
I have a Spring application that acts as an OAuth2 client. I implemented a `JdbcClientTokenServices` to persist the tokens for each user that successfully authenticates.

```java
@Bean
public OAuth2RestTemplate restTemplate(OAuth2ClientContext clientContext) {
    OAuth2RestTemplate template = new OAuth2RestTemplate(resource(), clientContext);
    AccessTokenProviderChain accessTokenProvider = new AccessTokenProviderChain(
            Collections.<AccessTokenProvider>singletonList(
                    new AuthorizationCodeAccessTokenProvider()
            ));
    accessTokenProvider.setClientTokenServices(clientTokenServices());
    accessTokenProvider.supportsRefresh(resource());
    template.setAccessTokenProvider(accessTokenProvider);
    return template;
}

@Bean
public JdbcClientTokenServices clientTokenServices() {
    return new JdbcClientTokenServices(dataSource);
}
```

This code makes use of an `oauth_client_token` table. When I looked for the content in this table, I noticed it only saves the access token? I was wondering why the refresh token does not get saved as well, since the refresh token should be longer lived than the access token anyway.

  • 2
    I don't know Spring security (yet) but from the [source](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java) it seems that `JdbcClientTokenServices` stores `OAuth2AccessToken` instances and those have a method `getRefreshToken()` - thus I'd assume that the corresponding refresh token will be saved as well - `SerializationUtils.serialize(accessToken)` should include any potential refresh token. – Thomas Oct 14 '19 at 12:56
  • 2
    In general you'll get a new refresh token when acquiring an access token anyway so it makes sense to store them together. – Thomas Oct 14 '19 at 12:57
  • @Thomas Makes a lot of sense. Thanks for the clarification! – David - ACA Group Oct 14 '19 at 13:04
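
The behaviour described in the comments above, as an added example that is not part of the original thread and not Spring's own code: it round-trips an `OAuth2AccessToken` through the same `SerializationUtils` call the linked source uses and shows that the refresh token travels inside the serialized blob. It assumes spring-security-oauth2 is on the classpath; the class name `RefreshTokenInBlobDemo`, its helper methods and the token values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Date;

import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.SerializationUtils;

public class RefreshTokenInBlobDemo {

    // Same serialization call the linked JdbcClientTokenServices source applies
    // to the access token before writing it to the token column.
    static byte[] toBlob(OAuth2AccessToken token) {
        return SerializationUtils.serialize(token);
    }

    // Reverse step: rebuild the token object from the stored bytes.
    static OAuth2AccessToken fromBlob(byte[] blob) {
        return SerializationUtils.deserialize(blob);
    }

    // True when the given value appears as plain text in the raw bytes.
    static boolean readableInBlob(byte[] blob, String value) {
        return new String(blob, StandardCharsets.ISO_8859_1).contains(value);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tokens.
        DefaultOAuth2AccessToken access = new DefaultOAuth2AccessToken("constructed-access-value");
        access.setExpiration(new Date(System.currentTimeMillis() + 60_000));
        access.setRefreshToken(new DefaultOAuth2RefreshToken("constructed-refresh-value"));

        byte[] blob = toBlob(access);
        OAuth2AccessToken restored = fromBlob(blob);

        // The refresh token is a field of the access token object, so it is
        // restored with it even though the table has no refresh-token column.
        System.out.println("restored refresh token: " + restored.getRefreshToken().getValue());

        // Java serialization does not encrypt: both values are readable in the
        // stored bytes, so the table needs the same protection as the tokens.
        System.out.println("refresh value readable in blob: "
                + readableInBlob(blob, "constructed-refresh-value"));

        // If the authorization server issued no refresh token, none is stored.
        OAuth2AccessToken bare = fromBlob(toBlob(new DefaultOAuth2AccessToken("constructed-access-only")));
        System.out.println("refresh token when none was issued: " + bare.getRefreshToken());
    }
}
```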

0 Answers