oauth2-server-php
Access tokens not getting removed/replaced
I have been trying to figure out why we have so many access tokens in our database. I've been looking through the code and noticed that unsetAccessToken never really gets called except for revoke, and also that in the setAccessToken method the UPDATE call is never being made; it's always just inserting a new one. Is there something that I'm doing wrong to cause this to happen?
Thanks!
Can somebody please address this? I'm having the same problem as well.
Since access tokens expire, the only way to remove them (currently) would be to run a query to clean up expired tokens. In Redis, the removal happens automatically, but for the rest of the storages this is not the case.
We could add a method to the Storage classes removeExpiredTokens or something along these lines. Then this method could be called on a cron. Would this be appropriate for your needs?
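The cron cleanup suggested above, as an added example that is not part of the original thread or the project's own code: it deletes expired rows in small batches through PDO. The table and key-column names are assumed to match the library's default PDO schema, and the function name `purgeExpired` and the sample rows are hypothetical.

```php
<?php
// Added example: purge expired OAuth2 rows in batches; intended to run from cron.
// Assumption: table and key-column names follow the library's default PDO schema.
const TOKEN_TABLES = [
    'oauth_access_tokens'       => 'access_token',
    'oauth_refresh_tokens'      => 'refresh_token',
    'oauth_authorization_codes' => 'authorization_code',
];

function purgeExpired(PDO $db, string $now, int $batch = 500): array
{
    $deleted = [];
    // Identifiers come from the fixed map above, never from request input.
    foreach (TOKEN_TABLES as $table => $key) {
        $deleted[$table] = 0;
        $select = $db->prepare("SELECT $key FROM $table WHERE expires < :now LIMIT $batch");
        do {
            $select->execute([':now' => $now]);
            $keys = $select->fetchAll(PDO::FETCH_COLUMN);
            if ($keys) {
                // Delete by key in small chunks so no single statement holds locks for long.
                $marks  = implode(',', array_fill(0, count($keys), '?'));
                $delete = $db->prepare("DELETE FROM $table WHERE $key IN ($marks) AND expires < ?");
                $delete->execute(array_merge($keys, [$now]));
                $deleted[$table] += $delete->rowCount();
            }
        } while (count($keys) === $batch);
    }
    return $deleted;
}

// Demo on an in-memory SQLite database with constructed rows (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (TOKEN_TABLES as $table => $key) {
    $db->exec("CREATE TABLE $table ($key TEXT PRIMARY KEY, client_id TEXT, expires TEXT)");
}
$insert = $db->prepare('INSERT INTO oauth_access_tokens VALUES (?, ?, ?)');
$insert->execute(['constructed-old-1', 'demo-client', '2020-01-01 00:00:00']);
$insert->execute(['constructed-old-2', 'demo-client', '2021-06-15 12:00:00']);
$insert->execute(['constructed-live', 'demo-client', '2999-01-01 00:00:00']);

// $now must be in the same time zone the stored expires values were written in.
print_r(purgeExpired($db, date('Y-m-d H:i:s'), 1));
print_r($db->query('SELECT access_token FROM oauth_access_tokens')->fetchAll(PDO::FETCH_COLUMN));
```

Against a production database, replace the SQLite demo section with the application's existing PDO connection and keep only the `purgeExpired` call.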
That would be really useful, but if I use Redis, that would be enough, right?
That method would be really useful, but as for me, I will first try the Redis solution. Thanks!
Yeah, Redis will automatically remove keys after their expiration, so it's a great application for access tokens, refresh tokens, and authorization codes. You can mix-and-match storage also, and keep MySQL or what have you for your other storages (client/user/etc).
The reason is that setAccessToken always creates new tokens even if there are existing ones that have not expired. You can write a helper function to prevent creating a new token when there is an active one for a client.