
Reactive WebClient OAuth2 SSO authentication performs too many /oauth2/token requests when token expires #17167

Open
@System25

Description


Describe the bug
The first time you get an OAuth2 token (or after the token expires), if several requests are processed at the same time, several requests are made to the /oauth2/token service.

This is caused by a race condition.

The condition to request a new token is to check if the token does not exist in the cache yet or if the token is expired. After that the request is made. And then the token is cached.
So if more than one thread sees that the token is expired (or doesn't exist yet), more than one request to /oauth2/token is made and the cached token is overwritten.

This bug causes a performance problem because it can saturate the OAuth2 server, but it can also produce timeouts getting the OAuth2 token if a firewall detects the multiple requests to the /oauth2/token endpoint with the same payload and decides to block that request.

To Reproduce
You can reproduce this behaviour either with an integration test or with a performance test.
If you run a performance test with, for example, 100 requests per second, and the /oauth2/token endpoint takes 1 second to return a response, you will see that when the token expires 100 requests are made to the /oauth2/token endpoint.

Expected behavior
Only one request to the /oauth2/token endpoint is made.

Sample
You can find the sample in this repository: https://github.com/System25/spring-oauth2-client-credentials-webclient/tree/parallel_oauth2_problem

It contains 2 tests:

  • A happy path test with 10 requests one after another that makes only 1 request to the /oauth/token endpoint
  • A test to show the error that makes 10 requests in parallel; the test fails because more than one request to the /oauth/token endpoint is made.
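The race described in the report, and the single-flight refresh that fixes it, modelled as an added Python example. This is not Spring Security code and not the reporter's sample project; `FakeTokenEndpoint`, `RacyTokenCache`, `CoalescingTokenCache` and `hammer` are illustrative names, and the token endpoint is a constructed in-process stub that only counts how often it is called. The example goes slightly beyond the report by also checking that the coalescing cache makes exactly one more request after the token expires.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Token:
    value: str
    expires_at: float  # time.monotonic() seconds

    def is_expired(self, now: float, skew: float = 0.0) -> bool:
        # `skew` seconds early, so an in-flight request never carries a dead token
        return now >= self.expires_at - skew


class FakeTokenEndpoint:
    """Constructed stand-in for POST /oauth2/token: slow like a loaded IdP,
    and it counts its hits, which is the number the bug report is about."""

    def __init__(self, latency: float = 0.1, expires_in: float = 60.0):
        self.latency, self.expires_in, self.calls = latency, expires_in, 0
        self._lock = threading.Lock()

    def __call__(self) -> Token:
        with self._lock:
            self.calls += 1
            n = self.calls
        time.sleep(self.latency)  # network + token issuance time
        return Token(f"access-token-{n}", time.monotonic() + self.expires_in)


class RacyTokenCache:
    """Check-then-act with no coordination, i.e. the behaviour in the issue:
    every caller that sees a missing/expired token fetches its own."""

    def __init__(self, endpoint: Callable[[], Token]):
        self._endpoint, self._token = endpoint, None

    def get_token(self) -> Token:
        token = self._token
        if token is None or token.is_expired(time.monotonic()):
            token = self._endpoint()  # race window: other threads are in here too
            self._token = token       # last writer wins
        return token


class CoalescingTokenCache:
    """Single-flight refresh: lock-free fast path, then lock + re-check so that
    only the first caller per expiry hits /oauth2/token and the rest reuse it."""

    def __init__(self, endpoint: Callable[[], Token], clock_skew: float = 5.0):
        self._endpoint, self._clock_skew = endpoint, clock_skew
        self._token: Optional[Token] = None
        self._lock = threading.Lock()

    def _fresh(self, token: Optional[Token]) -> bool:
        return token is not None and not token.is_expired(time.monotonic(), self._clock_skew)

    def get_token(self) -> Token:
        token = self._token
        if self._fresh(token):
            return token
        with self._lock:
            token = self._token           # re-check: a peer may have refreshed meanwhile
            if not self._fresh(token):
                token = self._endpoint()  # exactly one request per expiry
                self._token = token
            return token


def hammer(cache, workers: int) -> int:
    """Release `workers` threads at the same instant; returns how many distinct
    token values they received (1 = shared one token, N = each fetched its own)."""
    barrier, seen, seen_lock = threading.Barrier(workers), set(), threading.Lock()

    def worker():
        barrier.wait()
        value = cache.get_token().value
        with seen_lock:
            seen.add(value)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(seen)


def compare_caches(workers: int = 100) -> dict:
    """Same burst against both caches; returns the /oauth2/token hit counts."""
    racy_ep, safe_ep = FakeTokenEndpoint(), FakeTokenEndpoint()
    racy_distinct = hammer(RacyTokenCache(racy_ep), workers)
    safe_distinct = hammer(CoalescingTokenCache(safe_ep), workers)
    return {"racy_requests": racy_ep.calls, "racy_distinct": racy_distinct,
            "coalesced_requests": safe_ep.calls, "coalesced_distinct": safe_distinct}


def refresh_after_expiry(workers: int = 20) -> int:
    """Two bursts separated by token expiry: the coalescing cache refreshes once more."""
    ep = FakeTokenEndpoint(latency=0.02, expires_in=0.05)
    cache = CoalescingTokenCache(ep, clock_skew=0.0)
    hammer(cache, workers)
    time.sleep(0.1)  # let the first token expire
    hammer(cache, workers)
    return ep.calls
```

`compare_caches()` reproduces the report: the racy cache turns one burst of callers into one token request per caller, while the coalescing cache makes a single request and hands the same token to everyone. In a reactive pipeline the same invariant is reached by sharing the one in-flight token request among concurrent subscribers rather than blocking threads on a lock, but the property worth pinning down in a test is identical: one /oauth2/token request per expiry, however many callers arrive together. The `clock_skew` margin matters in practice too, since refreshing slightly early avoids sending a token that expires while the request is in flight.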

Metadata

Assignees

No one assigned

Labels

in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: bug (A general bug)


Milestone

No milestone
