Add Clock support to OAuth2Authorization #19414
Open
Dawid01 wants to merge 1 commit into
Closes spring-projectsgh-19413 Signed-off-by: Dawid Szczepaniak <dawidszczepaniak55@gmail.com>
Closes gh-19413

Summary
Adds support for configuring a custom java.time.Clock on OAuth2Authorization via OAuth2Authorization.Builder#clock(Clock), so that Token#isExpired() and #isBeforeUse() evaluate against the injected Clock instead of always relying on the system clock.

Expected Behavior
It should be possible to configure a custom java.time.Clock on OAuth2Authorization (via OAuth2Authorization.Builder), so that Token#isExpired(), #isBeforeUse(), and #isActive() evaluate against the injected Clock instead of the system clock.

Current Behavior (before this change)
OAuth2Authorization.Token#isExpired() and #isBeforeUse() compared token timestamps (expiresAt, nbf claim) directly against Instant.now() / the system clock, with no way to override this externally.

Context
Writing deterministic tests for token expiry, not-yet-valid (nbf), and revocation/refresh flows previously required either Thread.sleep(...), constructing tokens with timestamps computed relative to Instant.now() at test-build time, or mocking static methods — all of which are brittle or awkward. Injecting a Clock makes these scenarios reproducible and independent of wall-clock time.

Changes
- OAuth2Authorization.Builder#clock(Clock) to allow configuring a custom Clock.
- OAuth2Authorization.Token now uses the configured Clock (defaulting to Clock.systemDefaultZone() when not set) in isExpired() and isBeforeUse().
- OAuth2Authorization.from(...) propagates the configured Clock to the new Builder when copying an existing authorization.
- OAuth2AuthorizationTokenMixin for Jackson serialization support.
- nbf) handling, and default clock behavior.
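
The deterministic boundary testing described under Context, shown as an added example that is not code from this pull request or from Spring Security. `TimedToken` and `check` are hypothetical stand-ins, and the strict `isAfter`/`isBefore` comparisons are an assumption of this sketch; only `java.time` is used.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;

public class ClockedTokenDemo {

    // Hypothetical stand-in for a token holder; not Spring Security's OAuth2Authorization.Token.
    static final class TimedToken {
        private final Instant notBefore; // nbf claim, null when absent
        private final Instant expiresAt; // null when the token has no expiry
        private final Clock clock;

        TimedToken(Instant notBefore, Instant expiresAt, Clock clock) {
            this.notBefore = notBefore;
            this.expiresAt = expiresAt;
            // Fall back to the system clock when none is injected.
            this.clock = (clock != null) ? clock : Clock.systemDefaultZone();
        }

        boolean isExpired()   { return expiresAt != null && clock.instant().isAfter(expiresAt); }
        boolean isBeforeUse() { return notBefore != null && clock.instant().isBefore(notBefore); }
        boolean isActive()    { return !isExpired() && !isBeforeUse(); }
    }

    static void check(boolean condition, String message) {
        if (!condition) throw new AssertionError(message);
    }

    public static void main(String[] args) {
        // Constructed sample timestamps; no sleeping and no dependence on wall-clock time.
        Instant issued = Instant.parse("2030-01-01T00:00:00Z");
        Instant nbf = issued.plusSeconds(30);
        Instant exp = issued.plusSeconds(300);

        Clock atIssue = Clock.fixed(issued, ZoneOffset.UTC);
        check(new TimedToken(nbf, exp, atIssue).isBeforeUse(), "before nbf: not yet usable");

        Clock atNbf = Clock.offset(atIssue, Duration.ofSeconds(30));
        check(new TimedToken(nbf, exp, atNbf).isActive(), "exactly at nbf: usable");

        Clock atExp = Clock.offset(atIssue, Duration.ofSeconds(300));
        check(!new TimedToken(nbf, exp, atExp).isExpired(), "exactly at exp: strict isAfter");

        Clock pastExp = Clock.offset(atExp, Duration.ofMillis(1));
        check(new TimedToken(nbf, exp, pastExp).isExpired(), "1 ms past exp: expired");

        System.out.println("all boundary checks passed");
    }
}
```

Pinning the clock to the exact `nbf` and expiry instants exercises the off-by-one boundaries of the validity window, which tests based on `Thread.sleep(...)` cannot hit reliably.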