I don't think a never-expiring bean is possible in the current implementation (nor does the current spec allow this, I *think*). However, you could define your own token details service bean, set its accessTokenValiditySeconds property to a very large value (this should set the expiry time accordingly) and pass this bean to your resource-server definition as the token-services-ref.
Originally Posted by Sharishetty
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RandomValueTokenServices">
  <property name="tokenStore">
    <bean class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
  </property>
  <!-- access token lifetime, in seconds -->
  <property name="accessTokenValiditySeconds" value="30000" />
</bean>
<oauth:resource-server id="resourceServerFilter" resource-id="yourCoolResource" token-services-ref="tokenServices" />
In the default random value token service implementation, if the token expires and an attempt is made to use it, the token would be automatically removed from the token store.
2. If 1 is not possible and the only way is to set the expiration time on the access token to a large interval, then is there a way to remove the token if it is not used for some time (say 2 hours)?
On one level I do not understand this question. OAuth is session agnostic. The only things that matter are the validity and life span of the token, not the user's (the resource owner's) session.
3. We have implemented our own service to log out, which removes the access token. Is that the right way to do it, or does Spring Security provide any other way of doing it?
If you do want to do it, spring-security-oauth, AFAIK, does not provide anything to do that. You could define a success-handler-ref for your logout handler in the spring-security configuration and take care of this.
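Added example, not part of the original reply and not spring-security-oauth's own code: a logout success handler of the kind suggested above, which hands the caller's bearer token to a revocation service once logout completes. `TokenRevocationService` is a hypothetical interface standing in for the poster's own token-removal service, and the token is assumed to arrive in an `Authorization: Bearer ...` header.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/** Hypothetical: stands in for your own service that deletes a token from the token store. */
interface TokenRevocationService {
    void revoke(String accessTokenValue);
}

/** Revokes the caller's bearer token once Spring Security has finished the logout. */
public class TokenRevokingLogoutSuccessHandler implements LogoutSuccessHandler {

    // Assumption: clients send the token as "Authorization: Bearer <token>".
    private static final String BEARER_PREFIX = "Bearer ";

    private final TokenRevocationService revocationService;

    public TokenRevokingLogoutSuccessHandler(TokenRevocationService revocationService) {
        this.revocationService = revocationService;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException {
        String token = extractBearerToken(request.getHeader("Authorization"));
        if (token != null) {
            // Remove the token so it cannot be replayed; never log its value.
            revocationService.revoke(token);
        }
        // Same response whether or not a token was present, and never cached.
        response.setHeader("Cache-Control", "no-store");
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Returns the token from a Bearer header, or null if the header is absent or malformed. */
    static String extractBearerToken(String header) {
        // The scheme name is matched case-insensitively.
        if (header == null
                || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return null;
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        return token.isEmpty() ? null : token;
    }
}
```

Register the handler as a bean and reference it from the logout element's success-handler-ref attribute in the Spring Security configuration.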