Re: [PR] Synchronize access token refresh when refresh tokens aren't recycled [cxf]

via GitHub Thu, 21 May 2026 10:57:18 -0700


reta commented on code in PR #3133:
URL: https://github.com/apache/cxf/pull/3133#discussion_r3283297127



##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java:
##########
@@ -225,6 +225,16 @@ protected ServerAccessToken createNewAccessToken(Client 
client, UserSubject user
     @Override
     public ServerAccessToken refreshAccessToken(Client client, String 
refreshTokenKey,
                                                 List<String> restrictedScopes) 
throws OAuthServiceException {
+        if (!recycleRefreshTokens) {
+            synchronized (refreshTokenLock) {
+                return doRefreshAccessToken(client, refreshTokenKey, 
restrictedScopes);

Review Comment:
   Thanks @coheigea , the solution looks legit (since synchronized is 
reentrant), cleaning up the `doRefreshAccessToken` probably is too risky



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Synchronize access token refresh when refresh tokens aren't recycled [cxf]

Reply via email to