OAuth2Authorization will exist in redis when refresh_token expired #1981

wzkris · 2025-04-18T05:12:53Z

Describe the bug
When using Redis to store OAuth2Authorization and setting reuseRefreshTokens to true, when your refresh token is about to expire, call the refresh endpoint. The expiration time of OAuth2Authorization will be reset, but the expiration time of the refresh token remains unchanged. At this point, if the time exceeds the expiration time of the refresh token, the server will deny access, but OAuth2Authorization still exists in Redis.

To Reproduce

Use the official redis store code
Set TokenSettings#reuseRefreshTokens to true
When the refresh token is about to expire, call the /oauth2/token grant_type=refresh_token endpoint

Expected behavior
The refresh token expires at the same time as the OAuth2Authorization lives.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.

The text was updated successfully, but these errors were encountered:

wzkris added the type: bug A general bug label Apr 18, 2025

wzkris changed the title ~~Data will exist in redis when refresh token expired~~ OAuth2Authorization will exist in redis when refresh_token expired Apr 18, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OAuth2Authorization will exist in redis when refresh_token expired #1981

OAuth2Authorization will exist in redis when refresh_token expired #1981

wzkris commented Apr 18, 2025

OAuth2Authorization will exist in redis when refresh_token expired #1981

OAuth2Authorization will exist in redis when refresh_token expired #1981

Comments

wzkris commented Apr 18, 2025