kacpr

Reputation: 392

Does the client credentials flow prevent concurrent authentication attempts?

I was following the Client Credentials flow guide from Baeldung, and one question occurred to me: what would happen if, during the initial request, when no token was cached, a second request was received in the application? Would Spring send a second request to authenticate?

I went as far as debugging my application and looked at the `ClientCredentialsOAuth2AuthorizedClientProvider` implementation, but couldn't find any locking mechanism and I didn't know where to look from there.

Upvotes: 0

Views: 62

Answers (1)

Anar Sultanov

Reputation: 3406

Yes, it will. This is a typical race condition, and Spring Security does not have built-in preventive measures against it. If a second request arrives while no token is cached, Spring will send another authentication request.

Similar issues have been discussed before (e.g., #11461, #14123), and the Spring team’s stance is that handling this should be the application's responsibility.

If this causes issues for you, consider implementing a custom synchronization mechanism to prevent multiple simultaneous authentication requests. You can also provide feedback or explore potential solutions in this open issue: #15145.

Upvotes: 5
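
One way to implement the custom synchronization the answer suggests, as an added example that is not part of the original answer or Spring Security's own code: a decorator that serializes `authorize()` calls per client registration and principal. The class name `SerializingAuthorizedClientManager` is hypothetical; it assumes the blocking (servlet) stack and a delegate such as `AuthorizedClientServiceOAuth2AuthorizedClientManager` that stores the token before `authorize()` returns.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.locks.ReentrantLock;

import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;

/**
 * Hypothetical decorator (the class name is an assumption, not a Spring type).
 * Serializes authorize() calls per (client registration, principal) so that
 * only one thread at a time can reach the token endpoint for a cache entry.
 */
public final class SerializingAuthorizedClientManager implements OAuth2AuthorizedClientManager {

    private final OAuth2AuthorizedClientManager delegate;

    // One lock per cache entry; with client credentials this is normally
    // a single entry per client registration.
    private final ConcurrentMap<String, ReentrantLock> locks = new ConcurrentHashMap<>();

    public SerializingAuthorizedClientManager(OAuth2AuthorizedClientManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public OAuth2AuthorizedClient authorize(OAuth2AuthorizeRequest request) {
        // Authorized clients are stored per registration id and principal name,
        // so the lock is keyed the same way.
        String key = request.getClientRegistrationId() + '\n' + request.getPrincipal().getName();
        ReentrantLock lock = locks.computeIfAbsent(key, k -> new ReentrantLock());

        lock.lock();
        try {
            // First thread in: nothing is cached, so the delegate calls the
            // token endpoint and stores the result before returning.
            // Threads that waited: the delegate now finds the stored,
            // unexpired token and returns it without a new token request.
            return delegate.authorize(request);
        } finally {
            lock.unlock();
        }
    }
}
```

The lock is held per JVM, so several application instances will still each request their own token.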
