Feb 10th, 2012, 06:33 PM
JdbcAuthorizationCodeServices Auth Code removal
I am using the SpringSource-spring-security-oauth-cb957a1 build to test out replacing the InMemory token store, client details and authorization code services in the sparklr2 and tonr2 samples. I was under the impression that the authorization tokens were to be relatively long lived and the access tokens' TTL would be brief. I may be wrong, but once the tonr user is authenticated, the authorization code (OAUTH_CODE table) is inserted and after it is used for the creation of the access token, it is removed. Should the OAUTH_CODE records persist for a longer period of time? Even with persisting the tokens, the authorization does not span the session. Sorry if I am misunderstanding the usage of the records in the OAUTH_CODE table and thanks for the help.
Feb 11th, 2012, 06:44 AM
Your terminology is a little muddled, so maybe you should sync with the spec. An access token has a (configurable) expiry time and is used to access resources on behalf of a user. An authorization code is one way for a client to obtain an access token and it only exists typically for a short period, while the user is approving the token grant. I don't really see much need for the JdbcAuthorizationCodeServices in practice (it's only used by the Auth server, so unless your Auth server is *so* busy it has to scale horizontally, or be really careful with heap memory, the in-memory version should be fine).
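The behaviour discussed in this thread, as an added example that is not part of either post and not Spring Security OAuth's own code: a stand-alone in-memory store showing why a code record disappears once it has been exchanged for an access token. The class name `OneTimeCodeStore`, its methods, the one-minute TTL and the sample user are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical single-use authorization code store (not the library's class). */
public class OneTimeCodeStore {
    private record Pending(String clientId, String userId, Instant expiresAt) {}

    private final ConcurrentHashMap<String, Pending> codes = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;
    private final Clock clock;

    public OneTimeCodeStore(Duration ttl, Clock clock) {
        this.ttl = ttl;
        this.clock = clock;
    }

    /** Called when the user approves the grant; the code is bound to one client. */
    public String issue(String clientId, String userId) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        codes.put(code, new Pending(clientId, userId, clock.instant().plus(ttl)));
        return code;
    }

    /** Called by the token endpoint. The record is removed before any other
     *  check, so a second presentation of the same code always fails. */
    public Optional<String> consume(String code, String clientId) {
        Pending p = codes.remove(code); // atomic: only one caller gets the record
        if (p == null) return Optional.empty();                               // unknown or already used
        if (clock.instant().isAfter(p.expiresAt())) return Optional.empty();  // expired
        if (!p.clientId().equals(clientId)) return Optional.empty();          // issued to another client
        return Optional.of(p.userId());
    }

    public static void main(String[] args) {
        OneTimeCodeStore store = new OneTimeCodeStore(Duration.ofMinutes(1), Clock.systemUTC());
        String code = store.issue("tonr", "sample-user"); // constructed sample values
        System.out.println("first exchange: " + store.consume(code, "tonr"));
        System.out.println("replayed code:  " + store.consume(code, "tonr"));
    }
}
```

The lifetime that matters after the exchange is the access token's configurable expiry; the code only has to survive the redirect from user approval to the token request.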