I'm using Spring Security OAuth2 as a security layer in my application. Everything worked well until concurrent async calls appeared.
Can someone tell me how to handle the following case:
1. The client has an accessToken which has already expired.
2. The client makes two concurrent async API calls to my API (for example: Thread1, Thread2).
3. Thread1 receives an error, "accessToken expired", before Thread2.
4. By using the refreshToken, Thread1 receives a new accessToken = qqqqq.
5. Thread2 receives an error, "accessToken expired", before Thread1 makes a new call to the server with the new accessToken = qqqqq.
6. By using the refreshToken, Thread2 receives a new accessToken = wwwww and removes the accessToken = qqqqq.
7. Here, Thread1 makes a call to the server with accessToken = qqqqq, which is no longer active.
8. Theoretically, it is quite possible for both threads to loop, invalidating each other.
I would appreciate any help, thanks.
If you've got control over the client then you can attach a version number to the access token - if a thread attempts to refresh the access token using an old version number then the current (recently refreshed) access token is returned instead.
    public class AccessToken {
        private final int currentVersion;
        private final String accessToken;
        private static AccessToken currentToken;

        public AccessToken(int currentVersion, String accessToken) {
            this.currentVersion = currentVersion;
            this.accessToken = accessToken;
        }

        // Only a caller holding the current version performs the refresh; a caller
        // holding a stale version gets the already-refreshed token back instead.
        public static synchronized AccessToken refresh(AccessToken token) {
            if (token.currentVersion == currentToken.currentVersion) {
                String refreshed = requestNewAccessToken();
                currentToken = new AccessToken(currentToken.currentVersion + 1, refreshed);
            }
            return currentToken;
        }

        // Placeholder for the refresh call: exchange the refresh token for a new
        // access token at the authorization server's token endpoint.
        private static String requestNewAccessToken() {
            throw new UnsupportedOperationException("call the token endpoint here");
        }
    }
If you don't have any control over the client and/or would prefer to fix this server-side, then a few options are:
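The following is an added, self-contained Java example (not code from the question, the answer or Spring Security) that replays the interleaving from steps 3-7 of the question against a constructed stand-in for the token endpoint, first without versioning and then with the versioned holder described in the answer, and finally has several real threads refresh at once while all holding the same stale version. `FakeTokenEndpoint`, `VersionedToken` and `TokenHolder` are assumed names invented for this illustration; the fake endpoint models the behaviour the question describes, in which issuing a new access token from the refresh token revokes the previous one.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class RefreshRaceDemo {

    // Constructed stand-in for the authorization server's token endpoint
    // (not Spring's): issuing a new access token from the refresh token
    // revokes the previously issued one, as the question describes.
    static final class FakeTokenEndpoint {
        private final Set<String> active = new HashSet<>();
        private final List<String> issued = new ArrayList<>();
        private String latest;

        synchronized String refresh() {
            if (latest != null) {
                active.remove(latest);           // previous token is invalidated
            }
            latest = "token-" + (issued.size() + 1);
            issued.add(latest);
            active.add(latest);
            return latest;
        }
        synchronized boolean isActive(String token) { return active.contains(token); }
        synchronized int refreshCount() { return issued.size(); }
    }

    // Immutable (version, token) pair handed to callers.
    static final class VersionedToken {
        final int version;
        final String value;
        VersionedToken(int version, String value) { this.version = version; this.value = value; }
    }

    // Single shared holder: only a caller whose version matches the current one
    // performs the refresh; everyone else receives the already-refreshed token.
    static final class TokenHolder {
        private final FakeTokenEndpoint endpoint;
        private VersionedToken current;

        TokenHolder(FakeTokenEndpoint endpoint, String initial) {
            this.endpoint = endpoint;
            this.current = new VersionedToken(0, initial);
        }
        synchronized VersionedToken current() { return current; }
        synchronized VersionedToken refresh(VersionedToken seen) {
            if (seen.version == current.version) {
                current = new VersionedToken(current.version + 1, endpoint.refresh());
            }
            return current;
        }
    }

    // Steps 3-7 of the question replayed without versioning: each thread
    // refreshes on its own, and the second refresh revokes the first token.
    static void unversionedRace() {
        FakeTokenEndpoint endpoint = new FakeTokenEndpoint();
        String thread1Token = endpoint.refresh();
        String thread2Token = endpoint.refresh();
        System.out.println("unversioned: Thread1 token active = " + endpoint.isActive(thread1Token)
                + ", Thread2 token active = " + endpoint.isActive(thread2Token));
    }

    // Same interleaving through the versioned holder: Thread2 still holds the
    // stale version, so it is handed Thread1's token instead of refreshing again.
    static void versionedSequence() {
        FakeTokenEndpoint endpoint = new FakeTokenEndpoint();
        TokenHolder holder = new TokenHolder(endpoint, "expired-token");
        VersionedToken seenByThread1 = holder.current();
        VersionedToken seenByThread2 = holder.current();
        VersionedToken t1 = holder.refresh(seenByThread1);
        VersionedToken t2 = holder.refresh(seenByThread2);
        System.out.println("versioned: same token = " + t1.value.equals(t2.value)
                + ", refreshes = " + endpoint.refreshCount()
                + ", Thread1 token active = " + endpoint.isActive(t1.value));
    }

    // Many real threads calling refresh at once, all holding the same stale version.
    static void versionedConcurrent(int threads) throws Exception {
        FakeTokenEndpoint endpoint = new FakeTokenEndpoint();
        TokenHolder holder = new TokenHolder(endpoint, "expired-token");
        VersionedToken stale = holder.current();
        CountDownLatch start = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        List<Future<VersionedToken>> results = new ArrayList<>();
        for (int i = 0; i < threads; i++) {
            results.add(pool.submit(() -> { start.await(); return holder.refresh(stale); }));
        }
        start.countDown();                        // release all threads together
        Set<String> distinct = new HashSet<>();
        for (Future<VersionedToken> f : results) distinct.add(f.get().value);
        pool.shutdown();
        System.out.println("concurrent: distinct tokens = " + distinct.size()
                + ", refreshes = " + endpoint.refreshCount());
    }

    public static void main(String[] args) throws Exception {
        unversionedRace();
        versionedSequence();
        versionedConcurrent(8);
    }
}
```

The first run shows Thread1 left holding a revoked token; the other two show that with versioning the endpoint is called exactly once and every thread ends up with the same, still-active token. The point of the version check is that it is made inside the same `synchronized` section that updates the token, so "is my copy stale?" and "refresh it" cannot be split across two threads.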