I have a Java application running under Spring 3.x and using the native Spring OAuth2 implementation (JDBC persistence). My application provides a REST interface that partners will use. These applications will have a variable number of threads getting into my application. "Variable" is the main thing. Ideally, I would like one affiliate token to be updated per affiliate (in this case, the affiliate is an end user; they do not work on behalf of a regular user). However, I find that if thread A requests an access_token from my server, token_A is returned. This is normal, but if thread B then requests a token, token_A is invalid and token_B is returned. This obviously upsets stream A.
I read the RFC, and I do not quite understand whether the second call to get an access_token should automatically issue a new token or return an existing, but still valid, token. Actually, how the "implicit" grant_type stream works, but not the refresh_token grant_type stream. I pulled the GitHub source for DefaultTokenServices and it seems that the behavior is unchanged and, I think, wish. So, I have two questions:
- Is issuing a new token (and, therefore, invalidating the older one) both mandatory and desirable?
- How do I get rid of this problem? There should be several scenarios in which multiple threads use the same refresh_token file. How do they work?
The ideal stream, as I see it, would be something like this:
- Thread A is requesting a token. Nothing was found, so a new token is created / returned. Validity - 10 minutes.
- Thread A , 8 .
- Thread B 7 . # 1 ; 3 .
- Thread B , 5
- B, " ", , №1. Thread B 2
- Thread B , 10 .
- Thread B .
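The invalidation described in the question comes from rotating the token on every request. As an added example that is not part of the original post and is not Spring's `DefaultTokenServices`, the sketch below shows the alternative policy: a hypothetical in-memory `ReusingTokenService` that hands every thread of one client the same token while it is still valid and issues a new one only after expiry. The class name, the client id `partner-1` and the 10-minute validity are assumptions for illustration.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory token service; a JDBC-backed store would need the
// same "read, check expiry, issue" step inside one transaction or row lock.
public class ReusingTokenService {
    public static final class Token {
        public final String value;
        public final Instant expiresAt;
        Token(String value, Instant expiresAt) { this.value = value; this.expiresAt = expiresAt; }
    }

    private final ConcurrentHashMap<String, Token> byClient = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration validity;
    private final Clock clock;

    public ReusingTokenService(Duration validity, Clock clock) {
        this.validity = validity;
        this.clock = clock;
    }

    // compute() runs atomically per key, so two threads of the same client
    // cannot race and invalidate each other's token.
    public Token tokenFor(String clientId) {
        return byClient.compute(clientId, (id, current) -> {
            Instant now = clock.instant();
            if (current != null && now.isBefore(current.expiresAt)) {
                return current; // still valid: reuse, do not rotate
            }
            byte[] raw = new byte[32]; // 256 bits from a CSPRNG
            random.nextBytes(raw);
            String value = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            return new Token(value, now.plus(validity));
        });
    }

    public static void main(String[] args) throws Exception {
        ReusingTokenService svc = new ReusingTokenService(Duration.ofMinutes(10), Clock.systemUTC());
        String[] seen = new String[2];
        Thread a = new Thread(() -> seen[0] = svc.tokenFor("partner-1").value);
        Thread b = new Thread(() -> seen[1] = svc.tokenFor("partner-1").value);
        a.start(); b.start(); a.join(); b.join();
        System.out.println("same token for both threads: " + seen[0].equals(seen[1]));
    }
}
```

Reusing one token across threads means a leaked token is valid for every thread of that client until it expires, so the validity period is the bound on exposure.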