Spring Security OAuth2 何时检查访问令牌过期？

Question

I'm debugging a scenario in my production environment where I intermittently see unexpected HTTP 401 responses from my resource server. I'm using Spring Security OAuth2 (the "old" OAuth libraries; pre Spring Security 5.2.x and its implementation of OAuth2) to handle requests and perform Authn.

What I'm observing is the following:

1. A user logs in at time x (time in seconds here) and obtains an access token. That access token expires at time x + 900 (15 minute validity).
2. At time x + 480 , the user makes a request to a protected endpoint.
3. The request takes a long time to complete, such that it's still being processed when the token expires. At time x + 900 , the server returns a HTTP 401 response.

Questions:

1. Is this really how Spring Security OAuth2 works? To be more specific, does it track the token's expiration time and return a 401 if the request is still being processed when the token expires? Or on the other end of the security filter, when the response is being prepared?
2. Is there a way to disable this behavior, so that the token is only checked when the request is first processed?

Answer 1

I had a look at the source code for spring-security-oauth2 and this is not how it works. The token expiration is only checked one time, at the beginning of processing of the request.

I traced the issue I was having above to a problem in which our server resources were maxed out for a period. When resources (CPU; HTTP request worker threads) became available, the server started processing the request, but by this time the token had expired.