spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

NPE on token invalidation #1653

Closed vgagara-talend closed 3 months ago

vgagara-talend commented 3 months ago

Describe the bug

NPE happened at this line if access token is not available (e.g. it was expired and cleaned up) but refresh token is present.

To Reproduce

  1. Perform usual authorization code flow which generates access/refresh tokens
  2. Wait some time for access token expiration (e.g. if implemented, access token is cleaned up when expired)
  3. Call /token endpoint one more time with old authorization code

Expected behavior

No NPE in the logs

jgrandja commented 3 months ago

@vgagara-talend An OAuth2Authorization is in an invalid state when an OAuth2RefreshToken exists but an OAuth2AccessToken does not exist. An OAuth2AccessToken should always exist even if it's expired.

The custom implementation of:

if implemented, access token is cleaned up when expired

should be fixed to remove the OAuth2Authorization when all tokens are no longer valid.

I'm going to close this based on the explanation provided.
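One way to implement the cleanup the maintainer describes, as an added example that is neither the reporter's custom implementation nor Spring Authorization Server's own code. It uses the public OAuth2Authorization and OAuth2AuthorizationService API and assumes the caller supplies the candidate records (the service interface has no listing method); the class name is hypothetical.

```java
import java.util.List;

import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;

/**
 * Hypothetical cleanup job: removes a whole OAuth2Authorization once none of its
 * tokens is usable, instead of deleting the access token alone and leaving a
 * refresh-token-only record behind (the invalid state that triggers the NPE).
 */
public class ExpiredAuthorizationCleaner {

    private final OAuth2AuthorizationService authorizationService;

    public ExpiredAuthorizationCleaner(OAuth2AuthorizationService authorizationService) {
        this.authorizationService = authorizationService;
    }

    /** True when the record keeps no token that could still be presented to the server. */
    static boolean allTokensInactive(OAuth2Authorization authorization) {
        // Invariant from the maintainer's reply: the access token must stay in the record
        // (even expired) as long as the refresh token is alive; only the whole record goes.
        boolean hasActive = false;
        hasActive |= isActive(authorization.getAccessToken());
        hasActive |= isActive(authorization.getRefreshToken());
        hasActive |= isActive(authorization.getToken(OAuth2AuthorizationCode.class));
        hasActive |= isActive(authorization.getToken(OidcIdToken.class));
        return !hasActive;
    }

    private static boolean isActive(OAuth2Authorization.Token<?> token) {
        // A token slot that was never issued does not keep the authorization alive;
        // isActive() is false once the token is expired, invalidated or not yet valid.
        return token != null && token.isActive();
    }

    /** Removes whole records; never strips a single token out of a saved authorization. */
    public int cleanUp(List<OAuth2Authorization> candidates) {
        int removed = 0;
        for (OAuth2Authorization authorization : candidates) {
            if (allTokensInactive(authorization)) {
                authorizationService.remove(authorization);
                removed++;
            }
        }
        return removed;
    }
}
```

A record whose refresh token is still active is left untouched, expired access token included, so a later /token call finds both tokens present as the framework expects.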