After a successful login the restTemplate.getAccessToken() method is called in order to store the token with a provided ClientTokenServices. See OAuth2ClientAuthenticationProcessingFilter.java lines 117 and 118:
// Nearly a no-op, but if there is a ClientTokenServices then the token will now be stored
restTemplate.getAccessToken();
However the ClientTokenServices.saveAccessToken(...) method is never called because the token is obtained directly from the scoped OAuth2ClientContext in OAuth2RestTemplate.
I'm using version 2.0.7 with @EnableOAuth2Sso and a custom ClientTokenServices.
Isn't the problem that the ClientTokenServices is not present in the OAuth2RestTemplate (there isn't one by default if you are using only @Enable* annotations to set it up)?
It's present, I've added it as described in the manual.
I'm more or less convinced that the problem (if there is one) is not in Spring OAuth. I'll try and play with the sample SSO app in Spring Boot to convince myself, and hopefully others.
OK, changed my mind, I see the issue now: there is no Authentication when the token is acquired in the SSO filter, so it can't be saved in the ClientTokenServices until it is available in the security context. All of which raises the question: is ClientTokenServices actually appropriate in an SSO setting?
When will this feature be available? Also, is it safe to store a token based only on authentication.getName(), resource.getClientId() and resource.getScope, as implemented in the DefaultClientKeyGenerator.extractKey method?
I think there is a very good chance of facing collisions between OAuth2 providers in the oauth_client_token table.
What do you think ?
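One way to address the key-collision concern raised above is to plug a custom ClientKeyGenerator into JdbcClientTokenServices so that the resource id of the OAuth2ProtectedResourceDetails becomes part of the stored key. The following is an added example, not code from Spring Security OAuth or from anyone in this thread; it assumes the ClientKeyGenerator interface and the JdbcClientTokenServices.setClientKeyGenerator(...) setter from spring-security-oauth2, and that each provider is configured with a distinct resource id.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.sql.DataSource;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.ClientKeyGenerator;
import org.springframework.security.oauth2.client.token.JdbcClientTokenServices;

/**
 * Added example: a key generator that includes the resource id, so two
 * providers that happen to share a client id, username and scope list do
 * not map to the same row in oauth_client_token.
 */
public class ProviderAwareClientKeyGenerator implements ClientKeyGenerator {

    @Override
    public String extractKey(OAuth2ProtectedResourceDetails resource, Authentication authentication) {
        StringBuilder material = new StringBuilder();

        // The resource id is the per-provider discriminator the default generator lacks.
        material.append("resource_id=").append(resource.getId()).append(';');
        material.append("client_id=").append(resource.getClientId()).append(';');

        // Authentication may be null while the SSO filter is still acquiring the token.
        if (authentication != null) {
            material.append("username=").append(authentication.getName()).append(';');
        }

        // Sort scopes so that ordering differences do not produce different keys.
        List<String> scope = resource.getScope();
        if (scope != null && !scope.isEmpty()) {
            List<String> sorted = new ArrayList<String>(scope);
            Collections.sort(sorted);
            material.append("scope=").append(String.join(" ", sorted)).append(';');
        }

        return sha256Hex(material.toString());
    }

    private static String sha256Hex(String input) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] hash = digest.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(hash.length * 2);
            for (byte b : hash) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    /** Wiring helper (hypothetical name): builds the JDBC store with the custom key generator. */
    public static JdbcClientTokenServices buildClientTokenServices(DataSource dataSource) {
        JdbcClientTokenServices services = new JdbcClientTokenServices(dataSource);
        services.setClientKeyGenerator(new ProviderAwareClientKeyGenerator());
        return services;
    }
}
```

Hashing the concatenated key material keeps the stored key a fixed width regardless of how long the scope list is, and including the resource id means the same user authorising the same client id at two different providers produces two distinct rows rather than one overwriting the other.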
Bump ?
At least please fix the documentation so it's clear that this feature is not available.
"http://projects.spring.io/spring-security-oauth/docs/oauth2.html" section "Persisting Tokens in a Client"
Thanks
What's the status on this issue? I have implemented my custom ClientTokenServices in my client application to enable me to delete the tokens on logout, but it's not working. On checking the login transaction I noticed the ClientTokenServices code is not being executed.