryPoint(
                (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED))
            .accessDeniedHandler(
                (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED));
    }

    // Every request carrying a token triggers a call to the auth server's check_token endpoint.
    @Bean
    public ResourceServerTokenServices tokenService() {
        RemoteTokenServices tokenServices = new RemoteTokenServices();
        tokenServices.setClientId(clientId);
        tokenServices.setClientSecret(clientSecret);
        tokenServices.setCheckTokenEndpointUrl(authEndpoint + "/uaa/oauth/check_token");
        return tokenServices;
    }
}
```
spring-boot spring-security jwt
edited Mar 24 at 21:08
Pierre Mardon
asked Mar 24 at 16:08
Pierre Mardon
1 Answer
- Why does Spring provide a RemoteTokenServices? Isn't it an anti-pattern?
Spring is a flexible framework that offers you different implementations; it gives you the choice of the implementation that best fits your needs.
- If I don't use this service, how can I achieve the token validation locally using only the secret?
Token validation locally:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer config) {
        config.tokenServices(tokenServices());
    }

    // JwtTokenStore keeps no state: it decodes and verifies the token with the converter below.
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Symmetric signing key; it must be the same secret the authorization server signs with.
        converter.setSigningKey("123");
        return converter;
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }
}
```
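The following is an added example, not code from the question, the answer or Spring itself: it shows with only the JDK what the JwtTokenStore set-up above does with a shared HS256 secret (recompute the HMAC, compare it in constant time, check exp), and adds the revocation check that the question's edit points out a signature-only check cannot give you. The secret, the claims, the jti values and the clock value are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Local HS256 check with a shared secret, plus a revocation list (example code, not Spring's). */
public class LocalJwtCheck {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    // Hypothetical shared secret; a real deployment loads it from configuration, never from source.
    private static final byte[] SECRET = "example-shared-secret-at-least-32-bytes".getBytes(StandardCharsets.UTF_8);
    // Revoked token ids ("jti" claims). This is the state a pure signature check does not have.
    static final Set<String> REVOKED = new HashSet<>();

    static byte[] hmac(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    /** What the auth server does: sign header.payload with the shared secret. */
    static String issue(String sub, String jti, long exp) throws Exception {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String claims = String.format("{\"sub\":\"%s\",\"jti\":\"%s\",\"exp\":%d}", sub, jti, exp);
        String signingInput = header + "." + B64.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    /** Crude claim lookup, enough for the flat payloads issued above (use a JSON parser in real code). */
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\":\"?([^\",}]+)").matcher(json);
        return m.find() ? m.group(1) : "";
    }

    /** What the resource server does locally. Returns "ok" or the reason the token was rejected. */
    static String validate(String token, long now) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 3) return "malformed";
            // 1. Signature: always HS256 with our key (the header's alg is not consulted), constant-time compare.
            byte[] expected = hmac(parts[0] + "." + parts[1]);
            if (!MessageDigest.isEqual(expected, B64D.decode(parts[2]))) return "bad signature";
            // 2. Expiry: without revocation this is the only bound on a leaked token's lifetime.
            String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
            if (now >= Long.parseLong(claim(payload, "exp"))) return "expired";
            // 3. Revocation: needs shared state, which is what a token store or check_token call provides.
            if (REVOKED.contains(claim(payload, "jti"))) return "revoked";
            return "ok";
        } catch (Exception e) { // bad base64, bad number, crypto failure: reject, never accept
            return "malformed";
        }
    }

    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000L;                        // constructed clock value
        String token = issue("alice", "t-1", now + 300);  // five-minute token
        System.out.println(validate(token, now));         // signature, expiry and revocation all pass
        System.out.println(validate(token + "x", now));   // tampered signature
        System.out.println(validate(token, now + 301));   // past exp
        REVOKED.add("t-1");                               // logout or compromise: revoke by id
        System.out.println(validate(token, now));         // still correctly signed, but revoked
    }
}
```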
answered Mar 24 at 16:49
Denoxus