Refreshing expired JWT token automatically in Spring


My question: suppose I've two APIs (two different microservices) and one batch service, e.g. API_A: which is protected using Spring Security JWT. API_B: which will generate the JWT token to access API_A. SERVICE_C: which wants to consume/produce data using API_A.

So our workflow is like this: SERVICE_C will be invoked by the client and then it'll call API_B to fetch the JWT & refresh token to access API_A.

So here I need to keep track of the expiration time of the JWT token, and once it has expired I need to call API_B again using the refresh token to get a new JWT token, and for all of this I am using RestTemplate & Feign client.

My question is: don't we have any kind of code or functionality available in Spring which keeps track of that expiration time by itself and refreshes it automatically when needed (using OAuth2 or anything)? Because in the Quarkus framework I've seen this functionality is available using OIDC.

3

There are 3 best solutions below

0
Kareem Adel On

Use token stores, such as an in-memory store or a JDBC-backed store. The token store can handle token persistence and retrieval.

0
ch4mp On

If what you call API_x are REST APIs authorized with access tokens, then these are resource servers. The Boot dependency for OAuth2 resource servers is spring-boot-starter-oauth2-resource-server.

Token generation is the authorization server's role, not the resource server's. This OAuth2 authorization server can be standalone (like Keycloak), a cloud offering (like Auth0, Cognito, Okta and many more) or do-it-yourself, but using a framework like spring-authorization-server. Implementing authorization server features like token generation yourself is not recommended unless you have a deep understanding of OAuth2 and OpenID, which I doubt.

Token acquisition and refreshing is the OAuth2 client's role, and of course Spring Security covers that. The Boot dependency for OAuth2 clients is spring-boot-starter-oauth2-client. It comes with auto-configuration for provider declaration, client registration and client authorization.

How Spring OAuth2 client features integrate with the REST client you choose for machine-to-machine communication (WebClient, RestClient or @FeignClient) depends on that client, so refer to its manual.

0
Wijayanga Wijekoon On

Yes, in Spring Security, you can indeed achieve automatic token refresh functionality using OAuth2 and specifically OAuth2's Refresh Token Grant. Spring Security provides support for OAuth2 and includes features for handling access tokens and refresh tokens.

  1. Configure OAuth2 Client: Set up OAuth2 client configuration in your Spring Boot application to authenticate with API_B and obtain the access token and refresh token.

  2. Use Refresh Token Grant: Configure your OAuth2 client to use the Refresh Token Grant type. This allows your application to use a refresh token to obtain a new access token when the current access token expires.

  3. Handle Token Expiry: Implement logic in your application to detect when the access token is about to expire. You can use the expiration time provided in the JWT token to determine when to refresh the token.

  4. Automatically Refresh Token: When the access token is about to expire, automatically trigger a token refresh by using the refresh token obtained during the initial authentication.

  5. Update Token in Authorization Header: After obtaining the new access token, update the authorization header in your HTTP requests to API_A with the new token to ensure continued access.

Spring Security provides support for managing OAuth2 tokens and handling token refresh securely and efficiently. You can leverage Spring Security's OAuth2 features along with Spring Boot's auto-configuration capabilities to simplify the implementation of token refresh functionality in your application.

By following the above, you can achieve automatic token refresh in your Spring Boot application, similar to the functionality available in the Quarkus framework using OIDC.
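The configuration the two answers above describe (ch4mp's "OAuth2 client role" and the five steps listed by Wijayanga), as one added example that is not code from the question or either answer. It assumes Spring Boot 3.x with spring-boot-starter-oauth2-client and Spring Framework 6.1+ (for RestClient); the registration id "api-b", the principal name "service-c", the API_A base URL and the property values in the comment are hypothetical placeholders. Expiry tracking and refreshing are delegated to Spring Security's OAuth2AuthorizedClientManager, so SERVICE_C never inspects the JWT's exp claim itself.

```java
// Added example, not from the original question or answers.
// Assumed hypothetical application.yml for the "api-b" registration:
//
//   spring.security.oauth2.client.registration.api-b.client-id: service-c
//   spring.security.oauth2.client.registration.api-b.client-secret: ${API_B_SECRET}
//   spring.security.oauth2.client.registration.api-b.authorization-grant-type: client_credentials
//   spring.security.oauth2.client.registration.api-b.provider: api-b
//   spring.security.oauth2.client.provider.api-b.token-uri: https://api-b.example.internal/oauth2/token
package example.oauth2client;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.web.client.RestClient;

@Configuration
public class ApiAClientConfig {

    /**
     * Hands out a currently valid access token for the "api-b" registration.
     * refreshToken() renews the token with the refresh-token grant once it is within
     * the provider's default 60 s clock skew of expiring; clientCredentials() requests
     * a brand-new token when there is no refresh token to use. The ClientRegistrationRepository
     * and the (in-memory) OAuth2AuthorizedClientService are auto-configured by Boot.
     */
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService clientService) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .refreshToken()
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    /**
     * RestClient for API_A. The interceptor asks the manager for a token on every call,
     * so the Authorization header always carries an unexpired (possibly just refreshed)
     * access token; no expiry bookkeeping lives in SERVICE_C.
     */
    @Bean
    RestClient apiAClient(OAuth2AuthorizedClientManager manager) {
        return RestClient.builder()
                .baseUrl("https://api-a.example.internal")   // hypothetical API_A address
                .requestInterceptor((request, body, execution) -> {
                    OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
                            .withClientRegistrationId("api-b")
                            .principal("service-c")   // machine identity; there is no end user here
                            .build();
                    OAuth2AuthorizedClient client = manager.authorize(authorizeRequest);
                    if (client == null) {
                        // Fail closed: never send the request without a token.
                        throw new IllegalStateException("could not authorize client registration 'api-b'");
                    }
                    request.getHeaders().setBearerAuth(client.getAccessToken().getTokenValue());
                    return execution.execute(request, body);
                })
                .build();
    }
}
```

Two caveats a practitioner should check. First, RFC 6749 says an authorization server should not issue a refresh token for the client_credentials grant, so with most providers the refreshToken() provider never engages for a machine-to-machine client; clientCredentials() simply fetches a new token after the old one expires, which gives the same "automatic refresh" behaviour from API_A's point of view. Second, the auto-configured OAuth2AuthorizedClientService is in-memory, so every instance of SERVICE_C keeps its own token and re-authorizes after a restart; if that is a problem, supply a JDBC-backed OAuth2AuthorizedClientService bean instead, as Kareem Adel's answer suggests.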