check-token-endpoint-url attribute does not affect

[tiwatsuka]

When I used xml for configuring authorization server, "check-token-endpoint-url" attribute in the "authorization-server" tag did not affect.
I found that the setting is enabled only when "token-endpoint-url" or "authorization-endpoint-url" attribute are specified.
I think this limitation is not reasonable.

Please see below.
https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java#L314

[jgrandja]

Hi @tiwatsuka The authorization-endpoint or token-endpoint both are able to return access tokens depending on the grant type. So it makes sense that the check-token-endpoint is enabled if at least one of these endpoints are enabled.

Can you please explain why you think this is unreasonable?

It would be helpful if you can supply the full xml configuration you are using so I can better understand.

[tiwatsuka]

Hi @jgrandja.

The check-token-endpoint is used always with authorization-endpoint or token-endpoint as you say.
However, the URLs of the endpoints should be able to set independently.

Currently, the setting below doesn't change the URL of the check-token-endpoint.

<oauth2:authorization-server client-details-service-ref="clientDetailsService"
    token-services-ref="tokenServices"
    check-token-enabled="true"
    check-token-endpoint-url="/oauth/check">

To enable it, I have to add setting for another endpoint.

<oauth2:authorization-server client-details-service-ref="clientDetailsService"
    token-services-ref="tokenServices"
    check-token-enabled="true"
    check-token-endpoint-url="/oauth/check"
    token-endpoint-url="/oauth/token">

Is there any reason for that?

[jgrandja]

Thanks @tiwatsuka for clarifying. Yes you are correct, we should be able to change the check-token-endpoint-url independently from authorize-endpoint-url or token-endpoint-url.

I'll apply that change.

[jgrandja]

Thanks for reporting this @tiwatsuka.
The change has been applied to master.