
I integrated Spring Cloud Gateway with OAuth2 login. After logout in SCG, the user can still access the resource server because the user has a valid token. I need to invalidate this valid token in some way. There is a blacklist solution according to my research (https://stackoverflow.com/a/53994938/5079581) and I will implement this.

By creating a filter, I take the JWT in the "/logout" step and put it in a blacklist.

import java.util.List;

import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;

import reactor.core.publisher.Mono;

public class ExampleWebFilter implements WebFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        ServerHttpRequest request = serverWebExchange.getRequest();
        // Request path relative to the application context, e.g. "/logout"
        String uri = request.getPath().pathWithinApplication().value();
        HttpHeaders headers = request.getHeaders();
        if (uri.equals("/logout")) {
            // HttpHeaders.get(...) returns null when the header is absent from the request
            List<String> auth = headers.get(HttpHeaders.AUTHORIZATION);
        }

        return webFilterChain.filter(serverWebExchange);
    }

}

The auth list always returns null. I think that my filter runs before the token relay filter. How can I access the JWT at the gateway? Is there any code sample or demo for this? Thanks.

denizg
  • Could you please post your answer if you have already solved it? I am having the same problem and trying to fix it. – Naveen May 21 '20 at 01:36

1 Answer


In the Spring Cloud Gateway + Security OAuth2 integration, JWTs are stored in the gateway as session. At first, I thought there was an error about saving the JWT as session, as it becomes stateful. But when you log out, this session is removed and there is no JWT anymore, so there is no need to create a blacklist. This way of working is a clever solution.

So, what was my problem? I had 2 separate servers (gateway, OAuth2 server). Two sessions are created as a result of the operation: SESSION for the gateway, JSESSION for the OAuth2 server. When you log out at the gateway, only SESSION is removed, but JSESSION is still alive. Because of that, the gateway goes to the OAuth server (where the user is still signed in) and gets a new JWT.

To log out completely from the system, you also need to log out from the OAuth2 server at the same time.

denizg