Expected Behavior
There should be a mechanism to clean up expired authorizations.
Current Behavior
When an authorization is expired (access and refresh token), it stays in the database forever, which increases the size of the table.
Context
When the server is used with a large number of users, the table with the authorizations gets quite big, which is not necessary and can result in performance issues.
An event-based implementation, like a timer, which cleans the expired authorizations periodically.
For the implementation with the timer I already have an example:
```java
import lombok.RequiredArgsConstructor;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.stereotype.Component;

import java.util.List;

@Component
@RequiredArgsConstructor
public class CleanExpiredTokensService {

    // Custom interface which provides the findAll method; it extends
    // org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService
    private final CustomOAuth2AuthorizationService authorizationService;

    // Requires @EnableScheduling on a configuration class
    @Scheduled(fixedDelay = 10000)
    public void cleanExpiredTokens() {
        List<OAuth2Authorization> authorizations = authorizationService.findAll(); // Custom SQL
        authorizations.stream()
            .filter(authorization -> {
                var authorizationCode = authorization.getToken(OAuth2AuthorizationCode.class);
                var accessToken = authorization.getAccessToken();
                var refreshToken = authorization.getRefreshToken();
                // Attention: when you use the nbf (notBefore) claim, isActive is also false
                // when the token is not active yet. In this case you have to check
                // isInvalidated and isExpired separately.
                boolean authorizationCodeInvalid = authorizationCode == null || !authorizationCode.isActive();
                boolean accessTokenInvalid = accessToken == null || !accessToken.isActive();
                boolean refreshTokenInvalid = refreshToken == null || !refreshToken.isActive();
                return authorizationCodeInvalid && accessTokenInvalid && refreshTokenInvalid;
            })
            .forEach(authorizationService::remove);
    }
}
```
@GrmpfNarf For similar reasons explained in gh-531, cleaning up expired (or invalidated) OAuth2Authorizations is not a feature concern for this project and would therefore not be implemented.
Furthermore, each deployed application will have its own requirements on cleaning up or archiving OAuth2Authorizations. I'm pretty sure a straight delete would not suffice in a production application, as this could result in auditing concerns for the organization.
I'm going to close this, as it is the responsibility of the application to implement a cleanup/archiving process to suit its requirements.
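The two points raised above, the author's nbf caveat (a token whose notBefore is still in the future is inactive but not finished) and the maintainer's auditing concern (a straight delete loses the record), can be combined in one scheduled job. The following is an added example, not code from the issue author or from the Spring Authorization Server project; it assumes the same hypothetical findAll() extension of OAuth2AuthorizationService used in the issue and a hypothetical AuthorizationArchive sink that records each authorization before it is removed.

```java
import java.util.List;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.stereotype.Component;

// Hypothetical extension, as in the issue: adds findAll() to the standard service.
interface CustomOAuth2AuthorizationService extends OAuth2AuthorizationService {
    List<OAuth2Authorization> findAll();
}

// Hypothetical audit sink (e.g. an archive table) that records what is removed and why.
interface AuthorizationArchive {
    void record(OAuth2Authorization authorization, String reason);
}

@Component
public class ExpiredAuthorizationArchiver {

    private final CustomOAuth2AuthorizationService authorizationService;
    private final AuthorizationArchive archive;

    public ExpiredAuthorizationArchiver(CustomOAuth2AuthorizationService authorizationService,
                                        AuthorizationArchive archive) {
        this.authorizationService = authorizationService;
        this.archive = archive;
    }

    // A token is finished only when it is absent, explicitly invalidated, or past exp.
    // isActive() alone is also false while nbf lies in the future, which must not count.
    static boolean finished(OAuth2Authorization.Token<? extends OAuth2Token> token) {
        return token == null || token.isInvalidated() || token.isExpired();
    }

    static boolean allTokensFinished(OAuth2Authorization authorization) {
        return finished(authorization.getToken(OAuth2AuthorizationCode.class))
            && finished(authorization.getAccessToken())
            && finished(authorization.getRefreshToken())
            && finished(authorization.getToken(OidcIdToken.class));
    }

    // Requires @EnableScheduling on a configuration class; runs every 10 minutes.
    @Scheduled(fixedDelay = 600_000)
    public void archiveAndRemove() {
        for (OAuth2Authorization authorization : authorizationService.findAll()) {
            if (allTokensFinished(authorization)) {
                archive.record(authorization, "all tokens expired or invalidated"); // audit trail first
                authorizationService.remove(authorization);
            }
        }
    }
}
```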
Solution ideas
I have two ideas for a solution:
OAuth2AuthorizationCodeRequestAuthenticationProvider.authenticateAuthorizationRequest method: the expired authorizations will be discarded. This is the same logic as in the prior authorization server implementation (https://github.com/spring-projects/spring-security-oauth/blob/2b58aafecac336e82f20ea43da9b208b0a4a40dd/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java#L94).