Thread: Check if a token is still valid

  1. #1
    Join Date
    Oct 2010
    Posts
    10

    Check if a token is still valid

    I'm new to all this OAuth stuff, but I have Spring OAuth 2.0 working in an application now and I'm starting to have more questions that aren't answered in the documentation. I have a mobile app that is requesting an accessToken using Resource Owner Password Credentials. So when the app launches, we ask the user to log in with their username/password and then ask for the token. I get the accessToken and then I save the token for use with all further requests. That is working. What I want to do is, on launch, check if we already have an access token and if so, skip the username/password bit (just log them in). In order to do this, I need to be able to ask the server if the token is valid. How do I do that? I assume there is an endpoint for that, but I don't know what it is...

    A separate but related question: I can't find any documentation on all the exposed OAuth resources. In the examples, they always have an http block for all the "protected OAuth resources" but none of them seem to work for me. Things like /oauth/users, /oauth/clients. I would also like to be able to ask for a user's tokens to display them on an account page. I would assume those endpoints would help me in both of these problems.

    Any help is appreciated!
    Thanks
    Andrew

  2. #2
    Join Date
    Jun 2005
    Posts
    4,230

    There is no standard endpoint to check a token, but it's quite easy to provide one if you want to (e.g. https://github.com/cloudfoundry/uaa/...nEndpoint.java). It's usually not the role of a client to do that though - tokens are supposed to be opaque to clients, and the client's job normally is to use the token and respond to 401 and 403 responses appropriately.

    The token admin endpoints worked for me last time I tried them. They are mainly there for testing purposes (not part of the spec and only included in samples), but if you wanted to expand them into a UI that would be a good starting point. What is it that isn't working exactly?
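
The client behaviour described in this reply, as an added example that is not part of the original post or of Spring Security OAuth: the app treats the stored token as opaque, simply uses it on launch, and reacts to 401 and 403. `Session`, `Tokens`, `NeedLogin`, `Forbidden`, `fake_server` and the token values are hypothetical names, and the example assumes the server also issues a refresh token.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tokens:
    access: str
    refresh: Optional[str] = None

class NeedLogin(Exception):
    """No usable token left: show the username/password screen."""

class Forbidden(Exception):
    """Token was accepted but lacks permission for this resource."""

class Session:
    def __init__(self, call_api, refresh_grant, stored=None):
        self.call_api = call_api            # (path, access_token) -> (status, body)
        self.refresh_grant = refresh_grant  # (refresh_token) -> Tokens or None
        self.tokens = stored                # whatever was saved at last login

    def get(self, path):
        if self.tokens is None:
            raise NeedLogin("no stored token")
        status, body = self.call_api(path, self.tokens.access)
        if status == 401:  # expired or revoked: try the refresh grant once
            refresh = self.tokens.refresh
            self.tokens = self.refresh_grant(refresh) if refresh else None
            if self.tokens is None:
                raise NeedLogin("refresh failed")
            status, body = self.call_api(path, self.tokens.access)
            if status == 401:
                self.tokens = None
                raise NeedLogin("refreshed token rejected")
        if status == 403:  # refreshing will not help; do not discard the token
            raise Forbidden(path)
        return body

# Constructed in-memory stand-in for the resource server and token endpoint.
def fake_server(valid_access, valid_refresh="r-good"):
    def call_api(path, token):
        if token not in valid_access:
            return 401, None
        return (403, None) if path.startswith("/admin") else (200, {"path": path})
    def refresh_grant(refresh_token):
        return Tokens("a-new", refresh_token) if refresh_token == valid_refresh else None
    return call_api, refresh_grant
```

On launch the app calls `get()` with whatever token it has stored and only shows the login screen when `NeedLogin` is raised.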

  3. #3
    Join Date
    Oct 2010
    Posts
    10

    Quote Originally Posted by Dave Syer View Post
    There is no standard endpoint to check a token, but it's quite easy to provide one if you want to (e.g. https://github.com/cloudfoundry/uaa/...nEndpoint.java). It's usually not the role of a client to do that though - tokens are supposed to be opaque to clients, and the client's job normally is to use the token and respond to 401 and 403 responses appropriately.
    That is what I was starting to think yesterday. Just handle the errors as the token is invalid so get a new one/refresh. I'll check out the class, thanks!

    Quote Originally Posted by Dave Syer View Post
    The token admin endpoints worked for me last time I tried them. They are mainly there for testing purposes (not part of the spec and only included in samples), but if you wanted to expand them into a UI that would be a good starting point. What is it that isn't working exactly?
    Mainly, I just don't know how I'm supposed to use them. What are they expecting? /oauth/users/my_user_name? What should I get back? Any time I try something like /oauth/users/mruser I just get a 404. So it seems like they aren't there. I only have password authentication within my authorization-server element. I noticed that /oauth/authorize goes away when you remove oauth:authorization-code, so was thinking maybe I just don't have those endpoints enabled in the config somewhere.

    Thanks again

  4. #4
    Join Date
    Jun 2005
    Posts
    4,230

    Quote Originally Posted by serff View Post
    What are they expecting? /oauth/users/my_user_name?
    Look in the sparklr sample. The AdminController has a mapping @RequestMapping("/oauth/users/{user}/tokens"). It's not enabled by the XML DSL - like I said before this is not a core feature, just a demo.
