Avoid Race Condition When Fetching new Access Token from UAA using Refresh Token Flow #1300
base: main
Conversation
Thanks for the PR @eaglerainbow. I'll need a bit of time to digest the history of this. Is there a reason this PR is still in draft?
You are welcome!
For sure 😀 This also isn't an issue like others, which you fix just like that 😉
Yes, and that has a lot to do with the history of this issue 😉
I see that
ran red. At the same time JVM 8 seems to have run green. Higher JVM versions seem to be canceled.
@eaglerainbow it failed on JDK 11 because we run Please run:
Okay, didn't know that.
This passed. I need to make time to review this, probably some time next week.
No rush, please.
Problem
When multiple concurrent requests arrive with expired access tokens, the AbstractUaaTokenProvider could enter a broken state due to race conditions in the refresh token flow. This occurred because:
This issue manifested as authentication deadlocks and intermittent token failures in high-concurrency scenarios. It only appears when the refresh token flow is executed. As this typically happens rarely (e.g. after 6 hrs), detecting the problem can be very tedious.
Solution
This PR implements a fix with two key mechanisms:
1. Request Serialization
- getTokenScheduler() added to ConnectionContext, providing a single-threaded scheduler per connection
- publishOn(connectionContext.getTokenScheduler()) used so that token requests for a connection are serialized onto that scheduler
2. Request Deduplication
- activeTokenRequests map to track ongoing token requests
- putIfAbsent() to ensure only one request per connection context
Key Changes
Core Implementation
- getTokenScheduler() method added to the ConnectionContext interface
- AbstractUaaTokenProvider updated to use the two mechanisms above
Testing
Concurrency unit tests in integration-test style are provided with this PR to avoid regressions in future.
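The following is an added example, not code from cf-java-client or from this PR. It models the two mechanisms described under Solution (a per-connection single-threaded scheduler reached via publishOn, and an activeTokenRequests map guarded with putIfAbsent) on hypothetical stand-in classes (DemoConnectionContext, DemoUaaTokenProvider, TokenRaceDemo), with the UAA refresh_token grant replaced by a constructed Mono.delay of 50 ms, and drives it the way the concurrency tests mentioned under Testing would: many callers ask for a token at once while none is valid, then again after the token is expired.

```java
import java.time.Duration;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Scheduler;
import reactor.core.scheduler.Schedulers;

// Added example, not cf-java-client code. Stand-in for ConnectionContext: each
// connection owns one single-threaded scheduler on which all token work runs.
final class DemoConnectionContext {
    private final String id;
    private final Scheduler tokenScheduler;

    DemoConnectionContext(String id) {
        this.id = id;
        this.tokenScheduler = Schedulers.newSingle("uaa-token-" + id); // hypothetical thread name
    }

    String getId() { return id; }
    Scheduler getTokenScheduler() { return tokenScheduler; }
}

// Stand-in for AbstractUaaTokenProvider carrying the two mechanisms from the PR description.
final class DemoUaaTokenProvider {
    final AtomicInteger refreshCalls = new AtomicInteger();              // how often "UAA" was really hit
    private final Map<String, Mono<String>> activeTokenRequests = new ConcurrentHashMap<>();
    private volatile String accessToken;                                  // null means "no valid token"

    // Constructed stand-in for the refresh_token grant; the delay imitates network latency
    // and completes on Reactor's parallel scheduler, i.e. NOT on the token scheduler.
    private Mono<String> callUaaRefresh() {
        return Mono.delay(Duration.ofMillis(50))
                   .map(ignored -> "access-token-" + refreshCalls.incrementAndGet());
    }

    // Simulates the access token reaching the end of its lifetime.
    void expireAccessToken() {
        accessToken = null;
    }

    Mono<String> getToken(DemoConnectionContext ctx) {
        return Mono.just(ctx)
            // Mechanism 1 (Request Serialization): from here on everything runs on the
            // context's single thread, so the check-then-refresh below cannot interleave
            // with another caller's for the same connection.
            .publishOn(ctx.getTokenScheduler())
            .flatMap(this::checkOrRefresh);
    }

    private Mono<String> checkOrRefresh(DemoConnectionContext ctx) {
        String current = accessToken;
        if (current != null) {
            return Mono.just(current);
        }
        // Mechanism 2 (Request Deduplication): callers arriving while a refresh is in
        // flight share its result instead of starting their own refresh.
        Mono<String> refresh = callUaaRefresh()
            .publishOn(ctx.getTokenScheduler())                  // state updates also on the single thread
            .doOnNext(token -> accessToken = token)
            .doFinally(signal -> activeTokenRequests.remove(ctx.getId())) // also on error, so no stale entry
            .cache();                                            // one upstream subscription, many subscribers
        Mono<String> inFlight = activeTokenRequests.putIfAbsent(ctx.getId(), refresh);
        return inFlight != null ? inFlight : refresh;            // loser of the race never subscribes "refresh"
    }
}

public final class TokenRaceDemo {
    private static List<String> wave(DemoUaaTokenProvider provider, DemoConnectionContext ctx) {
        // 50 callers subscribe from different threads, the window in which the race occurred.
        return Flux.range(0, 50)
            .flatMap(i -> provider.getToken(ctx).subscribeOn(Schedulers.boundedElastic()))
            .collectList()
            .block();
    }

    public static void main(String[] args) {
        DemoConnectionContext ctx = new DemoConnectionContext("api.example.invalid");
        DemoUaaTokenProvider provider = new DemoUaaTokenProvider();

        List<String> first = wave(provider, ctx);
        System.out.println("wave 1: distinct tokens=" + first.stream().distinct().count()
            + " refreshCalls=" + provider.refreshCalls.get());

        provider.expireAccessToken();
        List<String> second = wave(provider, ctx);
        System.out.println("wave 2: distinct tokens=" + second.stream().distinct().count()
            + " refreshCalls=" + provider.refreshCalls.get());

        ctx.getTokenScheduler().dispose();
    }
}
```

Each wave should produce a single distinct token and exactly one increment of refreshCalls, whereas a check-then-refresh without the scheduler hop and the map lets several callers in a wave each trigger their own grant. Two caveats when applying the pattern: nothing that runs on the token scheduler may call block(), since the single thread would then wait on itself (the deadlock symptom the PR description mentions); and the doFinally cleanup must cover the error path as well, otherwise a failed refresh leaves a cached failure in activeTokenRequests that every later caller for that connection is handed.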
Addressed Issues
closes #1146