Oct 10th, 2012, 09:52 AM
token expiration: 'covered' by another exception
In my resource server, when DefaultTokenService.loadAuthentication() checks the access token and notices that it has expired, it throws InvalidTokenException with the message "Access token expired".
But then, when it is caught by the OAuthRestTemplate, it throws a brand-new OAuth2AccessDeniedException with the message "Invalid token for client...". There is no trace of the token expiration ... the user will have no knowledge of why the token has no access.
Is it a bug?
Oct 10th, 2012, 11:40 AM
Maybe. My argument against is just that the OAuth2RestTemplate should try to re-authenticate if it gets an OAuth2AccessDeniedException so it really shouldn't matter what the underlying problem was. It only retries once. So if you can think of a scenario where the second failure should reveal the detail of the expiry then maybe we should talk about it in JIRA.