
AuthorizedClientServiceOAuth2AuthorizedClientManager usage of OAuth2AuthorizedClientService for client credentials flow #13816

Closed
david-sauvage opened this issue Sep 14, 2023 · 3 comments
Assignees
Labels
in: docs An issue in Documentation or samples type: enhancement A general enhancement

Comments

@david-sauvage
Expected Behavior

Only save the client credentials token once in the InMemoryOAuth2AuthorizedClientService.

Current Behavior

The JWT token is saved for every principal (every user) in the InMemoryOAuth2AuthorizedClientService, resulting in a memory leak.

Context

I’m developing a service which is both a resource server and a client to other HTTP APIs.
I’m using Spring Boot and, by extension, Spring Security and WebClient.

I use client credentials when it comes to communicating with other APIs

My application had a memory leak issue and I found out that it was because I was using an InMemoryOAuth2AuthorizedClientService, since it’s the default that comes with Spring Boot (documented here: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#web.security.oauth2.client and not recommended).

The way the OAuth2AuthorizedClientService behaves in my app is that it will save, for every principal (meaning every user) that comes from my controller, a new JWT token retrieved with the client credentials configuration. It results in a memory leak since it saves this in memory.

Is this behavior on purpose? What is the concept behind it that is probably out of my sight?
The only clean alternative I saw documented was to use a JdbcOAuth2AuthorizedClientService, which is pretty heavy. Are there other alternatives?

Thank you

@david-sauvage david-sauvage added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Sep 14, 2023
@sjohnr
Member

sjohnr commented Nov 8, 2023

@david-sauvage sorry you had trouble with the client_credentials grant and the default of storing tokens in-memory. This has been discussed before (for example, see gh-10083).

I added documentation to address this a few years ago, with gh-10120 (49f3c0c) but it appears this commit was lost when the Antora documentation updates were made around the same time. I would like to repurpose this ticket to re-add the missing documentation on this topic.

At this time, I don't believe we would look to change the default behavior. The framework is oriented towards user-based OAuth2 requests which take into account the current principal, and the missing documentation will describe the configuration you should apply for your use case.

Does that context address your issue and answer the question? If you have further questions, please feel free to open a Stack Overflow question and I'll take a look.

@sjohnr sjohnr self-assigned this Nov 8, 2023
@sjohnr sjohnr added in: docs An issue in Documentation or samples status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 8, 2023
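The following is an added example of the configuration shape the thread is about; it is not code from the issue, from the Spring Security documentation, or from the Spring Security project. It keeps the Spring Boot default `InMemoryOAuth2AuthorizedClientService` but calls `AuthorizedClientServiceOAuth2AuthorizedClientManager` with a fixed principal name for the machine-to-machine token, so the in-memory map is bounded at one entry for that registration instead of growing by one entry per authenticated user who passes through a controller. The registration id `backend-api`, the principal name `backend-api-service`, the base URL, the `/reports/{id}` path and the class and method names are assumptions made for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
class BackendApiClientConfig {

    // Assumed registration id, configured in application.yml as
    // spring.security.oauth2.client.registration.backend-api.authorization-grant-type=client_credentials
    static final String REGISTRATION_ID = "backend-api";

    @Bean
    OAuth2AuthorizedClientManager serviceAuthorizedClientManager(
            ClientRegistrationRepository registrations,
            // Spring Boot's default bean is InMemoryOAuth2AuthorizedClientService
            OAuth2AuthorizedClientService authorizedClientService) {
        // Only the client_credentials grant: this manager is never used for user-delegated tokens
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, authorizedClientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    @Bean
    WebClient backendApiWebClient(WebClient.Builder builder) {
        return builder.baseUrl("https://backend-api.example.internal").build(); // assumed URL
    }
}

@Component
class BackendApiClient {

    // One fixed principal name for the service-to-service token. The in-memory service keys entries by
    // (clientRegistrationId, principalName), so a constant name means one cached OAuth2AuthorizedClient for
    // this registration, replaced in place when the provider re-requests an expired token.
    static final String SERVICE_PRINCIPAL = "backend-api-service";

    private final OAuth2AuthorizedClientManager manager;
    private final WebClient webClient;

    BackendApiClient(OAuth2AuthorizedClientManager serviceAuthorizedClientManager, WebClient backendApiWebClient) {
        this.manager = serviceAuthorizedClientManager;
        this.webClient = backendApiWebClient;
    }

    // Hypothetical call to the downstream API on behalf of the service itself, not of the current user
    String fetchReport(String reportId) {
        // Do not pass the current user's Authentication as the principal: that is what creates one
        // stored token per user. The client_credentials token is not bound to any user.
        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                .withClientRegistrationId(BackendApiClientConfig.REGISTRATION_ID)
                .principal(SERVICE_PRINCIPAL)
                .build();
        OAuth2AuthorizedClient client = manager.authorize(request);
        if (client == null) {
            throw new IllegalStateException(
                    "client_credentials authorization failed for " + BackendApiClientConfig.REGISTRATION_ID);
        }
        // Set the bearer header directly instead of going through the exchange filter function, which
        // would otherwise pick up the current user's Authentication from the SecurityContext as the principal
        return webClient.get()
                .uri("/reports/{id}", reportId)
                .headers(h -> h.setBearerAuth(client.getAccessToken().getTokenValue()))
                .retrieve()
                .bodyToMono(String.class)
                .block();
    }
}
```

Two caveats. First, sharing one token under a fixed principal is only safe because `client_credentials` tokens carry the client's identity, not a user's; never apply the same trick to an authorization_code or refresh_token flow, where the stored client must stay keyed by the user. Second, if the bearer header is added by `ServletOAuth2AuthorizedClientExchangeFilterFunction` from inside a request thread, the filter resolves the principal from the current `SecurityContext` and the per-user keying comes back through that path, which is why the example calls the manager itself and sets the header by hand.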
sjohnr added a commit that referenced this issue Nov 9, 2023
This commit re-applies 49f3c0c
which was lost while splitting pages for Antora.

Issue gh-13816
Issue gh-10120
@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Nov 15, 2023
@spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

@spring-projects-issues spring-projects-issues closed this as not planned Won't fix, can't repro, duplicate, stale Nov 22, 2023
@spring-projects-issues spring-projects-issues removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Nov 22, 2023