
OAuth2: how should the resource server know if the access token is valid?

#1 Published 2015-03-14 16:18:24Z

I'm implementing an OAuth2 authentication with Spring for our mobile API. So far it works, but I don't know how I should keep the resource server separate. So I have an auth server which gives out tokens and refresh tokens using the password grant type. Meaning the user would log into the mobile app, which sends the auth server the client id/client secret along with the user's credentials, which results in an access token and a refresh token for the user with the appropriate (ROLE_USER) privileges. Another web-based client is for the admins, who do the same and get the ROLE_ADMIN privilege etc.

This works well so far.

Now if any client sends a request to the resource server what should happen? Should the resource server check the token's validity? If so in what way? Or should the auth server copy the token into the resource-server's database?

#2 Dave Syer, replied 2015-03-15 08:58:33Z

If you @EnableResourceServer you get a filter that checks access tokens. It needs to share a TokenStore with the auth server. That's about it to get something working.
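As an added example (not code from the question or from the answer above), here is what a separate resource server built on spring-security-oauth2 looks like when it shares the authorization server's TokenStore through a common database, which is the setup the answer describes. The `DataSource` bean, the `mobile-api` resource id and the `/api/**` paths are assumptions for this illustration; the roles are the ones named in the question.

```java
// Added example: a resource server that validates incoming access tokens by
// reading the same token store the authorization server writes to.
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumed: a DataSource pointing at the database the auth server's
    // JdbcTokenStore populates (its oauth_access_token / oauth_refresh_token tables).
    @Autowired
    private DataSource dataSource;

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // The filter installed by @EnableResourceServer looks each bearer token up
        // here; a token that is unknown, revoked or expired is rejected with 401.
        // "mobile-api" is an assumed resource id that issued tokens must carry.
        resources.resourceId("mobile-api").tokenStore(tokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Authorization uses the roles the auth server attached to the token,
        // so the resource server never needs to see the user's credentials.
        http.authorizeRequests()
            .antMatchers("/api/admin/**").hasRole("ADMIN")
            .antMatchers("/api/**").hasRole("USER")
            .anyRequest().authenticated();
    }
}
```

With a shared store, no token has to be copied between servers: the auth server writes it once and the resource server reads it on every request. If the two servers cannot share a database, the same library offers `RemoteTokenServices`, which asks the auth server's `/oauth/check_token` endpoint to validate each token instead of a `TokenStore`; that trades a local lookup for a network call per request.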
