
Spring Security OAuth2 not using token expire values from properties

I am trying to configure my application to pull access and refresh token expire times from my properties file rather than setting them in the Java configuration. However, it is not picking them up and instead reverts to the default values.

Here is a sample of my Java config where I set the expire values manually. This works just fine when I do it like this.

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    ....

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("myclient")
                .secret("mysecret")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("my-app")
                .autoApprove("my-app")
                .accessTokenValiditySeconds(30)
                .refreshTokenValiditySeconds(3200);
    }
}

However, when I try to set them like this in my application.properties file, it doesn't work.

# Security
security.oauth2.client.access-token-validity-seconds=60
security.oauth2.client.refresh-token-validity-seconds=3200

I hope this reply is not too late...

I met the same problem, and later I found this is a bug.

When autowiring the ClientDetailsService, it has an exception:

Method threw 'org.springframework.beans.factory.BeanCreationException' exception. Cannot evaluate com.sun.proxy.$Proxy135.toString()

So the value of clientDetailsService is null. Then it will use the default value, so your value setting inside the config class doesn't work. But if you do it in the application.yml, it will set this value without checking clientDetailsService, so it works.

I have already reported this issue to the team; hope somebody may solve this bug. https://github.com/spring-projects/spring-security-oauth/issues/1448

A possible solution is to either set the value in the application.yml file or set the value in the DefaultTokenServices like this:

@Bean
@Primary
public DefaultTokenServices tokenServices() {
    DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
    defaultTokenServices.setTokenStore(this.tokenStore());
    defaultTokenServices.setSupportRefreshToken(true);
    defaultTokenServices.setTokenEnhancer(this.accessTokenConverter());
    defaultTokenServices.setAccessTokenValiditySeconds(100);
    return defaultTokenServices;
}

I was also searching for this answer and tried the proposed solution from DeezCashews. But it didn't work for me, because there is a part of the code which first checks whether this value is set in the access_token_validity column of the oauth_client_details table and only then grabs the value from tokenServices. So if your "expires_in" is set in the oauth_client_details table, then you need to change it there.

Code which checks the validity property in the DB:

protected int getAccessTokenValiditySeconds(OAuth2Request clientAuth) {
    if (clientDetailsService != null) {
        ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
        Integer validity = client.getAccessTokenValiditySeconds();
        if (validity != null) {
            return validity;
        }
    }
    return accessTokenValiditySeconds;
}
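
An added example, not code from the posts above or from the Spring project: one way to feed the per-client validity values (the ones the lookup above returns first) from application.properties, with a startup check against zero or negative values. The `app.oauth2.*` property names and the `requirePositive` helper are assumptions made for this sketch.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Hypothetical property names (not Spring Boot's own keys), e.g. in application.properties:
    //   app.oauth2.access-token-validity-seconds=60
    //   app.oauth2.refresh-token-validity-seconds=3200
    // A missing property fails startup with an unresolved-placeholder error.
    @Value("${app.oauth2.access-token-validity-seconds}")
    private int accessTokenValiditySeconds;

    @Value("${app.oauth2.refresh-token-validity-seconds}")
    private int refreshTokenValiditySeconds;

    // Hypothetical property; the required encoding depends on the PasswordEncoder in use.
    @Value("${app.oauth2.client-secret}")
    private String clientSecret;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("myclient")
                .secret(clientSecret)
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("my-app")
                .autoApprove("my-app")
                // Per-client values take precedence over the DefaultTokenServices defaults.
                .accessTokenValiditySeconds(requirePositive("access", accessTokenValiditySeconds))
                .refreshTokenValiditySeconds(requirePositive("refresh", refreshTokenValiditySeconds));
    }

    // DefaultTokenServices only sets an expiry when the validity is greater than zero, so a
    // zero or negative property value would issue non-expiring tokens. Fail at startup instead.
    private static int requirePositive(String kind, int seconds) {
        if (seconds <= 0) {
            throw new IllegalStateException(kind + " token validity must be > 0 seconds, got " + seconds);
        }
        return seconds;
    }
}
```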
