
OAuth2Authorization will exist in redis when refresh_token expired #1981


Closed
wzkris opened this issue Apr 18, 2025 · 1 comment
Labels: status: invalid (An issue that we don't feel is valid)

wzkris commented Apr 18, 2025

Describe the bug
When using Redis to store OAuth2Authorization with reuseRefreshTokens set to true, call the refresh endpoint when your refresh token is about to expire. The expiration time of the OAuth2Authorization will be reset, but the expiration time of the refresh token remains unchanged. At this point, once the refresh token's expiration time has passed, the server will deny access, but the OAuth2Authorization still exists in Redis.

To Reproduce

  1. Use the official redis store code
  2. Set TokenSettings#reuseRefreshTokens to true
  3. When the refresh token is about to expire, call the /oauth2/token endpoint with grant_type=refresh_token

Expected behavior
The refresh token should expire at the same time as the OAuth2Authorization, so that both have the same lifetime.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.

@wzkris wzkris added the type: bug A general bug label Apr 18, 2025
@wzkris wzkris changed the title Data will exist in redis when refresh token expired OAuth2Authorization will exist in redis when refresh_token expired Apr 18, 2025
jgrandja (Collaborator) commented

@wzkris

if the time exceeds the expiration time of the refresh token, the server will deny access, but OAuth2Authorization still exists in Redis

Correct. The OAuth2Authorization will still exist in the backing store even if all tokens are expired. This is the expected behaviour. Please see this comment and this comment for further context.

@jgrandja jgrandja self-assigned this Apr 30, 2025
@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Apr 30, 2025
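The maintainer's answer settles the project's behaviour: an OAuth2Authorization may outlive all of its tokens in the backing store. If an operator nevertheless wants the Redis record to disappear with the refresh token, the TTL has to be derived from the tokens rather than reset to a fixed duration on every save. The store below is an added, hypothetical example written for this page; it is not the project's code nor the Redis how-to guide's sample. It assumes Java 17+ (for HexFormat), a RedisTemplate<String, OAuth2Authorization> using the default JDK serializer (OAuth2Authorization is Serializable), a StringRedisTemplate for the token index, and the key prefixes, 30-second grace period and covered token types chosen here. Because a reused refresh token keeps its original expiresAt, each refresh shortens the TTL instead of extending it, which is exactly the gap the reporter observed with a reset TTL.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;
import java.util.Objects;

import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.lang.Nullable;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.server.authorization.*;

/**
 * Hypothetical store (not the project's or the how-to guide's code): every Redis key written for an
 * OAuth2Authorization expires when its longest-lived token does. With reuseRefreshTokens=true the
 * refresh token's expiresAt never moves, so a refresh shortens the TTL rather than resetting it.
 */
public final class ExpiryBoundRedisAuthorizationService implements OAuth2AuthorizationService {

    private static final String AUTHZ_KEY = "oauth2:authorization:";   // assumed key layout
    private static final String TOKEN_KEY = "oauth2:token:";
    // Grace period so a just-expired token is still found and rejected as expired, not as unknown.
    private static final Duration GRACE = Duration.ofSeconds(30);
    private static final List<Class<? extends OAuth2Token>> TOKEN_TYPES = List.of(
            OAuth2AuthorizationCode.class, OAuth2AccessToken.class, OAuth2RefreshToken.class, OidcIdToken.class);

    private final RedisTemplate<String, OAuth2Authorization> authorizations; // id -> serialized authorization
    private final StringRedisTemplate tokenIndex;                            // sha256(token) -> id

    public ExpiryBoundRedisAuthorizationService(RedisTemplate<String, OAuth2Authorization> authorizations,
                                                StringRedisTemplate tokenIndex) {
        this.authorizations = authorizations;
        this.tokenIndex = tokenIndex;
    }

    /** TTL = latest token expiresAt - now (+ grace), clamped at zero. */
    static Duration remainingLifetime(OAuth2Authorization authorization, Instant now) {
        Instant latest = tokens(authorization).stream()
                .map(t -> t.getToken().getExpiresAt())
                .filter(Objects::nonNull)
                .max(Instant::compareTo)
                .orElse(now);
        Duration ttl = Duration.between(now, latest).plus(GRACE);
        return ttl.isNegative() ? Duration.ZERO : ttl;
    }

    @Override
    public void save(OAuth2Authorization authorization) {
        Duration ttl = remainingLifetime(authorization, Instant.now());
        if (ttl.isZero()) {   // nothing in it can still be presented, so do not keep it at all
            remove(authorization);
            return;
        }
        authorizations.opsForValue().set(AUTHZ_KEY + authorization.getId(), authorization, ttl);
        for (OAuth2Authorization.Token<? extends OAuth2Token> token : tokens(authorization)) {
            // Index by SHA-256 of the token value so raw tokens never appear as Redis keys; same TTL.
            tokenIndex.opsForValue().set(tokenKey(token.getToken().getTokenValue()), authorization.getId(), ttl);
        }
    }

    @Override
    public void remove(OAuth2Authorization authorization) {
        authorizations.delete(AUTHZ_KEY + authorization.getId());
        for (OAuth2Authorization.Token<? extends OAuth2Token> token : tokens(authorization)) {
            tokenIndex.delete(tokenKey(token.getToken().getTokenValue()));
        }
    }

    @Override
    @Nullable
    public OAuth2Authorization findById(String id) {
        return authorizations.opsForValue().get(AUTHZ_KEY + id);
    }

    @Override
    @Nullable
    public OAuth2Authorization findByToken(String token, @Nullable OAuth2TokenType tokenType) {
        String id = tokenIndex.opsForValue().get(tokenKey(token));
        OAuth2Authorization authorization = (id == null) ? null : findById(id);
        if (authorization == null || tokenType == null) {
            return authorization;
        }
        // The index does not record which token matched, so honour the requested type here.
        OAuth2Authorization.Token<? extends OAuth2Token> match = authorization.getToken(token);
        return (match != null && matchesType(match.getToken(), tokenType)) ? authorization : null;
    }

    private static boolean matchesType(OAuth2Token token, OAuth2TokenType type) {
        if (OAuth2TokenType.ACCESS_TOKEN.equals(type)) return token instanceof OAuth2AccessToken;
        if (OAuth2TokenType.REFRESH_TOKEN.equals(type)) return token instanceof OAuth2RefreshToken;
        if (OAuth2ParameterNames.CODE.equals(type.getValue())) return token instanceof OAuth2AuthorizationCode;
        if (OidcParameterNames.ID_TOKEN.equals(type.getValue())) return token instanceof OidcIdToken;
        return false;
    }

    private static List<OAuth2Authorization.Token<? extends OAuth2Token>> tokens(OAuth2Authorization authorization) {
        List<OAuth2Authorization.Token<? extends OAuth2Token>> result = new ArrayList<>();
        for (Class<? extends OAuth2Token> type : TOKEN_TYPES) {
            OAuth2Authorization.Token<? extends OAuth2Token> token = authorization.getToken(type);
            if (token != null) result.add(token);
        }
        return result;
    }

    private static String tokenKey(String tokenValue) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(tokenValue.getBytes(StandardCharsets.UTF_8));
            return TOKEN_KEY + HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

Two caveats for anyone adopting this pattern. First, the grace period is a trade-off: with it, a client presenting a just-expired token gets the framework's "expired" response instead of "invalid", but the record lingers for those extra seconds; set it to zero if that lingering is unacceptable. Second, device-flow tokens (OAuth2DeviceCode, OAuth2UserCode) are not in TOKEN_TYPES; add them if the device authorization grant is enabled, otherwise those authorizations would get a TTL of only the grace period.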