(cxf) branch 4.1.x-fixes updated: Synchronize access token refresh when refresh tokens aren't recycled (#3133)

Fri, 22 May 2026 01:44:33 -0700 

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 4.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/4.1.x-fixes by this push:
     new 9c214771a96 Synchronize access token refresh when refresh tokens 
aren't recycled (#3133)
9c214771a96 is described below

commit 9c214771a960cbb6303113149ffc7b964194c42c
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri May 22 09:43:49 2026 +0100

    Synchronize access token refresh when refresh tokens aren't recycled (#3133)
    
    (cherry picked from commit 013cf51c68dfdfbc1290edeb71c9ef4aef4d4a22)
---
 .../rs/security/oauth2/provider/AbstractOAuthDataProvider.java | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 8daef5e8839..d43e44916b1 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -224,6 +224,16 @@ public abstract class AbstractOAuthDataProvider implements 
OAuthDataProvider, Cl
     @Override
     public ServerAccessToken refreshAccessToken(Client client, String 
refreshTokenKey,
                                                 List<String> restrictedScopes) 
throws OAuthServiceException {
+        if (!recycleRefreshTokens) {
+            synchronized (refreshTokenLock) {
+                return doRefreshAccessToken(client, refreshTokenKey, 
restrictedScopes);
+            }
+        }
+        return doRefreshAccessToken(client, refreshTokenKey, restrictedScopes);
+    }
+
+    private ServerAccessToken doRefreshAccessToken(Client client, String 
refreshTokenKey,
+                                                   List<String> 
restrictedScopes) {
         RefreshToken currentRefreshToken = recycleRefreshTokens
             ? revokeRefreshToken(client, refreshTokenKey) : 
getRefreshToken(refreshTokenKey);
         if (currentRefreshToken == null) {

Reply via email to