Talk about the token expire in use of OAuth 2.0

Background of problem

A private letter from a classmate asked such a question. Visit pig4cloud's Demonstration environment Check the return message of login request network as follows:


When the local deployment is running, the message returned by the login request is as follows:


The expires in expiration parameter is missing, so the client cannot know when to perform the refresh behavior.

Source code analysis

Let's look at the token method mechanism of oauth2. If the validitySeconds configured by the client is greater than 0, the valid time expires in parameter of the current token will be returned,

OAuth2AccessToken createAccessToken() {
  DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
  int validitySeconds = getAccessTokenValiditySeconds(authentication.getOAuth2Request());
  if (validitySeconds > 0) {
    token.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));

  return accessTokenEnhancer != null ? accessTokenEnhancer.enhance(token, authentication) : token;
  • When tokenStore stores tokens, if the expiration parameter is 0 or less than 0, and the expiration is empty, the effective time will not be set, which means it is permanent. Therefore, the client will not respond to the expires in parameter at this time
if (token.getExpiration() != null) {
  int seconds = token.getExpiresIn();
  conn.expire(accessKey, seconds);
  conn.expire(authKey, seconds);
  conn.expire(authToAccessKey, seconds);
  conn.expire(clientId, seconds);
  conn.expire(approvalKey, seconds);

Should a permanently valid token return the expires in parameter?

Let's see first oauth2 protocol specification

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

  • Access Ou token (required) an access token issued by an authorization server
  • token_type (required) this is the type of token, usually just the string "bear".
  • Expires \ in (recommended) if the access token expires.
  • refresh_token (optional) refreshes the token, which can be used to refresh after the access token expires.
  • Scope (optional) this parameter is optional if the scope granted by the user is the same as the scope requested by the application.

Here expires \. Therefore, the processing of spring security oauth2 here does not conform to the protocol specification emmm.

Project recommendation: Welcome to RBAC permission management system of Spring Cloud and Spring Security OAuth2

Tags: Programming Spring network less JSON

Posted on Wed, 08 Apr 2020 05:09:38 -0700 by Zeekar