Hi there, the following validation is new in CAS 6.x
OIDC endpoint: cas/oidc/token (request access token using authCode)

OAuth20AuthorizationCodeGrantTypeTokenRequestValidator

The log says it all: if the authCode is expired, it will attempt to revoke all access tokens issued to the authCode (new to CAS 6). However, it does so by querying the entire registry: getTicketRegistry().getTickets()

    @Override
    protected boolean validateInternal(final WebContext context, final String grantType,
                                       final ProfileManager manager, final UserProfile uProfile) {
        .......................................
        if (valid) {
            val token = getConfigurationContext().getTicketRegistry().getTicket(code.get(), OAuth20Code.class);
            if (token == null || token.isExpired()) {
                LOGGER.debug("Code [{}] is invalid or expired. Attempting to revoke access tokens issued to the code", code.get());
                val accessTokensByCode = getConfigurationContext().getTicketRegistry().getTickets(ticket ->
                    ticket instanceof OAuth20AccessToken
                        && StringUtils.equalsIgnoreCase(((OAuth20AccessToken) ticket).getToken(), code.get()));
                accessTokensByCode.forEach(ticket -> {
                    LOGGER.debug("Removing access token [{}] issued via expired/unknown code [{}]", ticket.getId(), code.get());
                    getConfigurationContext().getTicketRegistry().deleteTicket(ticket);
                });
                LOGGER.warn("Request OAuth code [{}] is not found or has expired", code.get());
                return false;
            }
            ...............................

This is the CAS HazelcastTicketRegistry code. Note: this.ticketCatalog.findAll()

    @Override
    public Collection<? extends Ticket> getTickets() {
        return this.ticketCatalog.findAll()
            .stream()
            .map(metadata -> getTicketMapInstanceByMetadata(metadata).values())
            .flatMap(tickets -> {
                if (pageSize > 0) {
                    return tickets.stream().limit(pageSize).collect(Collectors.toList()).stream();
                }
                return new ArrayList<>(tickets).stream();
            })
            .map(this::decodeTicket)
            .collect(Collectors.toSet());
    }

Wouldn't that be a performance issue?
Yan
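To put a number on the question above, here is an added example (not CAS code and not from the original post) that counts how many tickets are touched when revocation filters the whole registry versus when it follows a secondary index keyed by the authorization code. The class, record and method names are hypothetical, and the in-memory maps stand in for a distributed registry such as Hazelcast.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory stand-in for a ticket registry; not the CAS TicketRegistry API.
public class CodeRevocationDemo {
    record AccessToken(String id, String issuedByCode) {}

    static final Map<String, AccessToken> tickets = new ConcurrentHashMap<>();
    // Secondary index: normalized authorization code id -> ids of access tokens issued from it.
    static final Map<String, Set<String>> byCode = new ConcurrentHashMap<>();
    static long visited;

    // The validator compares case-insensitively, so index keys are normalized the same way.
    static String key(String code) { return code.toLowerCase(Locale.ROOT); }

    static void store(AccessToken t) {
        tickets.put(t.id(), t);
        byCode.computeIfAbsent(key(t.issuedByCode()), k -> ConcurrentHashMap.newKeySet()).add(t.id());
    }

    // Same shape as the validator: apply a predicate to every ticket in the registry.
    static int revokeByScan(String code) {
        List<String> hits = new ArrayList<>();
        for (AccessToken t : tickets.values()) {
            visited++;
            if (t.issuedByCode().equalsIgnoreCase(code)) hits.add(t.id());
        }
        hits.forEach(CodeRevocationDemo::delete);
        return hits.size();
    }

    // Indexed variant: touches only the tokens recorded against this code.
    static int revokeByIndex(String code) {
        List<String> ids = new ArrayList<>(byCode.getOrDefault(key(code), Set.of()));
        visited += ids.size();
        ids.forEach(CodeRevocationDemo::delete);
        return ids.size();
    }

    static void delete(String id) {
        AccessToken t = tickets.remove(id);
        if (t == null) return;
        // Drop the index entry once its last token is gone.
        byCode.computeIfPresent(key(t.issuedByCode()), (k, s) -> s.remove(id) && s.isEmpty() ? null : s);
    }

    public static void main(String[] args) {
        // Constructed sample data: 200,000 access tokens, two per authorization code.
        for (int i = 0; i < 200_000; i++) store(new AccessToken("AT-" + i, "OC-" + (i / 2)));
        int scanned = revokeByScan("oc-7");
        System.out.printf("scan:  revoked=%d visited=%d%n", scanned, visited);
        visited = 0;
        int indexed = revokeByIndex("oc-8");
        System.out.printf("index: revoked=%d visited=%d%n", indexed, visited);
    }
}
```

In a distributed registry every visited ticket in the scan path is also fetched and decoded, so the per-request cost grows with total registry size instead of with the number of tokens tied to the code.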