OAuth2RestTemplate does not account for network latency / clock skew

[prowe]

When making a request via OAuth2RestTemplate (In our case we are using client credentials), The getAccessToken method checks if the token is expired and if so, requests a new token:

OAuth2AccessToken accessToken = context.getAccessToken();

if (accessToken == null || accessToken.isExpired()) {
try {
	accessToken = acquireAccessToken(context);
}

If the token is 1ms from expiration then this code will still attempt to use the token. The server will reject this token when it receives it (This is also a problem if the server/client have small difference in clocks).

It seems like the best-practice would be to refresh the token ahead of the actual expiration by some small grace period (i.e. 5 seconds).

[prowe]

I think this would also fix #1287

[michael-pratt]

+1 for this. I also have found an edge case in our system where the token passes the isExpired check, but the receiving service rejects it for being expired. It would be great if either the token or OAuth2RestTemplate could do the expiry check with some configurable padding.

[jgrandja]

Closing as duplicate of #1287