How-to: Configure and use opaque tokens

[vishu221b]

Publish a guide on How-to: Configure and use opaque tokens

Description
Currently there are resources around how to configure and set up JWT token flow but the resources around how to configure and use opaque tokens are missing. This would be useful for those cases where the need is not to expose any data (even to the resource owner) available in JWT claims which can be decoded and accessed by anyone having access to the JWT token.

recommended for inclusion in: gh-499

[sjohnr]

@vishu221b, thanks for suggesting this!

I thought we already had an "opaque tokens" how-to issue, but I can't seem to find one. At the moment, I'm not sure this topic rises to the level of needing a how-to guide because it is covered in the reference, but perhaps others in the community can chime in (and 👍 the issue) to let us know.

For the time being, see this comment for some resources:

Regardless, I think the main question being asked here is "How do I use opaque tokens?" which is covered in the reference manual (simply set TokenSettings#accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED) on the RegisteredClient.tokenSettings). You can use the JdbcOAuth2AuthorizationService (or provide your own) to store tokens in the database.

Also, take a look at Configuring and Extending Spring Authorization Server (recent talk from SpringOne Essentials in January, 2023) where we configure and demo use of opaque tokens.

[DevDengChao]

I'd like to know how to perform MockMVC tests with opaque tokens when the Authorization Server and the Resource Server are in the same app.

I found https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/oauth2/resource-server/opaque this example, but it uses a standalone authorization server when testing, and dose not told us how to modify it to bundle an authorization server into it.

I tried to modify the jwt token based client to a opaque token client, and set the introspectionUri to http://localhost:8080/oauth2/introspect, but failed, because the mock server's port is random generated, and I don't want to hard code it to 8080 as the testing progress maybe parallel.

[sjohnr]

@DevDengChao, thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. Feel free to update this issue with a link to the re-posted question (so that other people can find it).

If you would like to submit a request for a How-to guide, please open a new issue linked to gh-499.