Spring-security-oauth: DefaultTokenServices should not handle invalid tokens

Created on 24 Apr 2020 · 2 Comments · Source: spring-projects/spring-security-oauth

I think the solution applied to fix https://github.com/spring-projects/spring-security-oauth/issues/1522 is incorrect: by catching all exceptions in DefaultTokenServices, if you have a TokenStore that relies on a database and the database is down, all calls will now return a 401 instead of a proper 500. This is valid for other exceptions and/or TokenStore implementations too.

Returning a 500 is more appropriate and can also trigger backoff strategies client side. On the contrary, getting a 401 when validating a token can trigger a token refresh scenario which would amplify the problem.

I think to solve https://github.com/spring-projects/spring-security-oauth/issues/1522, the proper exception handling should be put only in JwtTokenStore and not in the DefaultTokenServices.

Thanks
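To make the distinction the report draws concrete, here is an added example (not code from this issue, nor from spring-security-oauth itself): a decorator around the resource server's `ResourceServerTokenServices` that converts only token-format problems into `InvalidTokenException` and lets every other runtime exception propagate. The class name `NarrowTokenErrorTranslation` and the choice of `IllegalArgumentException` / `InvalidSignatureException` as the "malformed JWT" cases are assumptions made for the illustration; the Spring classes referenced are the real ones from spring-security-oauth2 and spring-security-jwt.

```java
// Added example, not part of the issue or the project. Wraps an existing
// ResourceServerTokenServices (typically DefaultTokenServices) and keeps the
// 401/500 split the report asks for. Class name is an assumption.
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

public class NarrowTokenErrorTranslation implements ResourceServerTokenServices {

    private final ResourceServerTokenServices delegate;

    public NarrowTokenErrorTranslation(ResourceServerTokenServices delegate) {
        this.delegate = delegate;
    }

    @Override
    public OAuth2Authentication loadAuthentication(String accessToken)
            throws AuthenticationException, InvalidTokenException {
        try {
            return delegate.loadAuthentication(accessToken);
        } catch (InvalidTokenException e) {
            // The delegate already classified this as a bad token: keep it as a 401.
            throw e;
        } catch (IllegalArgumentException | InvalidSignatureException e) {
            // Assumed "token is malformed / signature does not verify" cases, as
            // thrown by JwtHelper and its signature verifiers. These are about the
            // token itself, so a 401 is correct; the cause is kept for the logs.
            throw new InvalidTokenException("Cannot decode access token", e);
        }
        // Everything else (e.g. DataAccessException from a JDBC-backed TokenStore,
        // connection timeouts) is deliberately NOT caught. It propagates out of the
        // filter chain and surfaces as a 500, so a database outage is never reported
        // to clients as an invalid or expired token.
    }

    @Override
    public OAuth2AccessToken readAccessToken(String accessToken) {
        // No translation needed here; pass through unchanged.
        return delegate.readAccessToken(accessToken);
    }
}
```

Wire it in a `ResourceServerConfigurerAdapter` with `resources.tokenServices(new NarrowTokenErrorTranslation(defaultTokenServices))`. With the default `OAuth2AuthenticationProcessingFilter`, an `InvalidTokenException` reaches the authentication entry point and becomes a 401, while any other runtime exception leaves the filter and becomes a 500. A quick regression check is a unit test that stubs the delegate to throw a `DataAccessException` and asserts that the same exception, not an `InvalidTokenException`, comes out of `loadAuthentication`.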

Labels: oauth2, backported, bug

All 2 comments

Thanks for the report @jebeaudet. You are absolutely right. The fix I applied previously was not correct. Sorry about that.

I reverted the original fix and applied the correct fix. This is now in master and backported to 2.4.x.

Thanks a lot @jgrandja !
