Skip to content
Advertisement

Spring Security OAuth2 not using token expire values from properties

I am trying to configure my application to pull access and refresh token expire times from my properties file rather than setting them in the java configuration. However it is not picking them up and instead reverts to the default values.

Here is a sample of my Java config where I set the expire values manually. This works just fine when I do it like this.

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    ....

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("myclient")
                .secret("mysecret")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("my-app")
                .autoApprove("my-app")
                .accessTokenValiditySeconds(30)
                .refreshTokenValiditySeconds(3200);
    }
}

However when I try to set them like this in my application.properties file like this, it doesnt work.

# Security
security.oauth2.client.access-token-validity-seconds=60
security.oauth2.client.refresh-token-validity-seconds=3200

Advertisement

Answer

I hope this reply is not too late…

I meet the same problem, and later I find this is a bug.

For the autowired for ClientDetailsService, it has a exception:

Method threw 'org.springframework.beans.factory.BeanCreationException' exception. Cannot evaluate com.sun.proxy.$Proxy135.toString()

So the value of clientDetailsService is null. Then it will use the defaul value, so your value setting inside the config class doesn’t work. But if you do it in the application.yml, it will set this value without checking clientDetailsService, so it works.

I have already report this issue to the team, hope somebody may solve this bug. https://github.com/spring-projects/spring-security-oauth/issues/1448

A possible solution is either set the value in the application.yml file or set the value in the DefaultTokenServices like this:

@Bean
@Primary
public DefaultTokenServices tokenServices() {
    DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
    defaultTokenServices.setTokenStore(this.tokenStore());
    defaultTokenServices.setSupportRefreshToken(true);
    defaultTokenServices.setTokenEnhancer(this.accessTokenConverter());
    defaultTokenServices.setAccessTokenValiditySeconds(100);
    return defaultTokenServices;
}
User contributions licensed under: CC BY-SA
10 People found this is helpful
Advertisement