Add support for revoking tokens #298

Open

alvarosanchez opened this issue Aug 29, 2016 · 5 comments

Comments

@alvarosanchez
Contributor

No description provided.

@alvarosanchez alvarosanchez added this to the 2.0.0.M3 milestone Aug 29, 2016
@jeffbliss

Hi!

I just wanted to ask what the status of this issue was and if there was anything I could do to help with this? My colleagues and I are highly interested in this functionality and would love to provide any help if possible.

@alvarosanchez
Contributor Author

It's planned for the next milestone. You can track its progress at https://github.com/alvarosanchez/grails-spring-security-rest/milestone/39

@antondelpiero

I'm not being pushy or anything and I know you are all really busy with Micronaut stuff, but do you have a time frame for this feature? It's almost 2 years since the last reply :)

Thx again

@alvarosanchez alvarosanchez removed this from the 3.0.0 milestone Feb 13, 2020
@longwa
Contributor

longwa commented Apr 2, 2020

There's already partial support for revoking tokens. You just have to implement the tokenStorageService.removeToken method to add to your own block list and then override the loadUserByToken method to check the tokenValue for the block list before returning the UserDetails.

Although, there is one bit missing from this. The default RestLogoutFilter (which we want to use to blacklist tokens when the user explicitly logs out) doesn't call removeToken for the refreshToken, only the accessToken.

I think it should also call tokenStorageService.removeToken for accessToken.refreshToken as well, otherwise if someone has stolen the token, they can just use the refreshToken to request a new one.

I can submit a PR for this if it's helpful.
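The block-list approach described in the comment above, written out as an added example (not code from the plugin or from the commenter). It assumes the plugin's `TokenStorageService` interface with the three methods named in the thread (`loadUserByToken`, `storeToken`, `removeToken`) and the `TokenNotFoundException` type; the decorator class name, the in-memory block list and the `revokeSession` helper are assumptions made for illustration. The decorator wraps whatever storage the application already uses, so a stateless JWT storage that cannot forget a token still ends up rejecting it, and the logout helper revokes the refresh token alongside the access token, which is the gap the comment points out.

```groovy
import grails.plugin.springsecurity.rest.token.storage.TokenStorageService
import grails.plugin.springsecurity.rest.token.storage.TokenNotFoundException
import java.util.concurrent.ConcurrentHashMap

/**
 * Hypothetical decorator around an existing TokenStorageService that adds a
 * block list. Any token passed to removeToken is refused by loadUserByToken
 * from then on, regardless of what the wrapped storage does.
 */
class BlockListTokenStorageService implements TokenStorageService {

    private final TokenStorageService delegate

    // Constructed in-memory block list for the example. A real deployment would
    // back this with a shared store (database table, cache) so every node sees
    // the same revocations and they survive a restart.
    private final Set<String> blockedTokens = ConcurrentHashMap.newKeySet()

    BlockListTokenStorageService(TokenStorageService delegate) {
        this.delegate = delegate
    }

    @Override
    Object loadUserByToken(String tokenValue) throws TokenNotFoundException {
        // Check the block list before the delegate can resolve the token to a
        // principal; a revoked token must never yield UserDetails.
        if (blockedTokens.contains(tokenValue)) {
            throw new TokenNotFoundException("Token has been revoked")
        }
        return delegate.loadUserByToken(tokenValue)
    }

    @Override
    void storeToken(String tokenValue, Object principal) {
        delegate.storeToken(tokenValue, principal)
    }

    @Override
    void removeToken(String tokenValue) throws TokenNotFoundException {
        // Block first so the revocation holds even if the delegate fails.
        blockedTokens.add(tokenValue)
        try {
            delegate.removeToken(tokenValue)
        } catch (UnsupportedOperationException ignored) {
            // Stateless storages (e.g. signed JWTs) have nothing to delete;
            // the block list entry is what makes the revocation effective.
        }
    }

    boolean isBlocked(String tokenValue) {
        blockedTokens.contains(tokenValue)
    }

    /**
     * Hypothetical logout helper: revoke both halves of a session. Revoking
     * only the access token leaves the refresh token usable to mint a new one.
     */
    void revokeSession(String accessTokenValue, String refreshTokenValue) {
        removeToken(accessTokenValue)
        if (refreshTokenValue) {
            removeToken(refreshTokenValue)
        }
    }
}
```

To wire this in, register the decorator as the `tokenStorageService` bean in `resources.groovy` with the original storage bean as its constructor argument, and have the logout handling call `revokeSession` with both values from the `AccessToken`; the refresh token is the part the default filter currently leaves unrevoked.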

@jdaugherty
Contributor

#521 will add the necessary endpoints to implement revocation support.


5 participants