Expected Behavior

  • update the expiration time of the access token every time you log in again
  • use the existing access token and set a new expiration time for the access token every time you log in again

Current Behavior

  • use the existing access token and the expiration time of the existing access token every time you log in again
  • If you use the old expiration time every time you log in, you may get an access token that is about to expire when you log in

Context

Or I hope someone can explain what factors were considered in using the old expiration time.

When I use automated testing, the expiration time of the obtained access token is very short, and then an invalid token error occurs in the middle.

Comment From: marcusdacoregio

Hi @javasingle.

Can you explain in more detail what you are trying to achieve? I don't know if I understand your use case correctly. Which module are you using? If you can provide a minimal reproducible sample it would be even better.

Comment From: javasingle

Hi @marcusdacoregio, thank you very much for your reply. I am using the spring oauth2 authorization code mode. The problem I encounter is that when I log in successfully and get the access token, if my current user has already logged in, I get the existing access token corresponding to the user, and the expiration time of the access token is the expiration time of the existing access token. In this case, there is a certain probability that the access token obtained is about to expire. In my opinion, shouldn't the expiration time of the token be refreshed when the login succeeds in obtaining the token? For the specific code, refer to org.springframework.security.oauth2.provider.token.DefaultTokenServices#createAccessToken()

    @Transactional
    public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {

        OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
        OAuth2RefreshToken refreshToken = null;
        if (existingAccessToken != null) {
            if (existingAccessToken.isExpired()) {
                if (existingAccessToken.getRefreshToken() != null) {
                    refreshToken = existingAccessToken.getRefreshToken();
                    // The token store could remove the refresh token when the
                    // access token is removed, but we want to
                    // be sure...
                    tokenStore.removeRefreshToken(refreshToken);
                }
                tokenStore.removeAccessToken(existingAccessToken);
            }
            else {
                // Re-store the access token in case the authentication has changed
                // (the existing token is returned with its original expiration time)
                tokenStore.storeAccessToken(existingAccessToken, authentication);
                return existingAccessToken;
            }
        }
        // ... remainder of the method (creation of a new token) not included in this excerpt

and org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore#storeAccessToken()

            conn.sAdd(clientId, serializedAccessToken);
            if (token.getExpiration() != null) {
                // TTL of every Redis key is derived from the token's remaining lifetime
                int seconds = token.getExpiresIn();
                conn.expire(accessKey, seconds);
                conn.expire(authKey, seconds);
                conn.expire(authToAccessKey, seconds);
                conn.expire(clientId, seconds);
                conn.expire(approvalKey, seconds);
            }
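
The reuse branch quoted above, modelled in a self-contained example that is not Spring's code and not part of the original thread. It uses an injectable clock to show the reported effect (a second login shortly before expiry returns a token with only a few seconds left) next to one mitigation: a configurable minimum remaining lifetime (the `minRemaining` name is an assumption) below which the stored token is treated as expired and a fresh one is minted.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Constructed model of the DefaultTokenServices.createAccessToken() reuse logic; not Spring's classes.
public class TokenReuseDemo {
    static final class AccessToken {
        final String value;
        final Instant expiration;
        AccessToken(String value, Instant expiration) { this.value = value; this.expiration = expiration; }
        // Equivalent of OAuth2AccessToken.getExpiresIn(): seconds of life left at the given moment
        long expiresIn(Instant now) { return Math.max(0, Duration.between(now, expiration).getSeconds()); }
    }

    private final Map<String, AccessToken> store = new HashMap<>(); // stands in for the TokenStore
    private final Duration validity;
    private final Duration minRemaining; // Duration.ZERO reproduces the behaviour reported above
    private int counter = 0;

    TokenReuseDemo(Duration validity, Duration minRemaining) {
        this.validity = validity;
        this.minRemaining = minRemaining;
    }

    // Reuse the stored token unless it is expired, or will expire within minRemaining.
    AccessToken createAccessToken(String user, Instant now) {
        AccessToken existing = store.get(user);
        if (existing != null && existing.expiration.isAfter(now.plus(minRemaining))) {
            return existing; // same token value, same old expiration time
        }
        AccessToken fresh = new AccessToken(user + "-token-" + (++counter), now.plus(validity));
        store.put(user, fresh);
        return fresh;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2023-01-01T00:00:00Z"); // constructed timestamp
        Instant secondLogin = t0.plusSeconds(3550);          // 50 s before a 3600 s token expires

        TokenReuseDemo asIs = new TokenReuseDemo(Duration.ofSeconds(3600), Duration.ZERO);
        asIs.createAccessToken("alice", t0);
        AccessToken reused = asIs.createAccessToken("alice", secondLogin);
        System.out.println("as-is: expires_in=" + reused.expiresIn(secondLogin));

        TokenReuseDemo guarded = new TokenReuseDemo(Duration.ofSeconds(3600), Duration.ofMinutes(5));
        guarded.createAccessToken("alice", t0);
        AccessToken minted = guarded.createAccessToken("alice", secondLogin);
        System.out.println("guarded: expires_in=" + minted.expiresIn(secondLogin));
    }
}
```

The first run prints the short remaining lifetime the issue describes; the second shows the guarded variant handing out a full-lifetime token instead, at the cost of invalidating the old one for any client still holding it.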

Comment From: sjohnr

@javasingle, thanks for reaching out. I believe this question pertains to the spring-security-oauth project, which is end-of-life. See the migration guide. I'm going to close this issue, but feel free to comment and let me know if I misunderstood anything from your request.