Github user ilgrosso commented on the issue: https://github.com/apache/syncope/pull/70 @IsurangaPerera I don't remember the details, but what I can see from the source three is that `AccessTokenDataBinderImpl#create` is invoked in two places: 1. https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/AccessTokenLogic.java#L84 (plain login) 1. https://github.com/apache/syncope/blob/master/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L549 (SAML 2.0 login) The former provides `replaceExisting` as `false`, the latter as `true`. From the code in `AccessTokenDataBinderImpl#create` I can see that: * for plain login, JWT is generated only at first invocation * for SAML 2.0 login, JWT is generated at every invocation, and existing JWT is replaced if existing Moreover, I cannot recall exactly why the UNIQUE constraint is not imposed to AccessToken's `owner`.
---