I tried to implement an example with the usage of jwt token in Spring Boot. It covers register, login, refresh token and lastly logout process. I have a problem in logout process.

我试图通过在Spring Boot中使用JWT令牌来实现一个示例。它包括注册、登录、刷新令牌和最后的注销过程。我在注销过程中遇到问题。

I tried to delete jwt token after logout but I think the process of invalidating the jwt token is the best way to handle with this process.

我试图在注销后删除JWT令牌，但我认为使JWT令牌无效的过程是处理此过程的最佳方式。

Here is the logout method of auth service shown below

下面是auth服务的注销方法如下所示

Here is the logout request shown below

以下是如下所示的注销请求

@Data
@AllArgsConstructor
@NoArgsConstructor
public class LogoutRequest {

    private String token;
}

Here is the logout method of controller

以下是控制器的注销方法

@PostMapping("/logout")
public ResponseEntity<String> logout(@RequestBody LogoutRequest request) {

    return ResponseEntity.ok(authService.logout(request));
}

Here is the getIdFromToken shown below

下面是如下所示的getIdFromToken

public Long getIdFromToken(String token){
    return Long.parseLong(extractClaims(token).getId());
}

Here is deleteByUserId shown below

下面是如下所示的DeleteByUserID

@Override
public int deleteByUserId(Long userId) {

    User user = userService.findById(userId).orElseThrow(() -> new RuntimeException("User not found"));
    return refreshTokenRepository.deleteByUser(user);
}

How can I do that?

我怎么能做到这一点？

Here is the repo : Link

以下是回购：链接

So the answer here is the following:

因此，这里的答案如下：

What you have here is you have built a login, that at successful login you create your JWT in your service and hand out a token directly to the calling client. This is in oauth2 called an implicit flowand was deprecated from the oauth2 rfc because it was found to be insecure.

这里你已经构建了一个登录，在成功登录时，你在你的服务中创建了你的JWT，并直接向调用客户端分发了一个令牌。这在oauth2中被称为隐式流，并从oauth2 rfc中被弃用，因为它被发现是不安全的。

You also have built some sort of custom solution with some sort of thing you call a refresh token, which basically stores an id in some sort of storage.

您还使用所谓的刷新令牌构建了某种定制解决方案，该令牌基本上将ID存储在某种存储中。

So in principal, what you have actually built is some sort of Session authentication containing state, but completely custom, using JWTs.

因此，从原则上讲，您实际构建的是某种包含状态的会话身份验证，但完全是使用JWT定制的。

You have tried to reinvent something that already exists in Spring Security which is called FormLogin which basically does all the things you want the only difference is that FormLogin uses cookies (which has additional security features like httpOnly, Secured, and same-site) but with JWTs.

您试图重新发明Spring Security中已有的东西，称为FormLogin，它基本上可以做您想做的所有事情，唯一的区别是FormLogin使用Cookie(它具有额外的安全特性，如HTTPOnly、Secure和Same-Site)，但带有JWTs。

So you are ending up with the same thing as FormLogin just less secure.

因此，您最终得到的是与FormLogin相同的东西，只是安全性较低。

"Logging out" a JWT isn't really possible. You can only invalidate a JWT by letting it time out. Once a JWT is created with and expiration date is set and then signed, its signed. The contract has been written.

“注销”JWT是不可能的。您只能通过让JWT超时来使其无效。一旦使用创建了JWT，并设置了到期日期，然后对其进行签名，它就会被签名。合同已经写好了。

The problem with your code is that when someone supplies a JWT to your application is that your filter that checks the JWTs just checks if the signage and expiration is still valid.

代码的问题是，当有人向您的应用程序提供JWT时，检查JWT的过滤器只检查标志和过期是否仍然有效。

// Checking the validity and expiration
Jwts.parserBuilder()
    .setSigningKey(getSignInKey())
    .build()
    .parseClaimsJws(authToken);

As long is the signage and time stamp is still valid your JWT will pass through here:

只要标志和时间戳仍然有效，您的JWT就会从这里通过：

if (jwt != null && jwtUtils.validateJwtToken(jwt)) {
    // some other code
}

Which means you never check if the token is actually logged out in your custom refreshToken database, so the filter never understands that anything is logged out.

这意味着您永远不会检查令牌是否已在您的自定义刷新标记数据库中注销，因此筛选器永远不会知道有任何东西已注销。

So you need to do a check here, but remember, you will then in each request done to your service, you have to possibly do 2 database calls. One to check if the token isnt logged out, and a second one to check if the user exists and log them in. Thats 2 database calls for every request, unless you store things in memory, or offload using caches etc.

因此，您需要在这里进行检查，但请记住，在对您的服务完成的每个请求中，您可能需要进行2次数据库调用。一个用于检查令牌是否未注销，另一个用于检查用户是否存在并让他们登录。对于每个请求，这是2个数据库调用，除非您将内容存储在内存中，或者使用缓存等进行卸载。

The bottom line is that, you are basically trying to build FormLogin using JWTs, but less secure and possibly with less good performance and i strongly discourage you from doing so.

归根结底，您基本上是在尝试使用JWTs构建FormLogin，但安全性较差，性能可能也较差，我强烈建议您不要这么做。

You just can't invalidate a JWT.

您只是不能使JWT无效。

What you can invalidate, are the sessions on the OAuth2 authorization server (which delivered the token) and OAuth2 client (to which the token was delivered).

您可以使之无效的是OAuth2授权服务器(传递令牌)和OAuth2客户端(令牌被传递到的)上的会话。

Spring Security client implementation can be configured to do both: perform logout from the authorization server with a post-logout handler on the client.

Spring Security客户端实现可以配置为同时执行这两种操作：在客户机上使用注销后处理程序从授权服务器执行注销。

The thing is that apparently, the application configuration and flows used have nothing to do with OAuth2, which ends to something pretty unsafe and inefficient as pointed in the other answer. You should just trash all that and opt for:

问题是，显然，使用的应用程序配置和流与OAuth2无关，正如另一个答案中指出的那样，OAuth2以一些非常不安全和低效的东西结束。你应该把所有这些都扔掉，选择：

• formLogin (with sessions and CSRF protection) if you don't need externalized authentication (SSO with the rest of your information system) or secured inter micro-services calls


• proper OAuth2 otherwise (with confidential client on your server)