spring-security-oauth2

I am using Spring Security OAuth2 and JWT tokens. My question is: How can I revoke a JWT token? As mentioned here http://projects.spring.io/spring-security-oauth/docs/oauth2.html , revocation is done by refresh token. But it does not seem to work. João Angelo In general the easiest answer would be to say that you cannot revoke a JWT token, but that's simply not true . The honest answer is that the cost of supporting JWT revocation is sufficiently big for not being worth most of the times or plainly reconsider an alternative to JWT. Having said that, in some scenarios you might need both JWT

So I have the following Authorization Server condensed from this example from Dave Syer @SpringBootApplication public class AuthserverApplication { public static void main(String[] args) { SpringApplication.run(AuthserverApplication.class, args); } /* added later @Configuration @Order(Ordered.HIGHEST_PRECEDENCE) protected static class MyWebSecurity extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http //.csrf().disable() .authorizeRequests() .antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll(); } }*/ @Configuration

I am migrating from Spring Boot 1.4.9 to Spring Boot 2.0 and also to Spring Security 5 and I am trying to do authenticate via OAuth 2. But I am getting this error: java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null From the documentation of Spring Security 5 , I get to know that storage format for password is changed. In my current code I have created my password encoder bean as: @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } However it was giving me below error: Encoded password does not look like BCrypt So I

I have seen in some oauth2 implementations additional information on the response returned by the authorization server when it issues access tokens. I'm wondering if there is a way to accomplish this using spring-security-oauth2. I would love to be able to include some user authorities on the access token response so that my consuming applications don't need to manage the user authorities but can still set the user on their own security contexts and apply any of their own spring-security checks. How would I get that information on the access token response? How would I intercept that