spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

Home Page: http://github.com/spring-projects/spring-security-oauth

Why does ACCESS_TO_REFRESH have the same expiry time as the refresh token, not the access token?

nl594 opened this issue

commented

ACCESS_TO_REFRESH has the same expiry time as the refresh token, not the access token.
The access token xxx may have already expired in Redis, but access_to_refresh:xxx is still in Redis.
What is access_to_refresh:xxx used for?
I think access_to_refresh:xxx should have the same expiry time as access token xxx: if access token xxx has expired, access_to_refresh:xxx needs to expire too. Otherwise, it will occupy Redis space.

Can anyone explain this?

https://github.com/spring-projects/spring-security-oauth/blob/2b58aafecac336e82f20ea43da9b208b0a4a40dd/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java#L232

commented

The following issue has the same question:
#1908

And I do not think the following commit fixes it, because the method RedisTokenStore.removeRefreshToken may not be called.
#1836
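
The key lifetimes described in this issue, as an added example that is not part of the thread and is not the project's code: a small in-memory stand-in for Redis TTLs, plus an audit function that lists access_to_refresh: keys whose access: key has already expired. FakeRedis, the token values and the TTLs are constructed for illustration; the key prefixes follow the names used in the issue.

```python
# Constructed model of the key lifetimes discussed in the issue.
# This is not RedisTokenStore code; prefixes follow the names in the issue.
ACCESS = "access:"
ACCESS_TO_REFRESH = "access_to_refresh:"


class FakeRedis:
    """Hypothetical in-memory stand-in for Redis SET with a TTL and a manual clock."""

    def __init__(self):
        self.now = 0
        self._data = {}  # key -> (value, absolute expiry time)

    def set(self, key, value, ttl):
        self._data[key] = (value, self.now + ttl)

    def advance(self, seconds):
        self.now += seconds

    def live_keys(self):
        # Keys whose expiry time has not yet passed.
        return {k for k, (_, exp) in self._data.items() if exp > self.now}


def store_access_token(redis, access, refresh, access_ttl, mapping_ttl):
    """Write the token entry and the access-to-refresh mapping with separate TTLs."""
    redis.set(ACCESS + access, "serialized-token", access_ttl)
    redis.set(ACCESS_TO_REFRESH + access, refresh, mapping_ttl)


def orphaned_mappings(redis):
    """Return access_to_refresh: keys whose access: key is no longer present."""
    live = redis.live_keys()
    return sorted(
        k for k in live
        if k.startswith(ACCESS_TO_REFRESH)
        and ACCESS + k[len(ACCESS_TO_REFRESH):] not in live
    )


def demo(mapping_follows_refresh):
    redis = FakeRedis()
    access_ttl, refresh_ttl = 3600, 30 * 86400  # constructed: 1 hour, 30 days
    mapping_ttl = refresh_ttl if mapping_follows_refresh else access_ttl
    store_access_token(redis, "xxx", "rrr", access_ttl, mapping_ttl)
    redis.advance(access_ttl + 1)  # the access token has just expired
    return orphaned_mappings(redis)
```
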