I want to deploy my REST API on a clustered environment. For that, I need to store my OAuth 2.0 tokens in a shared Token store. Currently I'm using Spring Security's InMemoryTokenStore, which can't be shared on multi node cluster. I'm planning to store tokens using Redis.
I found that the latest release of Spring-Security OAuth i.e. 2.8.0 provides RedisTokenStore also. I've some doubts regarding this:
What changes are required for using RedisTokenStore in the existing spring-security xml configuration? Currently I'm using InMemoryTokenStore.
How to make RedisTokenStore shareable with all nodes in the cluster?
Can I use a Redis cluster to store the tokens, and if yes, how?
Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.
If any of the third-party scripts you include in your page is compromised, it can access all your users' tokens. To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that's only sent in HTTP requests to the server.
Do not store or use OAuth access tokens or refresh tokens on web or mobile clients. OAuth access tokens and refresh tokens should be encrypted and stored in a secure database.
About first question:
First, here is a spring-security xml example of a Redis token store for reference:
<!--Use Redis Token Store-->
<beans:bean id="tokenStore"
    class="org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore">
    <beans:constructor-arg name="connectionFactory" ref="redisConnectionFactory"/>
</beans:bean>
<!--create redis connection factory and set db 1-->
<beans:bean id="redisConnectionFactory"
    class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory">
    <beans:property name="hostName" value="localhost"/>
    <beans:property name="port" value="6379"/>
    <beans:property name="password" value=""/>
    <beans:property name="database" value="1"/>
</beans:bean>
Second, you need to add the spring data redis and jedis jars to your project. I use gradle, and add the items in dependencies like:
......
compile 'org.springframework.data:spring-data-redis:1.6.2.RELEASE'
compile 'redis.clients:jedis:2.8.0'
......
About second question:
If all nodes of one cluster use one redis server or cluster, your access tokens will be shared among all nodes. You can check your redis db data, and track the access process to verify this. So you don't need to worry about it.
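For the third question (pointing RedisTokenStore at a Redis Cluster rather than a single server), here is an added XML configuration example; it is not part of the answer above. It assumes Spring Data Redis 1.7 or later, which introduced RedisClusterConfiguration (the 1.6.2 release listed above predates Redis Cluster support), and the node addresses are placeholders for your own seed nodes.

```xml
<!-- Added example: build the connection factory from a Redis Cluster configuration.
     Requires Spring Data Redis 1.7+ (RedisClusterConfiguration); the host:port values are placeholders. -->
<beans:bean id="redisClusterConfiguration"
    class="org.springframework.data.redis.connection.RedisClusterConfiguration">
    <!-- Seed nodes as host:port strings; the client discovers the remaining masters and replicas from them -->
    <beans:constructor-arg>
        <beans:list>
            <beans:value>10.0.0.11:7000</beans:value>
            <beans:value>10.0.0.12:7000</beans:value>
            <beans:value>10.0.0.13:7000</beans:value>
        </beans:list>
    </beans:constructor-arg>
    <!-- Upper bound on MOVED/ASK redirections followed for a single command during resharding -->
    <beans:property name="maxRedirects" value="3"/>
</beans:bean>

<!-- Connection factory driven by the cluster configuration. The hostName/port/database
     properties from the single-node setup are not used here: Redis Cluster only supports database 0. -->
<beans:bean id="redisConnectionFactory"
    class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory">
    <beans:constructor-arg ref="redisClusterConfiguration"/>
</beans:bean>

<!-- Same token store bean as in the single-node configuration; every application node
     that references this factory reads and writes the same token keys -->
<beans:bean id="tokenStore"
    class="org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore">
    <beans:constructor-arg name="connectionFactory" ref="redisConnectionFactory"/>
</beans:bean>
```

Because the cluster holds every user's live access and refresh tokens, the cluster ports (and the cluster bus ports) should be reachable only from the application nodes, in line with the Redis trust-boundary note quoted earlier; the sharing itself needs no extra configuration, since each application node that references this factory operates on the same key space.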