  • Authorization flow fails when both access token and refresh token are expired

    I'm testing against sparklr2, tonr2 (build - 1.0.0M6)

    Config modification to sample app
    sparklr2 spring-servlet.xml:
    - added "refresh_token" grant type to client
    <oauth:client client-id="tonr" resource-ids="sparklr" authorized-grant-types="authorization_code,implicit,refresh_token"
    authorities="ROLE_CLIENT" scope="read,write" secret="secret" />

    - changed refresh token validity ==> 60 sec, access token validity ==> 30 sec
    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore" />
    <property name="supportRefreshToken" value="true" />
    <property name="refreshTokenValiditySeconds" value="60" />
    <property name="accessTokenValiditySeconds" value="30" />

    </bean>

    Test case:
    - wait more than about 1 min after the first authorization flow and showing the pics
    - go to /tonr2/sparklr/photos

    It first redirects to the approval page, and when the user approves, it shows the approval page again and again.

    logs say:

    sparklr2 21:37:43.737 [DEBUG] DefaultWebResponseExceptionTranslator - OAuth error. <error="invalid_grant", error_description="Invalid refresh token: bc070a31-9f4b-4a0d-9a35-6e40a0fd73f2">error="invalid_grant", error_description="Invalid refresh token: bc070a31-9f4b-4a0d-9a35-6e40a0fd73f2"
    at org.springframework.security.oauth2.provider.token.DefaultTokenServices.refreshAccessToken(DefaultTokenServices.java:123)
    at org.springframework.security.oauth2.provider.refresh.RefreshTokenGranter.grant(RefreshTokenGranter.java:52)
    at org.springframework.security.oauth2.provider.CompositeTokenGranter.grant(CompositeTokenGranter.java:40)
    at org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(TokenEndpoint.java:74)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)



    I guess when OAuth2RestTemplate gets a 400 from sparklr2/oauth/token the first time
    (tonr2 21:37:28.914 [WARN] RestTemplate - POST request for "http://localhost:8380/sparklr2/oauth/token" resulted in 400 (Bad Request); invoking error handler)
    it should remove the context (access and refresh tokens).

    But it seems like it keeps sending the expired refresh token constantly!


    Any ideas?
    Last edited by enkhchuluun; Jun 7th, 2012, 08:03 AM.

  • #2
    Yes, that looks like a bug. Please raise a JIRA ticket. If you want to fix it, look at AuthorizationCodeAccessTokenProvider.refreshAccessToken().


    • #3
      OK, thanks~

      I've submitted a JIRA issue: https://jira.springsource.org/browse/SECOAUTH-279
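
The client behaviour proposed in the first post (on a 400 `invalid_grant` from the token endpoint, drop the stored tokens and restart authorization instead of resending the rejected refresh token), as an added example that is not code from this thread or from Spring Security OAuth. Every type name here (`ClientTokenContext`, `TokenEndpoint`, `InvalidGrantException`, `UserRedirectRequired`) is hypothetical, and the server is an in-memory stub using the 30 s / 60 s validity from the post.

```java
import java.time.Instant;

/** Added illustration; none of these types are Spring Security OAuth classes. */
public class RefreshFallbackDemo {
    record Token(String value, Instant expiresAt) {
        boolean expired(Instant now) { return !now.isBefore(expiresAt); }
    }
    /** Stands in for the HTTP 400 error="invalid_grant" response. */
    static class InvalidGrantException extends RuntimeException {
        InvalidGrantException(String msg) { super(msg); }
    }
    /** Tells the caller to send the user through the authorization code flow again. */
    static class UserRedirectRequired extends RuntimeException {}

    interface TokenEndpoint { Token refresh(Token refreshToken, Instant now); }

    static class ClientTokenContext {
        Token access, refresh;

        Token obtainAccessToken(TokenEndpoint endpoint, Instant now) {
            if (access != null && !access.expired(now)) return access;
            access = null;                       // never reuse an expired access token
            if (refresh != null) {
                try {
                    return access = endpoint.refresh(refresh, now);
                } catch (InvalidGrantException e) {
                    refresh = null;              // rejected once: do not send it again
                }
            }
            throw new UserRedirectRequired();    // clean state, start a fresh authorization
        }
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2012-06-07T08:00:00Z");   // constructed timestamp
        // Stub server: only the server decides whether a refresh token is still valid.
        TokenEndpoint server = (rt, now) -> {
            if (rt.expired(now)) throw new InvalidGrantException("Invalid refresh token: " + rt.value());
            return new Token("access-2", now.plusSeconds(30));
        };
        ClientTokenContext ctx = new ClientTokenContext();
        ctx.access = new Token("access-1", t0.plusSeconds(30));    // constructed sample tokens
        ctx.refresh = new Token("refresh-1", t0.plusSeconds(60));
        // 45 s in: access token expired, refresh token still accepted.
        System.out.println(ctx.obtainAccessToken(server, t0.plusSeconds(45)).value());
        try {                                    // 120 s in: both tokens expired
            ctx.obtainAccessToken(server, t0.plusSeconds(120));
        } catch (UserRedirectRequired e) {
            System.out.println("redirect to authorization; refresh cleared = " + (ctx.refresh == null));
        }
    }
}
```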