I have an application that uses Grails 3.1, Spring Security, and Spring Security REST.
In my User entity, I have the accountExpired field, which, when set to true, prevents the user from accessing the web system.
However, in the mobile application, I obtain an access token and a refresh token that never expire. In other words, the user logs in once and remains logged in until they perform a logout.
Since accountExpired doesn't invalidate the refresh token, I need a way to invalidate the user's access in the mobile application.
Does anyone know how to achieve this?
You might want to look into Grails interceptors, which will intercept all calls and give you the chance to kick them out...
https://grails.org/blog/2015-03-01.html
If that's not good enough, you might have to write a security servlet filter and inherit from AbstractAuthenticationProcessingFilter. That's a lot more tricky, though very doable if you need it.
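The interceptor approach above, written out as an added example (it is not code from the question or the answer). It assumes a Grails 3.1 app with spring-security-core and spring-security-rest, a `User` domain class with the `accountExpired` boolean the question mentions, and the injected `springSecurityService` bean; the class name, package, and the JSON error body are made up for the illustration. Because spring-security-rest resolves the bearer token in the filter chain before controllers run, `springSecurityService.currentUser` inside the interceptor is the user the token belongs to, so the check happens on every API call regardless of how long the token or refresh token lives.

```groovy
package example.security

import grails.plugin.springsecurity.SpringSecurityService

/**
 * Added example: rejects every request whose authenticated user has
 * accountExpired == true, even if their access/refresh tokens are still valid.
 * Grails wires this class as an interceptor because its name ends in "Interceptor".
 */
class AccountExpiredInterceptor {

    // Injected by Grails from spring-security-core (assumption: plugin is installed).
    SpringSecurityService springSecurityService

    AccountExpiredInterceptor() {
        // Apply to every controller/action except the login and logout endpoints,
        // so a disabled user can still reach logout and an error page never loops.
        matchAll()
            .excludes(controller: 'login')
            .excludes(controller: 'logout')
    }

    /** Runs before the action; returning false stops the request. */
    boolean before() {
        // Anonymous requests are left to the normal Spring Security rules.
        if (!springSecurityService.isLoggedIn()) {
            return true
        }

        // Reload the domain object so a freshly set accountExpired flag is seen
        // immediately, rather than a stale value cached in the principal.
        def user = springSecurityService.currentUser
        if (user == null) {
            return true
        }

        if (user.accountExpired) {
            // Return a JSON error the mobile client can act on (e.g. force re-login).
            render(status: 401,
                   contentType: 'application/json',
                   text: '{"error":"account_expired","message":"Access revoked"}')
            return false
        }

        true
    }

    boolean after() { true }

    void afterView() { }
}
```

Place the file under `grails-app/controllers/example/security/` so Grails registers it automatically. Since the decision is made per request against the current value of `accountExpired`, flipping that field in the database is enough to lock the mobile user out on their next call; the refresh endpoint may still issue a new token, but any token it issues is rejected here as long as the flag stays set.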