I'm debugging a scenario in my production environment where I intermittently see unexpected HTTP 401 responses from my resource server. I'm using Spring Security OAuth2 (the "old" OAuth libraries; pre Spring Security 5.2.x and its implementation of OAuth2) to handle requests and perform Authn.

What I'm observing is the following:

  1. A user logs in at time x (time in seconds here) and obtains an access token. That access token expires at time x + 900 (15 minute validity).
  2. At time x + 480, the user makes a request to a protected endpoint.
  3. The request takes a long time to complete, such that it's still being processed when the token expires. At time x + 900, the server returns an HTTP 401 response.

Questions:

  1. Is this really how Spring Security OAuth2 works? To be more specific, does it track the token's expiration time and return a 401 if the request is still being processed when the token expires? Or on the other end of the security filter, when the response is being prepared?
  2. Is there a way to disable this behavior, so that the token is only checked when the request is first processed?

1 Answer

I had a look at the source code for spring-security-oauth2 and this is not how it works. The token expiration is only checked one time, at the beginning of processing of the request.

I traced the issue I was having above to a problem in which our server resources were maxed out for a period. When resources (CPU; HTTP request worker threads) became available, the server started processing the request, but by this time the token had expired.
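The behaviour described in this answer, as an added model that is not the spring-security-oauth2 code itself: the bearer token is examined exactly once, when a worker thread starts processing the request, so a handler that is already running keeps going after the token expires, while a request that sat in a saturated worker pool's backlog is checked only when it is finally dequeued. The token times, the single-worker pool and the `expired_while_queued` / `expired_on_arrival` labels are constructed for the illustration (in the original library the one-time check is the `InvalidTokenException` raised by `DefaultTokenServices.loadAuthentication`).

```python
"""Model of a resource server that validates a bearer token once, on entry.
Times are integer seconds, as in the question. Constructed example; not the
Spring Security OAuth2 implementation."""
from dataclasses import dataclass
from typing import Tuple

TOKEN_TTL = 900  # 15-minute validity, as in the question


@dataclass(frozen=True)
class AccessToken:
    value: str
    expires_at: int  # absolute time in seconds

    def is_expired(self, now: int) -> bool:
        return now >= self.expires_at


@dataclass
class Request:
    token: AccessToken
    submitted_at: int     # when the client sent the request
    processing_time: int  # how long the handler runs once a worker picks it up


@dataclass
class Outcome:
    status: int
    reason: str           # "ok", "expired_on_arrival" or "expired_while_queued"
    started_at: int
    finished_at: int
    queue_wait: int       # seconds spent waiting for a free worker


def handle(req: Request, started_at: int) -> Outcome:
    """Mimics the security filter: the token is checked exactly once, when
    processing starts. After that check the handler runs to completion even if
    the token expires while it is running."""
    queue_wait = started_at - req.submitted_at
    if req.token.is_expired(started_at):
        # Distinguish a client that sent a stale token from a token that was
        # still valid on submission but aged out in the backlog (the symptom
        # the answer traced to maxed-out server resources).
        reason = ("expired_on_arrival" if req.token.is_expired(req.submitted_at)
                  else "expired_while_queued")
        return Outcome(401, reason, started_at, started_at, queue_wait)
    return Outcome(200, "ok", started_at, started_at + req.processing_time, queue_wait)


class Server:
    """Fixed-size worker pool with a FIFO backlog. When every worker is busy a
    request waits, and its token is only examined when a worker picks it up."""

    def __init__(self, workers: int):
        self.free_at = [0] * workers  # time at which each worker becomes free

    def submit(self, req: Request) -> Outcome:
        idx = min(range(len(self.free_at)), key=lambda i: self.free_at[i])
        started_at = max(req.submitted_at, self.free_at[idx])
        out = handle(req, started_at)
        self.free_at[idx] = out.finished_at
        return out


def scenario(x: int = 1000) -> Tuple[Outcome, Outcome]:
    """Replays the question's timeline on a healthy and on a saturated server."""
    token = AccessToken("constructed-token", expires_at=x + TOKEN_TTL)
    # Healthy server: the request at x+480 runs for 600 s and finishes at
    # x+1080, long after expiry, yet succeeds because the check ran at x+480.
    healthy = Server(workers=1).submit(Request(token, x + 480, 600))
    # Saturated server: the only worker is tied up until x+905 by an earlier
    # long request, so the request submitted at x+480 is first examined at
    # x+905, after the token expired, and gets a 401.
    busy = Server(workers=1)
    busy.submit(Request(token, x, 905))
    starved = busy.submit(Request(token, x + 480, 10))
    return healthy, starved


if __name__ == "__main__":
    for label, out in zip(("healthy", "starved"), scenario()):
        print(f"{label}: {out.status} {out.reason} queue_wait={out.queue_wait}s")
```

The `reason` field is the piece worth carrying into real logging: a 401 whose token was valid at submission but not at dequeue points at request queuing rather than at the token check, so recording queue wait alongside the rejection lets you tell "clients send stale tokens" apart from "the pool is saturated" without re-reading the filter source.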