Spring-security-oauth: Failed to find access token for token $NEW_TOKEN

Created on 19 Jun 2016 · 29 Comments · Source: spring-projects/spring-security-oauth

On my server, every update of the access_token (using the refresh_token) causes an EmptyResultDataAccessException, and the logs show "Failed to find access token for token $NEW_TOKEN".
After investigating and debugging, I found strange behavior in the JdbcTokenStore class:

refresh access token flow:
remove OLD access_token from db using refresh_token --> create NEW access_token --> read OLD access token from db --> insert NEW access_token

The strange behavior is reading the access_token after removing it from the database; code fragment (JdbcTokenStore:144):

```java
public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
    ...
    if (readAccessToken(token.getValue()) != null) {
        removeAccessToken(token.getValue());
    }
    ...
}
```

Please explain: is this a feature or a bug? Or do I have bad OAuth2 settings?

P.S. Refreshing works perfectly in my case, but with this line in the logs.
spring-security-oauth2, version: 2.0.10.RELEASE

waiting-for-triage

All 29 comments

I am facing the same issue. I hope it will be removed in the next release.

I have the same problem when trying to access a resource using `curl http://localhost:8080/usuario -H "Authorization: Bearer 00b19c0fd37b1118d80874e5901af306"`.

Does anyone know what is happening?

This is the problem in the Spring class JdbcTokenStore.

The token value is encoded and does not match the value in the MySQL DB. I need to study the cause.

```java
protected String extractTokenKey(String value) {
    if (value == null) {
        return null;
    }
    MessageDigest digest;
    try {
        digest = MessageDigest.getInstance("MD5");
    }
    catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("MD5 algorithm not available.  Fatal (should be in the JDK).");
    }

    try {
        byte[] bytes = digest.digest(value.getBytes("UTF-8"));
        return String.format("%032x", new BigInteger(1, bytes));
    }
    catch (UnsupportedEncodingException e) {
        throw new IllegalStateException("UTF-8 encoding not available.  Fatal (should be in the JDK).");
    }
}
```

My impressions:

I don't have a problem with the token. The token is stored encrypted in the database and I send the same token as the database; I should use the token returned by the request.

Another thing: I included more security in my OAuth2 class, and my secret is stored encrypted with the code above:

```java
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    oauthServer.passwordEncoder(passwordencoder());
}

@Bean(name = "passwordEncoder")
public PasswordEncoder passwordencoder() {
    return new BCryptPasswordEncoder();
}
```

-- Include more grant types.

```java
.authorizedGrantTypes("password", "authorization_code",
        "refresh_token", "implicit")
```

I am facing the same issue. Although everything works fine, there is a log "JdbcTokenStore]readAccessToken:168 - Failed to find access token for token $$$" both when getting a new token and when refreshing a token.

Is this still unsolved? I am using 'org.springframework.security.oauth:spring-security-oauth2:2.0.11.RELEASE'. I can log in once I delete/restore an empty database, and only 1 time.

The same error for me.

Still facing the issue "JdbcTokenStore - Failed to find access token for token" with spring-security-oauth2-2.0.11.RELEASE. With a REST client it gives the new token, but from form login it throws this error.

I am facing the same issue. Although everything works fine, there is the log
`o.s.s.o.p.t.s.JdbcTokenStore - Failed to find access token for token` when refreshing the token.

Same here

Working fine for me. I used JdbcTokenStore (same DB) for both servers, running on different ports.

Same here with spring-security-oauth 2.1.0.RELEASE

Same here

Experiencing same issue on spring-security-oauth2 (2.0.14.RELEASE)

Any workarounds for this?

same issue here; using

spring-security-oauth2-2.0.3.RELEASE.jar

Turned out this is not an issue in my code but in the request I'm sending.
During token refresh, I just passed the token using the "refresh_token" param not "refresh-token" :)

When I change the param to "refresh-token", then the TokenEndpoint returns 400 Bad request and logs following INFO: "Handling error: InvalidGrantException, Invalid refresh token: null".

"refresh_token" is working but logs "Failed to find access token for token" as INFO in org.springframework.security.oauth2.provider.token.store.JdbcTokenStore#readAccessToken on line 124 (spring-security-oauth2-2.0.12.RELEASE)

Yes, "refresh_token" is right.
Regarding the log "Failed to find access token for token", this is NORMAL during refresh since the new generated access token will be queried from the database to check for duplicates (hence the log). In case another entry is found that uses the same access token, it will be removed (see JdbcTokenStore.java line 144). If no record is found, the access token will be updated to the new generated access token.
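
The refresh sequence described in the comment above, as an added example that is not part of the original thread and not the project's code. It assumes in-memory maps in place of the database, and the class, field and sample token names are hypothetical; only the MD5 token key and the read-before-insert check follow the snippets quoted in this thread.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added illustration: an in-memory stand-in for the JDBC-backed store (hypothetical names).
public class RefreshFlowDemo {
    // token key (MD5 hex of the token value) -> token value; stands in for the access-token table
    private final Map<String, String> byTokenKey = new HashMap<>();
    // refresh token value -> token key of the access token issued with it
    private final Map<String, String> keyByRefresh = new HashMap<>();

    static String extractTokenKey(String value) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5").digest(value.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, d));
    }

    String readAccessToken(String value) throws NoSuchAlgorithmException {
        String found = byTokenKey.get(extractTokenKey(value));
        if (found == null) {
            // Same situation as the INFO line in the issue; this demo prints the key, not the token.
            System.out.println("INFO Failed to find access token for key " + extractTokenKey(value));
        }
        return found;
    }

    void storeAccessToken(String value, String refresh) throws NoSuchAlgorithmException {
        if (readAccessToken(value) != null) {          // duplicate check: a miss is expected for a fresh token
            byTokenKey.remove(extractTokenKey(value));
        }
        byTokenKey.put(extractTokenKey(value), value);
        keyByRefresh.put(refresh, extractTokenKey(value));
    }

    String refresh(String refresh) throws NoSuchAlgorithmException {
        byTokenKey.remove(keyByRefresh.remove(refresh)); // 1. remove OLD access token via refresh token
        String fresh = UUID.randomUUID().toString();     // 2. create NEW access token
        storeAccessToken(fresh, refresh);                // 3. lookup (miss, logged), then 4. insert
        return fresh;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        RefreshFlowDemo store = new RefreshFlowDemo();
        store.storeAccessToken("constructed-old-token", "constructed-refresh-token"); // constructed sample values
        String fresh = store.refresh("constructed-refresh-token");
        System.out.println("stored under key: " + extractTokenKey(fresh));
        System.out.println("lookup by raw value hits: " + (store.readAccessToken(fresh) != null));
    }
}
```

Running it prints the "Failed to find" line once for the initial store and once for the refresh, and the final lookup by raw token value succeeds because the key is recomputed from the value on every read.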

Same here

Same here

Still ...

Same here... After authentication.

Same here.

@reenolesigues so this is normal behaviour? The message could have been clearer.

Same here.
Is there any update on this issue?

Our company just started having this issue this week and we haven't updated our auth server in months! What should we do?

I am facing the same issue with

spring-security-oauth2-2.3.4.RELEASE.jar

Is there any update?

I solved it by setting reuseRefreshTokens false in AuthorizationServerEndpointsConfigurer and setSupportRefreshToken true in DefaultTokenServices:

```java
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
    enhancerChain.setTokenEnhancers(Arrays.asList(accessTokenConverter));
    endpoints.prefix("/ws/book")
            .tokenStore(tokenStore)
            .reuseRefreshTokens(false)
            .exceptionTranslator(exception -> {
                return exceptionOAuth(exception);
            })
            .accessTokenConverter(accessTokenConverter)
            .tokenEnhancer(enhancerChain)
            .authenticationManager(authenticationManager);
}

@Bean
@Primary
public DefaultTokenServices tokenServices() {
    DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
    defaultTokenServices.setTokenStore(tokenStore());
    defaultTokenServices.setSupportRefreshToken(true);
    return defaultTokenServices;
}
```