Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Redis Token Store

Tags:

java

spring

oauth

I want to deploy my REST API on a clustered environment. For that, I need to store my OAuth 2.0 tokens in a shared Token store. Currently I'm using Spring Security's InMemoryTokenStore, which can't be shared on multi node cluster. I'm planning to store tokens using Redis.

I found that the latest release of Spring-Security OAuth i.e. 2.8.0 provides RedisTokenStore also. I've some doubts regarding this:

  1. What changes are required for using RedisTokenStore in the existing spring-security xml configuration. Currently I'm using InMemoryTokenStore.

  2. How to make RedisTokenStore shareable with all nodes in the cluster.

  3. Can I use a Redis cluster to store the tokens, in case yes How?

like image 429
Rishab Avatar asked Nov 17 '15 10:11

Rishab


People also ask

Is it safe to store access token in Redis?

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

Where should tokens be stored?

If any of the third-party scripts you include in your page is compromised, it can access all your users' tokens. To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that's only sent in HTTP requests to the server.

Should I store DB refresh token?

Do not store or use OAuth access tokens or refresh tokens on web or mobile clients. OAuth access tokens and refresh tokens should be encrypted and stored in a secure database.


1 Answers

About first question:

First, give you spring-security xml example about redis token store to reference

<!--Use Redis Token Store-->
<beans:bean id="tokenStore"
            class="org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore">
    <beans:constructor-arg name="connectionFactory" ref="redisConnectionFactory"/>
</beans:bean>

<!--create redis connection factory and set db 1-->
<beans:bean id="redisConnectionFactory"
            class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory">
    <beans:property name="hostName" value="localhost"/>
    <beans:property name="port" value="6379"/>
    <beans:property name="password" value=""/>
    <beans:property name="database" value="1"/>
</beans:bean>

Second, you need add spring data redis and jedis jar into your project, I use gradle, add items in dependencies like:

......
compile 'org.springframework.data:spring-data-redis:1.6.2.RELEASE'
compile 'redis.clients:jedis:2.8.0'
......

About sencond question:

If your all nodes of one cluster use one reids server or cluster, your access token will share among all nodes. You can check your redis db data, and track access process to verify this. So you don't worry about it.

like image 85
Gino Avatar answered Oct 14 '22 09:10

Gino