ScRsa, 2016-10-21 07:49:51
Java

What is the correct way to cancel authorization after the expiration of the token lifetime?

There is an authorization service built on Spring Security:

    // In a class extending AuthorizationServerConfigurerAdapter
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("...")
            .secret("...")
            .autoApprove(true)
            .authorizedGrantTypes("password", "authorization_code", "refresh_token")
            .scopes("read", "write")
            .accessTokenValiditySeconds(5)      // access token lives 5 seconds
            .refreshTokenValiditySeconds(60);   // refresh token lives 60 seconds
    }

There is a client:

    // In a class extending WebSecurityConfigurerAdapter
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true).clearAuthentication(true).permitAll()
            .and().antMatcher("/**").authorizeRequests()
            .antMatchers("/login", "/logout").permitAll()
            .anyRequest().authenticated();
    }

The client logs in and renews the authorization using the refresh_token without problems, but if the refresh_token lifetime has expired, the client continues to assume that the user is authorized, although the authorization service returned the error "Handling error: InvalidTokenException, Invalid refresh token (expired): eyJhbG....".

How do I properly configure authorization so that, after the token lifetime expires, the user is redirected to the authorization page?
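Added example (not the asker's code): a plain servlet filter for the client application that reads the exp claim of the refresh token JWT kept in the HTTP session and, once it has passed, invalidates the session and redirects to the login page instead of leaving the user marked as authenticated. The class name and the session attribute name are assumptions; this local check only complements the authorization server's own rejection of the expired refresh token, which remains authoritative.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter placed in front of the protected client routes. It ends the
// local session as soon as the refresh token has expired, so the client stops
// treating the user as authenticated when a refresh can no longer succeed.
public class RefreshTokenExpiryFilter implements Filter {

    // Assumed attribute under which the client app stores the refresh token JWT.
    static final String REFRESH_TOKEN_ATTR = "oauth2.refresh_token";
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    // Reads the exp claim from the (unverified) JWT payload. This is only a liveness
    // check on the client side; the authorization server still validates the token.
    static boolean isExpired(String jwt, Instant now) {
        try {
            String[] parts = jwt.split("\\.");
            String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            Matcher m = EXP_CLAIM.matcher(payload);
            // Fail closed: a token without a readable exp claim is treated as expired.
            return !m.find() || Instant.ofEpochSecond(Long.parseLong(m.group(1))).isBefore(now);
        } catch (RuntimeException e) {   // not a JWT, malformed base64, or unparsable exp
            return true;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String refreshToken = session == null ? null : (String) session.getAttribute(REFRESH_TOKEN_ATTR);
        if (refreshToken != null && isExpired(refreshToken, Instant.now())) {
            session.invalidate();                       // drop the stale local authentication
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```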
