how to use redis to persist token using spring-security-oauth2

It is my first time developing an application with the OAuth2 approach. I started from a certain tutorial and I am moving forward from it (http://websystique.com/spring-security/secure-spring-rest-api-using-oauth2/).

I will deploy the application to clustered WebSpheres so, as far as I understand, in-memory will not work (... clients.inMemory().withClient ...).

I want to use Redis (my first use as well) and I am a bit confused about how to set it up in a certain no-XML Java config app.

I found a certain similar question with XML but I am still with no north for a first try (Redis Token Store). Interestingly, there the question owner talked about "Spring-Security OAuth i.e. 2.8.0 provides RedisTokenStore" but I found "2.0.12.RELEASE" as the latest Maven release version.

That said, my straight question is: how can I adjust the code below to rely on Redis instead of in-memory?

Any comment on how to set up RedisTokenStore below will be appreciated.

Additionally, if it is easy to add such an additional comment, what is the difference between ".passwordEncoder" and ".secret"? The code below relies on ".secret" with a hard-coded expression (fixed value) while I see a few examples using JDBC with ".passwordEncoder filled in by springframework.security.crypto.bcrypt.BCryptPasswordEncoder" which seems to make more sense. Am I right when I guess that I use either ".secret" or ".passwordEncoder"? Am I right when I think secret stands for a fixed value and passwordEncoder for dynamic ones?

(example using ".passwordEncoder" and clients.jdbc https://github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/jdbc/src/main/java/demo/Application.java#L102)

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private static String REALM = "MY_OAUTH_REALM";

    // In-memory store from the tutorial; this is the bean that has to become Redis-backed
    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {

        clients.inMemory()
            .withClient("abc-trusted-client")
            .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "trust")
            .secret("abc-secret")
            .accessTokenValiditySeconds(120)   // Access token is only valid for 2 minutes.
            .refreshTokenValiditySeconds(600); // Refresh token is only valid for 10 minutes.
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
                .userApprovalHandler(userApprovalHandler)
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.realm(REALM + "/client");
    }

}
DemeCarvO asked Feb 24 '17 22:02


3 Answers

If using Spring Boot, add the dependency to pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>

Set up the Redis connection with the appropriate parameters in application.properties:

spring.redis.host=localhost
spring.redis.password=secret
spring.redis.port=6379

Then, add this to your AuthorizationServerConfiguration class and you should be ready to go:

import org.springframework.context.annotation.Bean;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

// The RedisConnectionFactory is created by Spring Boot's auto-configuration
// from the spring.redis.* properties above and injected here as a bean parameter.
@Bean
public TokenStore tokenStore(RedisConnectionFactory redisConnectionFactory) {
    return new RedisTokenStore(redisConnectionFactory);
}
Alex Vazquez Fente answered Nov 16 '22 02:11
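To tie the answer above back to the questioner's class, here is the whole configuration rewritten to use RedisTokenStore end to end. This is an added example, not code from the question, from any of the answers or from the linked tutorial. It assumes Spring Boot's Redis auto-configuration supplies the RedisConnectionFactory from the spring.redis.* properties, and the client id and secret are placeholders. It also answers the secret/passwordEncoder part of the question the way the framework actually works: `.secret(...)` is the stored client credential, and the PasswordEncoder registered on the AuthorizationServerSecurityConfigurer decides how the value a client presents at /oauth/token is compared against it, so the two are used together rather than as alternatives.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

@Configuration
@EnableAuthorizationServer
public class RedisBackedAuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private static final String REALM = "MY_OAUTH_REALM";

    // Hypothetical client credentials for the example. In a real deployment the
    // plaintext secret comes from a vault or the environment, never from source.
    private static final String CLIENT_ID = "abc-trusted-client";
    private static final String CLIENT_SECRET_PLAINTEXT = "abc-secret";

    // Supplied by Spring Boot's Redis auto-configuration (spring.redis.host/port/password).
    @Autowired
    private RedisConnectionFactory redisConnectionFactory;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Bean
    public TokenStore tokenStore() {
        // Every node in the WebSphere cluster reads and writes the same Redis, so a
        // token issued by one node is valid on all of them and revoking it (deleting
        // the key) takes effect cluster-wide. The stored values are bearer tokens:
        // keep Redis reachable only from the cluster, require AUTH, and put TLS in
        // front of it if the network between nodes and Redis is not trusted.
        return new RedisTokenStore(redisConnectionFactory);
    }

    @Bean
    public PasswordEncoder clientSecretEncoder() {
        // BCrypt salts each hash, so the same plaintext yields a different hash on
        // every start; that is fine because only matches() is ever used.
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // .secret() receives the BCrypt hash, not the plaintext. The "implicit"
        // grant from the original configuration is dropped: a confidential client
        // with a secret has no use for it, and it issues tokens in the URL fragment.
        clients.inMemory()
            .withClient(CLIENT_ID)
            .secret(clientSecretEncoder().encode(CLIENT_SECRET_PLAINTEXT))
            .authorizedGrantTypes("password", "authorization_code", "refresh_token")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "trust")
            .accessTokenValiditySeconds(120)
            .refreshTokenValiditySeconds(600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // Same wiring as the in-memory version; only the TokenStore bean changed.
        endpoints.tokenStore(tokenStore())
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // The encoder registered here is what compares the secret a client sends
        // with HTTP Basic auth on /oauth/token against the hash given to .secret().
        oauthServer.realm(REALM + "/client")
                .passwordEncoder(clientSecretEncoder());
    }
}
```

A quick check that tokens really land in Redis rather than in process memory: request a token with the password grant from one node, then run `redis-cli --scan --match 'access:*'` against the configured instance; the access token value appears as a key, and deleting that key makes the token unusable on every node at once.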


Here, I set up an OAuth2 authorization server: https://github.com/zth390872451/oauth2-redis-mysql. If you are Chinese, you can read this blog. If not, I'm sorry about that! In this GitHub project I use the oauth-server as the authorization server; it uses Redis to store the access token, and you only need to configure the datasource and Redis! By copying two classes, AuthAuthorizeConfig and DataStoreConfig, you can use Redis to store the token!

郑青筱 answered Nov 16 '22 02:11


If using Spring Boot, add the dependency to pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis</artifactId>
    <optional>true</optional>
</dependency>

Set up the Redis connection with the appropriate parameters in application.properties:

spring.redis.host=localhost
spring.redis.password=secret
spring.redis.port=6379

Then, add this to your AuthorizationServerConfiguration class and you should be ready to go:

import org.springframework.context.annotation.Bean;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

// accessTokenConverter() is a JwtAccessTokenConverter bean this answer assumes
// is defined elsewhere in the configuration; it is not shown here.
@Bean
public TokenStore tokenStore(RedisConnectionFactory redisConnectionFactory) {
    final RedisTokenStore redisTokenStore = new RedisTokenStore(redisConnectionFactory);
    // Approvals are kept in Redis, backed by the RedisTokenStore
    final TokenApprovalStore tokenApprovalStore = new TokenApprovalStore();
    tokenApprovalStore.setTokenStore(redisTokenStore);
    // The TokenStore handed to the endpoints is the JWT store, with the Redis-backed approval store
    final JwtTokenStore jwtTokenStore = new JwtTokenStore(accessTokenConverter());
    jwtTokenStore.setApprovalStore(tokenApprovalStore);
    return jwtTokenStore;
}
Yan Burtovoy answered Nov 16 '22 01:11