When does Spring Security OAuth2 check access token expiration?
I'm debugging a scenario in my production environment where I intermittently see unexpected HTTP 401 responses from my resource server. I'm using Spring Security OAuth2 (the "old" OAuth libraries; pre Spring Security 5.2.x and its implementation of OAuth2) to handle requests and perform Authn.
What I'm observing is the following:
1. The user logs in at time x (time in seconds here) and obtains an access token. That access token expires at time x + 900 (15-minute validity).
2. At time x + 480, the user makes a request to a protected endpoint.
3. At time x + 900, the server returns an HTTP 401 response.
Questions:
I had a look at the source code for spring-security-oauth2 and this is not how it works. The token expiration is only checked one time, at the beginning of processing of the request.
I traced the issue I was having above to a problem in which our server resources were maxed out for a period. When resources (CPU; HTTP request worker threads) became available, the server started processing the request, but by this time the token had expired.
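An added example, not part of the original post or of spring-security-oauth2: a triage script that separates 401s for tokens already expired on arrival from 401s for tokens that expired while the request waited for a worker thread, the cause described in the answer above. The record fields and sample values are constructed, and it assumes both the arrival time (for example at a load balancer) and the time the application began processing are logged.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Rejected401:
    """One 401 response, joined from edge and application logs (hypothetical fields)."""
    request_id: str
    received_at: float            # epoch seconds: request accepted at the edge
    processing_started_at: float  # epoch seconds: worker thread began handling it
    token_expires_at: float       # epoch seconds: access token expiry


def classify(r: Rejected401) -> str:
    """Explain a 401 given that expiry is checked once, when processing starts."""
    if r.token_expires_at <= r.received_at:
        return "expired_on_arrival"    # client sent a stale token
    if r.token_expires_at <= r.processing_started_at:
        return "expired_while_queued"  # valid when sent, expired waiting for a worker
    return "other_cause"               # token still valid: look elsewhere


def summarize(records):
    """Count each category and report the worst queue delay among queued expiries."""
    counts = Counter(classify(r) for r in records)
    delays = [r.processing_started_at - r.received_at
              for r in records if classify(r) == "expired_while_queued"]
    return {"counts": dict(counts), "max_queue_delay": max(delays, default=0.0)}


# Constructed sample data. X stands for the login time "x" in the question;
# every token expires at X + 900.
X = 1_700_000_000
SAMPLE = [
    # Sent at x + 480, but no worker was free until just after x + 900.
    Rejected401("req-1", X + 480, X + 901, X + 900),
    # Sent after expiry: an ordinary stale-token 401.
    Rejected401("req-2", X + 950, X + 950.2, X + 900),
    # Token was valid at processing time, so expiry is not the cause.
    Rejected401("req-3", X + 100, X + 100.1, X + 900),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.request_id, classify(rec))
    print(summarize(SAMPLE))
```

A rising count of expired_while_queued alongside long queue delays points at resource exhaustion on the resource server rather than at client token handling.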