Mar 22nd, 2013, 03:30 AM
OAuth2Authentication is cached once access token is created
We are using Spring OAuth2 and have encountered a problem: once an access token is created in the database (we are using JDBCTokenServices), the OAuth2Authentication is saved along with the access token and is never updated. I am not sure whether this is correct from an OAuth perspective. For example, an administrator can revoke some user's roles, but all the clients that obtained access tokens with this user's authentication will still be able to perform actions based on these revoked roles.
Moreover, as we are planning to use refresh tokens in the future, this will mean that clients will be able to do this for a very long time, as a refresh token's lifetime is typically much longer than an access token's lifetime. After looking through the RefreshTokenGranter I've found that it doesn't update the user's authentication and only issues a new access token with the same authentication as before.
I am thinking about extending the OAuth2AuthenticationManager to always set the actual authorities, but I am still not sure about the propriety of this solution. That's why I've decided to post here and ask for your point of view regarding this.
Thanks in advance
Last edited by vkhoroshko; Mar 22nd, 2013 at 10:45 AM.
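The approach the post is considering (re-evaluating the user's authorities instead of trusting the ones stored with the token) can be done without touching OAuth2AuthenticationManager itself: wrap the ResourceServerTokenServices it delegates to. The following is an added example written for this thread, not code from the Spring Security OAuth project or from the poster. It assumes the spring-security-oauth2 2.x API (OAuth2Authentication.getOAuth2Request(), ResourceServerTokenServices with both loadAuthentication and readAccessToken) and that the resource server has a UserDetailsService that reflects the current state of the account; the class name FreshAuthoritiesTokenServices is made up.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/**
 * Decorator around the ResourceServerTokenServices the resource server already uses
 * (for example DefaultTokenServices backed by JdbcTokenStore). The OAuth2Authentication
 * stored with the token is used only to identify the user and the original OAuth2Request
 * (client, scopes, resource ids); the authorities that end up in the SecurityContext are
 * reloaded from the UserDetailsService on every request, so a role an administrator
 * revoked stops working on the next call even though the token row is unchanged.
 * (Example class for this thread; name and wiring are assumptions.)
 */
public class FreshAuthoritiesTokenServices implements ResourceServerTokenServices {

    private final ResourceServerTokenServices delegate;
    private final UserDetailsService userDetailsService;

    public FreshAuthoritiesTokenServices(ResourceServerTokenServices delegate,
                                         UserDetailsService userDetailsService) {
        this.delegate = delegate;
        this.userDetailsService = userDetailsService;
    }

    @Override
    public OAuth2Authentication loadAuthentication(String accessToken) {
        OAuth2Authentication stored = delegate.loadAuthentication(accessToken);
        if (stored.isClientOnly()) {
            // client_credentials token: there is no user behind it, nothing to refresh
            return stored;
        }
        String username = stored.getUserAuthentication().getName();
        UserDetails current;
        try {
            current = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // account deleted after the token was issued: the token must not work any more
            throw new InvalidTokenException("User no longer exists: " + username, e);
        }
        if (!current.isEnabled() || !current.isAccountNonLocked() || !current.isAccountNonExpired()) {
            throw new InvalidTokenException("Account disabled, locked or expired: " + username);
        }
        // Rebuild the user side of the authentication with the authorities the account has now.
        // Credentials are not stored with the token and are not needed here, hence null.
        Authentication refreshed = new UsernamePasswordAuthenticationToken(
                current, null, current.getAuthorities());
        // OAuth2Authentication takes its authorities from the user authentication when one
        // is present, so the refreshed roles are what the resource server's access rules see.
        return new OAuth2Authentication(stored.getOAuth2Request(), refreshed);
    }

    @Override
    public OAuth2AccessToken readAccessToken(String accessToken) {
        return delegate.readAccessToken(accessToken);
    }
}
```

Register this bean as the tokenServices of the resource server in place of DefaultTokenServices; the scopes and resource-id checks performed by OAuth2AuthenticationManager keep working because the OAuth2Request is passed through untouched. Two caveats: this costs one user lookup per request (a short-lived cache in the UserDetailsService is the usual mitigation), and it only changes what a presented token is allowed to do on this resource server, it does not invalidate the token or its refresh token in the store.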
Mar 22nd, 2013, 11:22 AM
I think you have a valid point. But there is in general no way for the token granter to check the status of the user account before granting a new token - the client sends a refresh token, but the user is not authenticated in that channel. The *TokenServices have interfaces that allow you to revoke tokens, so I would expect that you would have to use those in response to some message from the system responsible for managing user accounts (which is nothing to do with OAuth).
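A concrete form of the revocation the reply suggests, written as an added example for this thread rather than code from the Spring Security OAuth project: whatever component in the account-management system handles "roles removed" or "account disabled" calls revokeAllTokensFor(username), and every access token and refresh token issued to that user is removed from the TokenStore. It assumes the spring-security-oauth2 2.x TokenStore API (findTokensByUserName, removeAccessToken, removeRefreshToken) and a JdbcTokenStore whose oauth_access_token table carries the user_name column that findTokensByUserName queries; the class name UserTokenRevoker is made up.

```java
import java.util.Collection;

import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.token.TokenStore;

/**
 * Revokes every access token and refresh token that was issued to a user.
 * Intended to be called from the handler of an administrative event (role revoked,
 * account disabled, password reset) in the user-management system, which is the
 * only place that knows the account's state changed.
 * (Example class for this thread; the name is an assumption.)
 */
public class UserTokenRevoker {

    private final TokenStore tokenStore;

    public UserTokenRevoker(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    /**
     * Removes all tokens belonging to the given user.
     *
     * @return the number of access tokens that were removed
     */
    public int revokeAllTokensFor(String username) {
        Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByUserName(username);
        int revoked = 0;
        for (OAuth2AccessToken token : tokens) {
            // Remove the refresh token as well, not just the access token: a surviving
            // refresh token would let the client obtain a brand-new access token carrying
            // the stale authentication (RefreshTokenGranter reuses it, as noted above).
            OAuth2RefreshToken refresh = token.getRefreshToken();
            if (refresh != null) {
                tokenStore.removeRefreshToken(refresh);
            }
            tokenStore.removeAccessToken(token);
            revoked++;
        }
        return revoked;
    }
}
```

This is the complement of reloading authorities on the resource server: reloading limits what an existing token may do, revocation makes the token and its refresh token stop working everywhere the same store is consulted. With JdbcTokenStore both operations are plain deletes, so the next resource request with a revoked token fails in loadAuthentication with an invalid-token error; if the resource server caches loaded authentications, revocation is only as fast as that cache's expiry.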