Description
Expected Behavior
Only save the client credentials token once in the InMemoryOAuth2AuthorizedClientService.
Current Behavior
The JWT token is saved for every principal (every user) in the InMemoryOAuth2AuthorizedClientService, resulting in a memory leak.
Context
I’m developing a service which is both a resource server and a client to other HTTP APIs.
I’m using Spring Boot and, by extension, Spring Security and WebClient.
I use client credentials when it comes to communicating with other APIs.
My application had a memory leak issue and I found out that it was because I was using an InMemoryOAuth2AuthorizedClientService, since it’s the default that comes with Spring Boot (documented here: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#web.security.oauth2.client and not recommended).
The way the OAuth2AuthorizedClientService behaves in my app is that it will save, for every principal (meaning every user) that comes from my controller, a new JWT token retrieved with the client credentials configuration. It results in a memory leak since it saves this in memory.
Is this behavior on purpose? What is the concept behind it that is probably out of my sight?
The only clean alternative I saw documented was to use a JdbcOAuth2AuthorizedClientService, which is pretty heavy. Are there other alternatives?
Thank you
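
As an added example (not code from this issue or from Spring Security), here is one way to get the expected behavior described above: a small OAuth2AuthorizedClientService that keys client_credentials tokens by registration id only. The class name is hypothetical, and it assumes the class is registered as the application's OAuth2AuthorizedClientService bean, wrapping whatever service handles the other grant types.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

// Added example: hypothetical class, not part of Spring Security.
// A client_credentials token is issued to the application, not to the calling user,
// so it is stored once per registration id; every other grant goes to the delegate.
public class SharedClientCredentialsAuthorizedClientService implements OAuth2AuthorizedClientService {

    private final OAuth2AuthorizedClientService delegate;
    // At most one entry per configured client registration, so the map cannot grow with users.
    private final Map<String, OAuth2AuthorizedClient> shared = new ConcurrentHashMap<>();

    public SharedClientCredentialsAuthorizedClientService(OAuth2AuthorizedClientService delegate) {
        this.delegate = delegate;
    }

    @Override
    @SuppressWarnings("unchecked")
    public <T extends OAuth2AuthorizedClient> T loadAuthorizedClient(
            String clientRegistrationId, String principalName) {
        // principalName is ignored for shared entries; do not rely on the stored
        // client's getPrincipalName() for auditing, it is whoever saved it last.
        OAuth2AuthorizedClient client = this.shared.get(clientRegistrationId);
        if (client != null) {
            return (T) client;
        }
        return this.delegate.loadAuthorizedClient(clientRegistrationId, principalName);
    }

    @Override
    public void saveAuthorizedClient(OAuth2AuthorizedClient authorizedClient, Authentication principal) {
        var registration = authorizedClient.getClientRegistration();
        if (AuthorizationGrantType.CLIENT_CREDENTIALS.equals(registration.getAuthorizationGrantType())) {
            // A renewed token overwrites the old one instead of adding a per-user entry.
            this.shared.put(registration.getRegistrationId(), authorizedClient);
        } else {
            this.delegate.saveAuthorizedClient(authorizedClient, principal);
        }
    }

    @Override
    public void removeAuthorizedClient(String clientRegistrationId, String principalName) {
        if (this.shared.remove(clientRegistrationId) == null) {
            this.delegate.removeAuthorizedClient(clientRegistrationId, principalName);
        }
    }
}
```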