spring-attic/spring-security-oauth

OAuth2RestTemplate is not thread-safe

harti2006 opened this issue · 2 comments

The way OAuth2RestTemplate stores access tokens in its OAuth2ClientContext context field and finally passes it to the authenticator, which writes the auth header to the request, is not thread-safe.

That means using a single instance of OAuth2RestTemplate from multiple threads in parallel might lead to wrong access tokens being sent around.

The original RestTemplate is thread-safe, so I was surprised that this one is not.

Yes and no.
Within the framework, OAuth2ClientContext is a session/request-scoped bean (depending on the usage scenario), and it is thread-safe to be used like this.
For example, OAuth2ClientConfiguration or EnableOAuth2Client.

Of course, it means that when creating one yourself you need to take care of thread safety in one way or another.

Thanks @olkulyk, now I got it ;-)
However, it would be nice to have some hints on the usage directly in the Javadocs, but it is also explained here: http://projects.spring.io/spring-security-oauth/docs/oauth2.html#oauth-2.0-client
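The behaviour discussed in this thread, as an added example that is not part of the original comments or the project's own code: two callers share one hand-built OAuth2RestTemplate and caller A ends up with caller B's token, while giving each caller its own OAuth2ClientContext keeps the tokens apart. The client id, token URI and token values are constructed placeholders, and tokens are set on the context directly rather than fetched, so nothing is sent over the network (spring-security-oauth2 must be on the classpath).

```java
import java.util.concurrent.CountDownLatch;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;

public class SharedContextDemo {

    // Builds a template around the given context; the resource values are constructed placeholders.
    static OAuth2RestTemplate template(OAuth2ClientContext ctx) {
        ClientCredentialsResourceDetails r = new ClientCredentialsResourceDetails();
        r.setClientId("demo-client");
        r.setAccessTokenUri("https://auth.example.invalid/oauth/token"); // never contacted
        return new OAuth2RestTemplate(r, ctx);
    }

    static void await(CountDownLatch latch) {
        try { latch.await(); } catch (InterruptedException e) { throw new IllegalStateException(e); }
    }

    // Forced interleaving: A stores its token, B stores its own, then A asks the
    // template which token it would put in the Authorization header.
    static String tokenSeenByA(OAuth2RestTemplate forA, OAuth2RestTemplate forB) throws InterruptedException {
        CountDownLatch aStored = new CountDownLatch(1), bStored = new CountDownLatch(1);
        String[] seen = new String[1];
        Thread a = new Thread(() -> {
            forA.getOAuth2ClientContext().setAccessToken(new DefaultOAuth2AccessToken("token-A"));
            aStored.countDown();
            await(bStored);
            seen[0] = forA.getAccessToken().getValue(); // unexpired token is read from the context
        });
        Thread b = new Thread(() -> {
            await(aStored);
            forB.getOAuth2ClientContext().setAccessToken(new DefaultOAuth2AccessToken("token-B"));
            bStored.countDown();
        });
        a.start(); b.start(); a.join(); b.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        OAuth2RestTemplate shared = template(new DefaultOAuth2ClientContext());
        System.out.println("shared template:    A sends " + tokenSeenByA(shared, shared));
        System.out.println("context per caller: A sends " + tokenSeenByA(
                template(new DefaultOAuth2ClientContext()), template(new DefaultOAuth2ClientContext())));
    }
}
```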