What they did do wrong

Last Update: 05.06.2018. By Jens in Developers Life | Learning | Newsletter

Alejandro wrote in with an interesting tutorial that has the same problem as my client.

“Last week I was reading about Google Sign-In with Spring Social and one article that I read had exactly this problem: http://littlebigextra.com/part-1-authorising-user-using-spring-social-google-facebook-and-linkedin-and-spring-security/

Maybe they followed that guide

The author also posted the solution: http://littlebigextra.com/how-to-fix-spring-social-facebook-one-user-per-application-problem/
It may have been the case.”


Yeah, if you simply follow a tutorial, don’t understand it and just copy and paste code, it can become a mess. Before you copy and paste anything, understand how it works first. Anyways, that was not the problem my client had.

Essentially, they did not use an injected OAuth2ClientContext because of some other behavior, but rather instantiated it while setting up the OAuth2RestTemplate for the Google login. This config code runs once, and so a new DefaultOAuth2ClientContext(accessTokenRequest) does too. DefaultOAuth2ClientContext is the only class implementing the OAuth2ClientContext interface. DefaultOAuth2ClientContext is a simple data class and nothing more. The crux is in the OAuth2RestTemplate: it retrieves the token from the context and keeps using that token as long as it is valid. When the first user logs in, their token is stored in the one and only DefaultOAuth2ClientContext instance. OAuth2RestTemplate now always retrieves this token, for every user, until it is invalid or the app restarts.

The reason why they did not use the injected context was another behavior of Spring. They also had an OAuth2 service client set up, and its context was always the one used when injecting the OAuth2ClientContext. Not sure why and not enough time to investigate. Anyways, the solution was simply adding their own session-scoped bean definition which returns an instance of DefaultOAuth2ClientContext, injecting it in the config and using it for setting up the rest template. Works, problem solved.
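
The bug and the fix described above, side by side, as an added example (not the client's code or the tutorial's). The class name, the bean names `googleDetails` and `googleClientContext`, and the helper `sharedContextTemplate` are hypothetical; it assumes `@EnableOAuth2Client` is active so that a request-scoped `accessTokenRequest` bean exists.

```java
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;

@Configuration
public class GoogleLoginConfig { // hypothetical name

    // BEFORE (the bug, kept only for comparison and deliberately not a @Bean):
    // the context is created inline while the template is built. That code runs
    // once at startup, so one DefaultOAuth2ClientContext serves every user and
    // the first user's token is handed to everyone who logs in afterwards.
    static OAuth2RestTemplate sharedContextTemplate(OAuth2ProtectedResourceDetails google,
                                                    AccessTokenRequest accessTokenRequest) {
        return new OAuth2RestTemplate(google, new DefaultOAuth2ClientContext(accessTokenRequest));
    }

    // AFTER: a dedicated, session-scoped context bean. The scoped proxy resolves
    // to a separate DefaultOAuth2ClientContext per HTTP session, so each user's
    // token lives only in that user's session.
    @Bean
    @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
    public OAuth2ClientContext googleClientContext(
            @Qualifier("accessTokenRequest") AccessTokenRequest accessTokenRequest) {
        return new DefaultOAuth2ClientContext(accessTokenRequest);
    }

    // The template is still a singleton, but it now holds the proxy rather than
    // a concrete context. The qualifier selects this context explicitly, so the
    // one belonging to the other OAuth2 client cannot be injected by accident.
    @Bean
    public OAuth2RestTemplate googleRestTemplate(
            @Qualifier("googleDetails") OAuth2ProtectedResourceDetails google, // assumed bean
            @Qualifier("googleClientContext") OAuth2ClientContext context) {
        return new OAuth2RestTemplate(google, context);
    }
}
```

A quick check after deploying a change like this is to log in as two different users in two separate browser sessions and confirm each one sees their own profile.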