  • After update to 1.0.4.RELEASE authentication is cached in token?

    Hi,

    A somewhat strange problem arose after we made the jump from 1.0.0RC2 to 1.0.4.RELEASE yesterday. We use the JdbcTokenStore and our access tokens have the default lifetime of 12 hours. Some workflows in our system lead to the user gaining additional privileges (roles, authorities, you name it). Before the change it would suffice for the user to log in* again to generate a new authentication with the updated authorities. After the update the user gets his same old authentication that was initially cached by the token store.

    I know this behavior is the expected outcome and we are responsible for invalidating invalid tokens. It's no big deal. We just override the deserialized authentication in a custom version of the JdbcTokenStore after it comes from the database. But I'm still curious why our workflow worked in 1.0.0RC2 when it shouldn't have. Could someone enlighten me?

    (* = By login I refer to resource owner password grant via a frontend web application that uses the OAuth2Resttemplate internally)
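One way to implement the override the original poster describes, as an added example that is not code from the thread or from Spring Security OAuth itself. It assumes spring-security-oauth2 1.0.x (where OAuth2Authentication is built from an AuthorizationRequest), that the token services read the authentication through the OAuth2AccessToken overload, and a UserDetailsService that returns the user's current authorities:

```java
// Added example (not from the thread). Assumes spring-security-oauth2 1.0.x and a
// UserDetailsService that reflects the user's *current* roles/authorities.
import javax.sql.DataSource;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.JdbcTokenStore;

public class RefreshingJdbcTokenStore extends JdbcTokenStore {

    private final UserDetailsService userDetailsService;

    public RefreshingJdbcTokenStore(DataSource dataSource, UserDetailsService userDetailsService) {
        super(dataSource);
        this.userDetailsService = userDetailsService;
    }

    @Override
    public OAuth2Authentication readAuthentication(OAuth2AccessToken token) {
        // The stored authentication is a snapshot taken when the token was issued.
        OAuth2Authentication stored = super.readAuthentication(token);
        if (stored == null || stored.isClientOnly()) {
            return stored; // nothing to refresh for client-credentials tokens
        }
        Authentication user = stored.getUserAuthentication();
        try {
            UserDetails current = userDetailsService.loadUserByUsername(user.getName());
            if (!current.isEnabled() || !current.isAccountNonLocked()) {
                removeAccessToken(token); // a disabled or locked user loses the token outright
                return null;
            }
            // Rebuild the user authentication with the authorities as they are *now*,
            // keeping the original client/scope request untouched.
            Authentication refreshed = new UsernamePasswordAuthenticationToken(
                    current, user.getCredentials(), current.getAuthorities());
            return new OAuth2Authentication(stored.getAuthorizationRequest(), refreshed);
        } catch (UsernameNotFoundException e) {
            removeAccessToken(token); // the user no longer exists; do not serve the token
            return null;
        }
    }
}
```

This costs one user lookup per resource request, so cache the UserDetailsService if that matters; removing the token when privileges are revoked is the alternative the poster mentions, and the two approaches can be combined.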

  • #2
    RC2 is a long way in the past, and it's possible the DefaultTokenService (or one of the strategies like DefaultAuthorizationRequestManager) changed. Maybe the old access token is being re-used more reliably, which would be the normal expected default behaviour if a token already was granted for the client and scopes requested.

    I note also that 1.0.5.RELEASE is already in the Spring repos (there was a bug in the additional info serialization in 1.0.4, probably won't affect you if you are using password grants).

    • #3
      Originally posted by Dave Syer
      RC2 is a long way in the past
      I know. As you see it took me quite some time to convince my co-workers that we had better update the library. They were already relying on the exact behavior of the library (especially the OAuth2RestTemplate) and feared that some behavioral changes might blow up the whole application. I scoured the changelog though, and from what I read there have only been bugfixes since 1.0.0RC2. Everything worked at first, but when the "principals are not updated" bug (not a bug) appeared they lost faith in the update and were already suggesting going back to the "version where it worked"...

      Originally posted by Dave Syer
      Maybe the old access token is being re-used more reliably, which would be the normal expected default behaviour if a token already was granted for the client and scopes requested.
      Yeah, that's probably it. Thank you for your insight. Will see that we update to 1.0.5 asap even if it doesn't affect us at this time.
      Last edited by a.e; May 2nd, 2013, 04:49 AM.