spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Why does ACCESS_TO_REFRESH have the same expiry time as the refresh token, not the access token? #1954

Open nl594 opened 2 years ago

nl594 commented 2 years ago

ACCESS_TO_REFRESH has the same expiry time as the refresh token, not the access token. The access token xxx may already have expired in Redis, but access_to_refresh:xxx is still in Redis. What is access_to_refresh:xxx used for? I think access_to_refresh:xxx should have the same expiry time as access token xxx: if access token xxx has expired, access_to_refresh:xxx needs to expire too. Otherwise, it will occupy Redis space.

Can anyone explain this?

https://github.com/spring-projects/spring-security-oauth/blob/2b58aafecac336e82f20ea43da9b208b0a4a40dd/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java#L232

nl594 commented 2 years ago

The following issue has this question: https://github.com/spring-projects/spring-security-oauth/issues/1908

And I do not think the following commit fixes it, because the method RedisTokenStore.removeRefreshToken may not be called. https://github.com/spring-projects/spring-security-oauth/issues/1836