I think the solution applied to fix https://github.com/spring-projects/spring-security-oauth/issues/1522 is incorrect. By catching all exceptions in DefaultTokenServices, if you have a TokenStore that relies on a database and the database is down, all calls will now return a 401 instead of a proper 500. This is valid for other exceptions and/or TokenStore implementations too.
Returning a 500 is more appropriate and can also trigger backoff strategies client side. Conversely, getting a 401 when validating a token can trigger a token refresh scenario, which would amplify the problem.
I think to solve https://github.com/spring-projects/spring-security-oauth/issues/1522, the proper exception handling should be put only in JwtTokenStore and not in the DefaultTokenServices.
Thanks
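The behaviour described in the report above, as an added illustration that is not code from the thread or from Spring Security OAuth: the class names (TokenStore, JwtTokenStore, TokenServices, InvalidTokenException) are simplified stand-ins for the real ones, and the "database down" store is a constructed stub.

```java
// Simplified stand-ins, not Spring's classes: show why a blanket catch in the
// token services maps a backend outage to 401, while a narrow catch in the
// JWT store maps only malformed tokens to 401 and lets outages surface as 500.
interface TokenStore { String readAccessToken(String tokenValue); }

class InvalidTokenException extends RuntimeException {
    InvalidTokenException(String msg) { super(msg); }
}

// JWT-backed store: only a malformed JWT is translated to InvalidTokenException.
class JwtTokenStore implements TokenStore {
    public String readAccessToken(String tokenValue) {
        try {
            return decode(tokenValue);
        } catch (IllegalArgumentException e) {  // malformed JWT only
            throw new InvalidTokenException("Cannot convert access token to JSON");
        }
    }
    private String decode(String jwt) {  // hypothetical: header.payload.signature
        if (jwt.split("\\.").length != 3) throw new IllegalArgumentException("bad JWT");
        return jwt;
    }
}

// Constructed stub for a database-backed store whose backend is unreachable.
class DownJdbcTokenStore implements TokenStore {
    public String readAccessToken(String tokenValue) {
        throw new IllegalStateException("connection refused");
    }
}

class TokenServices {
    private final TokenStore store;
    TokenServices(TokenStore store) { this.store = store; }

    // The reverted approach: every failure becomes "invalid token", i.e. 401.
    int statusCatchAll(String token) {
        try { store.readAccessToken(token); return 200; }
        catch (Exception e) { return 401; }
    }
    // The approach argued for: only InvalidTokenException is a 401; anything
    // else (e.g. a database outage) is a 500 so clients back off, not refresh.
    int statusNarrow(String token) {
        try { store.readAccessToken(token); return 200; }
        catch (InvalidTokenException e) { return 401; }
        catch (RuntimeException e) { return 500; }
    }
}

public class Demo {
    public static void main(String[] args) {
        TokenStore down = new DownJdbcTokenStore();
        System.out.println("catch-all, DB down: " + new TokenServices(down).statusCatchAll("a.b.c"));
        System.out.println("narrow, DB down:    " + new TokenServices(down).statusNarrow("a.b.c"));
        System.out.println("narrow, bad JWT:    " + new TokenServices(new JwtTokenStore()).statusNarrow("nope"));
    }
}
```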
Thanks for the report @jebeaudet. You are absolutely right. The fix I applied previously was not correct. Sorry about that.
I reverted the original fix and applied the correct fix. This is now in master and backported to 2.4.x.
Thanks a lot @jgrandja !