Closed gvermoen closed 3 years ago
The current implementation always retrieves a new access token (unless it actually expired, which is even worse).
Where do you see it getting the access token all the time? This is a connection factory, mostly a singleton. Each time one is requesting a connection on it, it checks if the access token is expired; if not, it will use a refresh token or user/password to get a new access token.
> each time one is requesting a connection on it checks if the access token is expired,
This is where the problem is, actually. The method `isAccessTokenValid()` will always return false on tokens that are not expired, because `accessGrant.getExpireTime()` is a date in the future, so the expression `accessGrant.getExpireTime() < System.currentTimeMillis()` will only return true when the current time has exceeded the expire time (which is when the token is expired). So the result is that `refreshAccessToken()` is always invoked each time one is requesting a connection and a non-expired token is present.
BTW, if you use Spring's `OAuth2AuthorizedClientManager`, this is all done for you automagically.
Thanks for the explanation, I was reading it wrong before.
In `org.springframework.social.oauth2.AccessGrant`, the `expireTime` is calculated like this:

```java
this.expireTime = expiresIn != null ? System.currentTimeMillis() + expiresIn * 1000L : null;
```
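The comparison discussed in this thread, shown next to a corrected form, as an added example that is not code from the project or from any participant. The class name, method names, the 30-second margin and the choice to treat a missing `expires_in` as still valid are assumptions made for illustration; only the `expireTime` arithmetic and the `<` comparison come from the thread.

```java
import java.time.Instant;

public class TokenExpiryCheck {
    // Assumed safety margin: refresh slightly before the real expiry to absorb clock skew.
    static final long SKEW_MS = 30_000L;

    // Same arithmetic as AccessGrant: absolute expiry in epoch millis, or null.
    static Long expireTime(Long expiresInSeconds, long nowMs) {
        return expiresInSeconds != null ? nowMs + expiresInSeconds * 1000L : null;
    }

    // The comparison quoted in the thread: true only once the token HAS expired,
    // so a fresh token is reported invalid and a refresh is triggered every time.
    // Unboxing also throws NullPointerException when expireTime is null.
    static boolean isValidInverted(Long expireTime, long nowMs) {
        return expireTime < nowMs;
    }

    // Corrected: valid while "now plus margin" is still before the expiry.
    // Assumption: a null expiry (no expires_in in the grant) is treated as valid.
    static boolean isValid(Long expireTime, long nowMs) {
        return expireTime == null || nowMs + SKEW_MS < expireTime;
    }

    public static void main(String[] args) {
        // Constructed sample: a one-hour token issued at a fixed instant.
        long issuedAt = Instant.parse("2020-01-01T00:00:00Z").toEpochMilli();
        Long exp = expireTime(3600L, issuedAt);

        // Connection requests at various offsets (seconds) after issuance.
        long[] offsetsSec = {0, 60, 3500, 3590, 3600, 3700};
        int refreshesInverted = 0;
        int refreshesCorrected = 0;
        for (long s : offsetsSec) {
            long now = issuedAt + s * 1000L;
            boolean inverted = isValidInverted(exp, now);
            boolean corrected = isValid(exp, now);
            if (!inverted) refreshesInverted++;
            if (!corrected) refreshesCorrected++;
            System.out.printf("t+%4ds inverted=%-5b corrected=%-5b%n", s, inverted, corrected);
        }
        System.out.println("refreshes triggered, inverted check:  " + refreshesInverted);
        System.out.println("refreshes triggered, corrected check: " + refreshesCorrected);
        System.out.println("no expires_in, corrected check: " + isValid(expireTime(null, issuedAt), issuedAt));
    }
}
```

The refresh counts printed at the end show the operational cost of the inverted check: every request made while the token is still good goes back to the authorization server, and requests made after expiry reuse the stale token.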
The current implementation always retrieves a new access token (unless it actually expired, which is even worse).
Btw, why isn't the refresh token used to refresh the access token, using the OAuth 2.0 Refresh Token Grant?