-
Notifications
You must be signed in to change notification settings - Fork 4.1k
[SECOAUTH-435] Access Token is always reset when refresh token is used. #142
Comments
We are seeing the same issue here and were looking at customizing default token services to reuse the token, but before we do so, there is one line that we would like to understand a bit more.
When I look at the implementation of creating the access token in the JdbcTokenStore, it is just blowing away the old token and saving a new one, no matter what. There is no dirty checking. What about the authentication could have changed? Can you see any harm in reusing the access token until it is expired? Thank you for your help |
A little more info for you, we are using the DefaultAuthenticationKeyGenerator, which means that if scopes/username/client change, we are never going to find the old access token, so the chances of the authorization changing seems unlikely. |
Hi, Example: If the refresh of the access token is faster, the first resource request would end in an error "Invalid Access Token", because the "old" access token was deleted. This arises often on mobile systems and on desktop systems (with fast network) with high request payloads on the resource service requests too. In other threads I read about stopping all other requests until the refresh process is over.
The original reason for the current implemented approach as explained by the source code comments is the prevention of many refresh requests. So that the client could not create a hugh amount of access tokens. |
Hi, |
Presently, a new access token is granted on each call using grant_type=refresh_token. Unfortunately this makes support of multi-threaded clients difficult. I would like to be able to optionally return the same access token until that token expires. At that point in time, a new token would be generated and returned.
With this approach, a client could potentially spawn multiple threads as might be expected between systems that exchange large amounts of information. Without the approach, the client must implement its own token sharing system which is onerous and redundant. A configurable option allows either the traditional approach or the new, shared, behavior. As best as I can tell, the RFC does not stipulate the intended behavior one way or the other.
This change requires a fairly minor modification to DefaultTokenServices.refreshAccessToken (and setters):
If agreement on the change is established, I'm happy to contribute the new code. Unfortunately this is the first time I've submitted to GitHub Open Source, however, so it may take me a bit to establish the process.
Comments:
david_syer on Mon, 30 Dec 2013 10:52:33 +0000
alanh on Mon, 30 Dec 2013 20:48:38 +0000
david_syer on Tue, 31 Dec 2013 08:15:19 +0000
alanh on Mon, 6 Jan 2014 16:49:55 +0000
The text was updated successfully, but these errors were encountered: