
  • Correct constraints for database schema

    I used the schema here [1] as the starting point for our implementation. This schema is simply tables with no constraints. I am wondering if there is a more official schema out there to follow.

    We just had an error reported by a user where the system was expecting one row when loading by authentication_id but it got two. I have no idea how this happened and can put a unique constraint on authentication_id, but I'm really wondering what other constraints are missing.

    Code:
    02.04.2014 04:20:34 DEBUG-AuthorizationCodeTokenGranter: [Getting access token for: foobar]
    02.04.2014 04:20:34 ERROR-[dispatcher]: [Servlet.service() for servlet [dispatcher] in context with path [/auth-webapp] threw exception [Request processing failed; nested exception is org.springframework.dao.IncorrectResultSizeDataAccessException
    org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2
        at org.springframework.dao.support.DataAccessUtils.requiredSingleResult(DataAccessUtils.java:74)
        at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:737)
        at org.springframework.security.oauth2.provider.token.JdbcTokenStore.getAccessToken(JdbcTokenStore.java:105)
        at org.springframework.security.oauth2.provider.token.DefaultTokenServices.createAccessToken(DefaultTokenServices.java:75)
        at org.springframework.security.oauth2.provider.token.AbstractTokenGranter.getAccessToken(AbstractTokenGranter.java:68)
        at org.springframework.security.oauth2.provider.token.AbstractTokenGranter.grant(AbstractTokenGranter.java:60)
        at org.springframework.security.oauth2.provider.CompositeTokenGranter.grant(CompositeTokenGranter.java:38)
        at org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(TokenEndpoint.java:100
    [1] https://github.com/spring-projects/s...ces/schema.sql

  • #2
    So we've been hit with this bug. It was intermittent for about a year until we realized what was happening. Basically two threads were trying to register for an access token for the same user. The result was that the affected user was locked out until a.) both tokens expired or b.) I manually flushed the tokens for the affected user from oauth_access_token.

    Our workaround was to extend DefaultTokenServices, and override createAccessToken and refreshAccessToken. It looked something like this:

    Code:
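    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.oauth2.common.OAuth2AccessToken;
    import org.springframework.security.oauth2.provider.AuthorizationRequest;
    import org.springframework.security.oauth2.provider.OAuth2Authentication;
    import org.springframework.security.oauth2.provider.token.DefaultTokenServices;

    // Only one thread at a time may create or refresh a token through this instance.
    class LockingTokenServices extends DefaultTokenServices {

        @Override
        public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
            synchronized (this) {
                // Return the token produced by the parent implementation.
                return super.createAccessToken(authentication);
            }
        }

        @Override
        public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, AuthorizationRequest request) {
            synchronized (this) {
                return super.refreshAccessToken(refreshTokenValue, request);
            }
        }
    }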
    This made sure only one creation/refresh of access token was allowed at a time. I'm sure there are better solutions, but this is what we got to work.

    Thanks,
    Joe



    • #3
      Here's what I'm using but this is by no means definitive so anyone feel free to add to this. I'm not using oauth_client_token so no comment on that.
      oauth_client_details
        client_id: PK, not null
        client_secret: not null
      oauth_access_token
        token_id: PK, not null
        token: not null
        authentication_id: unique, not null
        client_id: not null, FK references oauth_client_details.client_id
        authentication: not null
      oauth_refresh_token
        token_id: PK, not null
        token: not null
        authentication: not null
      Also, you might think that you should be able to add a FK on oauth_refresh_token.token_id which references oauth_access_token.token_id but that doesn't work due to an ordering issue which I cannot recall at the moment.

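
The duplicate-row failure described in the thread, and the effect of the unique constraint on authentication_id listed in #3, as an added example that is not part of the thread or of Spring Security OAuth. It uses an in-memory SQLite stand-in for oauth_access_token with simplified, assumed column types; the helper names (make_store, lookup, store, race) and the sample values are constructed for illustration.

```python
import sqlite3

def make_store(unique_auth_id):
    """Constructed stand-in for oauth_access_token; column types are assumptions."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE NOT NULL" if unique_auth_id else ""
    conn.execute(
        "CREATE TABLE oauth_access_token ("
        " token_id TEXT PRIMARY KEY NOT NULL,"
        " token TEXT NOT NULL,"
        f" authentication_id TEXT {constraint})"
    )
    return conn

def lookup(conn, auth_id):
    """Single-row load by authentication_id, like the failing call in the trace."""
    rows = conn.execute(
        "SELECT token FROM oauth_access_token WHERE authentication_id = ?",
        (auth_id,),
    ).fetchall()
    if len(rows) > 1:
        raise LookupError(f"expected 1, actual {len(rows)}")
    return rows[0][0] if rows else None

def store(conn, token_id, token, auth_id):
    """Insert a token; on a duplicate authentication_id return the winner's token."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO oauth_access_token VALUES (?, ?, ?)",
                (token_id, token, auth_id),
            )
        return token
    except sqlite3.IntegrityError:
        return lookup(conn, auth_id)

def race(unique_auth_id):
    """Two requests both see 'no token yet' before either one inserts."""
    conn = make_store(unique_auth_id)
    auth_id = "auth-foobar"  # constructed sample value
    # Interleaving of the race: both lookups run first and find nothing.
    assert [lookup(conn, auth_id), lookup(conn, auth_id)] == [None, None]
    issued = [
        store(conn, "t1", "token-A", auth_id),
        store(conn, "t2", "token-B", auth_id),
    ]
    return conn, auth_id, issued
```

Without the constraint both inserts succeed and every later lookup for that user fails; with it, the second writer gets an integrity error and both requests end up with the same token.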