  • OAuth2Authentication is cached once access token is created

    Hello everyone,

    We are using Spring OAuth2 and have encountered a problem: once an access token is created in the database (we are using JDBCTokenServices), the OAuth2Authentication is saved along with the access token and is never updated. I am not sure whether this is correct from an OAuth perspective. For example, an administrator can revoke some of a user's roles, but all those clients who obtained access tokens with this user's authentication will still be able to perform actions based on these revoked roles.
    Moreover, as we are planning to use refresh tokens in the future, this will mean that clients will be able to do this for a very long time, as refresh tokens' lifetime is typically much more durable than access tokens' lifetime. After looking through the RefreshTokenGranter I've found that it doesn't update the user's authentication and only issues a new access token with the same authentication as before.
    I am thinking about extending the OAuth2AuthenticationManager to always set the actual authorities, but I am still not sure about the propriety of this solution. That's why I've decided to post here and ask for your point of view regarding this.

    Thanks in advance
    Last edited by vkhoroshko; Mar 22nd, 2013, 10:45 AM.

  • #2
    I think you have a valid point. But there is in general no way for the token granter to check the status of the user account before granting a new token - the client sends a refresh token but the user is not authenticated in that channel. The *TokenServices have interfaces that allow you to revoke tokens, so I would expect that you would have to use those in response to some message from the system responsible for managing user accounts (which is nothing to do with OAuth).
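One way to act on the advice in #2, as an added example that is not code from this thread or from the Spring project: when the account-management side reports that a user's authorities changed, look up every access token issued for that user and revoke it through the token services, so the stale OAuth2Authentication stored with the token (and the refresh token that would carry it forward) disappears. The example assumes the spring-security-oauth2 1.0.x API in use at the time of the thread (TokenStore.findTokensByUserName, ConsumerTokenServices.revokeToken as implemented by DefaultTokenServices over a JdbcTokenStore); later versions replaced findTokensByUserName with findTokensByClientIdAndUserName. The onAuthoritiesChanged hook and the UserTokenRevoker class are hypothetical names for the integration point, not Spring types.

```java
import java.util.Collection;

import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;

/**
 * Hypothetical component (not part of Spring OAuth2) that revokes all tokens
 * of a user when the account system reports a change in that user's roles.
 */
public class UserTokenRevoker {

    // The same store the authorization server writes to (e.g. the JdbcTokenStore in use).
    private final TokenStore tokenStore;

    // DefaultTokenServices wired to that store implements ConsumerTokenServices.
    private final ConsumerTokenServices tokenServices;

    public UserTokenRevoker(TokenStore tokenStore, ConsumerTokenServices tokenServices) {
        this.tokenStore = tokenStore;
        this.tokenServices = tokenServices;
    }

    /**
     * Entry point for the account-management message mentioned in #2 (assumed hook).
     *
     * DefaultTokenServices.revokeToken removes the access token and, if one is
     * attached, its refresh token, so a client cannot obtain a fresh access token
     * carrying the old OAuth2Authentication via the refresh grant.
     *
     * @param userName the user whose authorities were changed or revoked
     * @return the number of access tokens that were actually revoked
     */
    public int onAuthoritiesChanged(String userName) {
        // 1.0.x API; on 2.x iterate findTokensByClientIdAndUserName per registered client instead.
        Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByUserName(userName);
        int revoked = 0;
        for (OAuth2AccessToken token : tokens) {
            // revokeToken returns false if the token was already gone (e.g. expired and purged).
            if (tokenServices.revokeToken(token.getValue())) {
                revoked++;
            }
        }
        return revoked;
    }
}
```

The revocation is driven by the account system, not by the token granter, which matches the point in #2: the refresh channel only authenticates the client, so the user's status has to be enforced by removing their tokens at the moment the account changes rather than at the next refresh.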