Open mgillian opened 7 years ago
The existing serializer is intended only to be used for responses from the token endpoint, not for general storage of the token itself. We do have a serializer in org.mitre.oauth2.view.TokenAPIView that's used in the API and in the org.mitre.openid.connect.service.impl.MITREidDataService_1_* classes that are used in the data import/export API.
If you would like to provide a Jackson serializer/deserializer in a pull request, we could consider it for inclusion, though most of the rest of the project doesn't use Jackson directly.
OAuth2AccessTokenEntity has JSON Serializers and Deserializers attached directly to the class. Performing an ObjectMapper.writeValueAsString() generates a JSON String that does not have all of the data. Taking that string and trying to create an OAuth2AccessTokenEntity object with the ObjectMapper fails, returning a class cast exception:
```java
OAuth2AccessTokenEntity token = mapper.readValue(accessTokenString, OAuth2AccessTokenEntity.class);
```
Error: java.lang.ClassCastException: org.springframework.security.oauth2.common.DefaultOAuth2AccessToken cannot be cast to org.mitre.oauth2.model.OAuth2AccessTokenEntity
The Serializer/Deserializer are looking for classes that implement the OAuth2AccessToken interface. Both DefaultOAuth2AccessToken and OAuth2AccessTokenEntity implement this interface, but the structures are different. Please replace the attached serializers/deserializers with ones that can handle the OAuth2AccessTokenEntity or provide a mechanism for converting OAuth2AccessTokenEntity to/from JSON. Same request applies to OAuth2RefreshTokenEntity and any classes that are needed to serialize.
The problem that I'm trying to resolve is that I would like to store the Access and Refresh tokens in a Redis cache, replacing JpaOAuth2TokenRepository with my own implementation of OAuth2TokenRepository.
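The failure reported above, reproduced as an added example that is not code from this project or from either participant, followed by one way to get a storage-format mapper using a Jackson mix-in. `Token`, `DefaultToken`, `EntityToken`, `EndpointSer`, `EndpointDeser` and `StorageMixin` are hypothetical stand-ins for the interface and classes named in the issue, the sample values are constructed, and Jackson 2.x databind is assumed to be on the classpath.

```java
import com.fasterxml.jackson.core.*;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.annotation.*;
import java.io.IOException;

public class TokenStorageJsonDemo {
    // Hypothetical stand-in for the token interface: endpoint-format (de)serializers attached.
    @JsonSerialize(using = EndpointSer.class) @JsonDeserialize(using = EndpointDeser.class)
    public interface Token { String getValue(); }

    // Hypothetical stand-in for the default token implementation.
    public static class DefaultToken implements Token {
        private final String value;
        DefaultToken(String value) { this.value = value; }
        public String getValue() { return value; }
    }
    // Hypothetical stand-in for the entity: inherits the interface annotations, has extra state.
    public static class EntityToken implements Token {
        public String value; public String clientId;
        public String getValue() { return value; }
    }
    public static class EndpointSer extends JsonSerializer<Token> {
        @Override public void serialize(Token t, JsonGenerator g, SerializerProvider s) throws IOException {
            g.writeStartObject(); g.writeStringField("access_token", t.getValue()); g.writeEndObject();
        }
    }
    public static class EndpointDeser extends JsonDeserializer<Token> {
        @Override public Token deserialize(JsonParser p, DeserializationContext c) throws IOException {
            JsonNode n = p.readValueAsTree();
            return new DefaultToken(n.path("access_token").asText()); // always builds the default type
        }
    }
    // Mix-in: switch the inherited (de)serializers off for the entity, on one mapper only.
    @JsonSerialize(using = JsonSerializer.None.class) @JsonDeserialize(using = JsonDeserializer.None.class)
    abstract static class StorageMixin {}

    public static void main(String[] args) throws Exception {
        EntityToken in = new EntityToken(); in.value = "constructed-token"; in.clientId = "constructed-client";
        ObjectMapper plain = new ObjectMapper();
        String lossy = plain.writeValueAsString(in);  // endpoint format: clientId is dropped
        try { EntityToken t = plain.readValue(lossy, EntityToken.class); }
        catch (ClassCastException e) { System.out.println("as reported: " + e); }
        // Storage mapper: default bean (de)serialization for the entity, endpoint format untouched.
        ObjectMapper storage = new ObjectMapper().addMixIn(EntityToken.class, StorageMixin.class);
        String full = storage.writeValueAsString(in);
        EntityToken out = storage.readValue(full, EntityToken.class);
        System.out.println(lossy + "\n" + full + "\n" + out.clientId);
    }
}
```

The mix-in is registered only on the storage mapper, so any mapper used for token endpoint responses keeps the endpoint-format serializer.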