
I have some users who are accessing some APIs with a valid JWT token, but because their tasks on their side take much more time than the token's expiry time, when they come back to the API the JWT token has already expired. They shouldn't refresh their token; they have to come back with the same token and reach some APIs even with the expired token.

I am using the spring.security.oauth2.resourceserver to authenticate with our authorization server.

So, what I am trying to achieve is this: if the token's origin is correct and it is in the correct format, I need to accept the request even with the expired token.

Yes, I know this does not seem like a good approach, but if it is possible, please educate me.

I already read about ClientHttpRequestInterceptor from here and dived into the source code of the resource server, but couldn't find the appropriate way.

Adil Karaöz

1 Answer


I totally advise you not to do that, because if some malicious user steals a JWT from someone, he will be able to request protected resources forever, because the token won't expire. What you should do in this scenario is refresh the token; please head over to the docs for refreshing the access token.

But for knowledge purposes, it is possible to provide a custom JwtDecoder that can validate a JWT the way you want. You should just expose a @Bean of the type JwtDecoder with your specific configuration, like so:

@Bean
public JwtDecoder jwtDecoder() {
    // Your own OAuth2TokenValidator<Jwt> implementation decides which claims are checked
    // (the default chain validates the exp/nbf timestamps; a custom one may relax that).
    OAuth2TokenValidator<Jwt> myCustomJwtValidator = new MyImplementationOfOAuth2TokenValidator();
    // myPublicKey is the RSAPublicKey used to verify the token signature; signature
    // verification is still performed by the Nimbus decoder regardless of the validator.
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withPublicKey(myPublicKey).build();
    // Replaces the default validator chain with the custom one.
    jwtDecoder.setJwtValidator(myCustomJwtValidator);
    return jwtDecoder;
}

You can find more details on the documentation.
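Concretely, one way to compose such a validator chain for a resource server (an added example, not the answerer's code; the issuer, JWK Set URI and audience values are hypothetical placeholders). It keeps the signature and issuer checks, bounds the expiry leniency with JwtTimestampValidator's clock skew instead of dropping the timestamp check, and additionally requires an audience claim so a token minted for another service is rejected:

```java
import java.time.Duration;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Hypothetical values; substitute your authorization server's issuer and JWK Set URI.
    private static final String ISSUER = "https://auth.example.com";
    private static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";
    private static final String EXPECTED_AUDIENCE = "long-running-api";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Signature verification stays with the Nimbus decoder (keys fetched from the JWK Set URI).
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();

        // Bounded grace period for "exp"/"nbf" instead of disabling the timestamp check:
        // a token is still rejected once it is more than 10 minutes past its expiry.
        OAuth2TokenValidator<Jwt> timestamps = new JwtTimestampValidator(Duration.ofMinutes(10));
        OAuth2TokenValidator<Jwt> issuer = new JwtIssuerValidator(ISSUER);

        // Extra check: the token must have been issued for this API, so a token taken from
        // another service is not accepted here even inside the grace period.
        OAuth2TokenValidator<Jwt> audience = jwt -> {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(EXPECTED_AUDIENCE)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "Required audience is missing", null));
        };

        // All three validators must pass; the first failure is reported to the caller.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuer, timestamps, audience));
        return decoder;
    }
}
```

The clock skew value is the only knob that loosens expiry; pick it to cover the realistic task duration rather than unbounded.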

  • Thank you for your advice. As I indicated, I only need this for some APIs. That's why I need to get a request at that point and proceed to execute it. Something like this, for example:

        .jwt().decoder(jwtDecoder()).and().authenticationEntryPoint(new AuthenticationEntryPoint() {
            @Override
            public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
                log.info("sadasdad");
            }
        });

    What I need here at the log point is something like res.proceed – Adil Karaöz Jun 14 '21 at 10:19