OAuth2Authorization will exist in redis when refresh_token expired

[wzkris]

Describe the bug
When using Redis to store OAuth2Authorization and setting reuseRefreshTokens to true, when your refresh token is about to expire, call the refresh endpoint. The expiration time of OAuth2Authorization will be reset, but the expiration time of the refresh token remains unchanged. At this point, if the time exceeds the expiration time of the refresh token, the server will deny access, but OAuth2Authorization still exists in Redis.

To Reproduce

1. Use the official redis store code
2. Set TokenSettings#reuseRefreshTokens to true
3. When the refresh token is about to expire, call the /oauth2/token grant_type=refresh_token endpoint

Expected behavior
The refresh token expires at the same time as the OAuth2Authorization lives.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.

[jgrandja]

@wzkris

if the time exceeds the expiration time of the refresh token, the server will deny access, but OAuth2Authorization still exists in Redis

Correct. The OAuth2Authorization will still exist in the backing store even if all tokens are expired. This is the expected behaviour. Please see this comment and this comment for further context.