Remove OAuth2AuthenticationToken.AccessToken #4522
Closed
jgrandja opened this issue Sep 12, 2017 · 1 comment
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)

@jgrandja
Contributor

jgrandja commented Sep 12, 2017

An AccessToken lives longer than an Authentication. For example, a user's authenticated session may last for an hour, whereas the AccessToken associated with the user and AuthorizedClient may last a day.

We should remove this association and start leveraging SecurityTokenRepository<AccessToken> when the AuthorizedClient needs the AccessToken to make a protected resource call.
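An added illustration of the lifetime mismatch the comment describes (example code written for this page, not Spring Security's own classes): an access token keyed by client registration and principal outlives the user session that obtained it, so a later session can look it up from a token store instead of re-authorizing, and an expired token is never handed back. `AccessToken`, `UserSession`, `AuthorizedClientKey` and `InMemoryAccessTokenRepository` are stand-in types that only model the idea of a `SecurityTokenRepository<AccessToken>`; the timestamps and token value are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Stand-in types for this illustration; they are not Spring Security's API.
public class TokenLifetimeDemo {

    // A bearer access token with its own expiry, independent of any user session.
    record AccessToken(String value, Instant issuedAt, Instant expiresAt) {
        boolean isExpired(Instant now) { return !now.isBefore(expiresAt); }
    }

    // The authenticated user session; it expires on its own, shorter, schedule.
    record UserSession(String principalName, Instant expiresAt) {
        boolean isActive(Instant now) { return now.isBefore(expiresAt); }
    }

    // Lookup key: which client registration the token belongs to, and for which user.
    record AuthorizedClientKey(String registrationId, String principalName) {}

    // Minimal in-memory stand-in for a SecurityTokenRepository<AccessToken>.
    static class InMemoryAccessTokenRepository {
        private final Map<AuthorizedClientKey, AccessToken> store = new ConcurrentHashMap<>();

        void save(AuthorizedClientKey key, AccessToken token) { store.put(key, token); }

        // Returns the token only while it is still valid; an expired token is
        // evicted so a stale credential is never used for a resource call.
        Optional<AccessToken> load(AuthorizedClientKey key, Instant now) {
            AccessToken token = store.get(key);
            if (token == null) return Optional.empty();
            if (token.isExpired(now)) {
                store.remove(key);
                return Optional.empty();
            }
            return Optional.of(token);
        }
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2017-09-12T10:00:00Z"); // constructed timestamp
        InMemoryAccessTokenRepository repo = new InMemoryAccessTokenRepository();
        AuthorizedClientKey key = new AuthorizedClientKey("example-provider", "alice");

        // First session: the token is granted for 24h, the session lasts 1h.
        UserSession session1 = new UserSession("alice", t0.plus(Duration.ofHours(1)));
        AccessToken granted = new AccessToken("constructed-opaque-token", t0, t0.plus(Duration.ofHours(24)));
        repo.save(key, granted);

        // Two hours later the first session is gone, but the token is still valid.
        Instant t1 = t0.plus(Duration.ofHours(2));
        System.out.println("session1 active at t1: " + session1.isActive(t1));
        System.out.println("token available at t1: " + repo.load(key, t1).isPresent());

        // A new session for the same user can reuse the stored token without re-authorizing.
        UserSession session2 = new UserSession("alice", t1.plus(Duration.ofHours(1)));
        repo.load(key, t1).ifPresent(tok ->
            System.out.println("session2 (" + session2.principalName() + ") reuses token issued at " + tok.issuedAt()));

        // A day later the token itself has expired; the next resource call must re-authorize.
        Instant t2 = t0.plus(Duration.ofHours(25));
        System.out.println("token available at t2: " + repo.load(key, t2).isPresent());
    }
}
```

The point of keying the store by registration and principal rather than by the `Authentication` object is that the session object is exactly what does not survive; the repository lookup works from any later session as long as the token has not expired.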

@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Sep 12, 2017
@jgrandja jgrandja added this to the 5.0.0.M4 milestone Sep 12, 2017
@jgrandja jgrandja self-assigned this Sep 12, 2017
@jgrandja jgrandja mentioned this issue Sep 12, 2017
@rwinch rwinch modified the milestones: 5.0.0.M4, 5.0.0.M5 Sep 13, 2017
@jgrandja
Contributor Author

The original comment in this issue is outdated as a result of the restructuring of OAuth2AuthenticationToken c54c622. The new OAuth2ClientAuthenticationToken is composed of a ClientRegistration and AccessToken.

After giving it some further thought, we'll leave things as is. It makes sense to have this association in OAuth2ClientAuthenticationToken as an instance of this Authentication represents an Authorized Client. We are also leveraging SecurityTokenRepository<AccessToken> to save the AccessToken after it's initially granted so it can always be retrieved at a later point or in a subsequent user session.

Closing this and leaving as is.

2 participants