fix: [Connectivity] Change default token cache duration to 1hr (SAP#861)

Co-authored-by: Roshin Rajan Panackal <[email protected]>
Co-authored-by: Matthias Kuhr <[email protected]>

Author: rpanackal

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java

@@ -3,6 +3,7 @@
 import static com.sap.cloud.security.xsuaa.util.UriUtil.expandPath;
 
 import java.net.URI;
+import java.time.Duration;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
@@ -39,6 +40,7 @@
 import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
 import com.sap.cloud.security.xsuaa.client.OAuth2TokenResponse;
 import com.sap.cloud.security.xsuaa.client.OAuth2TokenService;
+import com.sap.cloud.security.xsuaa.tokenflows.TokenCacheConfiguration;
 
 import io.vavr.CheckedFunction0;
 import io.vavr.control.Try;
@@ -101,8 +103,10 @@ OAuth2TokenService getTokenService( @Nullable final String tenantId )
     @Nonnull
     private OAuth2TokenService createTokenService( @Nonnull final CacheKey ignored )
     {
+        final var tokenCacheConfiguration =
+            TokenCacheConfiguration.getInstance(Duration.ofHours(1), 1000, Duration.ofSeconds(30), false);
         if( !(identity instanceof ZtisClientIdentity) ) {
-            return new DefaultOAuth2TokenService(HttpClientFactory.create(identity));
+            return new DefaultOAuth2TokenService(HttpClientFactory.create(identity), tokenCacheConfiguration);
         }
 
         final DefaultHttpDestination destination =
@@ -115,7 +119,9 @@ private OAuth2TokenService createTokenService( @Nonnull final CacheKey ignored )
                 .keyStore(((ZtisClientIdentity) identity).getKeyStore())
                 .build();
         try {
-            return new DefaultOAuth2TokenService((CloseableHttpClient) HttpClientAccessor.getHttpClient(destination));
+            return new DefaultOAuth2TokenService(
+                (CloseableHttpClient) HttpClientAccessor.getHttpClient(destination),
+                tokenCacheConfiguration);
         }
         catch( final ClassCastException e ) {
             final String msg =
@@ -214,6 +220,10 @@ private void setAppTidInCaseOfIAS( @Nullable final String tenantId )
             // the IAS property supplier will have set this to the provider ID by default
             // we have to override it here to match the current tenant, if the current tenant is defined
             additionalParameters.put("app_tid", tenantId);
+            if( onBehalfOf == OnBehalfOf.NAMED_USER_CURRENT_TENANT ) {
+                // workaround until a fix is provided by IAS
+                additionalParameters.put("refresh_token", "0");
+            }
         }
     }
 

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2ServiceTest.java

@@ -226,6 +226,7 @@ void testSubdomainTenantStrategy()
                     1,
                     postRequestedFor(urlEqualTo("/oauth/token"))
                         .withRequestBody(containing("app_tid=tenant"))
+                        .withRequestBody(containing("refresh_token=0"))
                         .withRequestBody(
                             containing("grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer".replace(":", "%3A")))
                         .withRequestBody(containing("assertion=" + token)));

release_notes.md

@@ -16,9 +16,11 @@
 
 ### 📈 Improvements
 
-- 
+- Relax OAuth2 token cache duration to 1hr to avoid unnecessary token refreshes.
+- Disable refresh tokens when obtaining user tokens from IAS.
+  This acts as a workaround for a limitation of IAS, where obtaining a refresh token invalidates the original token.
 
 ### 🐛 Fixed Issues
 
 - OData v2 and OData v4: Fixes eager HTTP response evaluation for _Create_, _Update_, and _Delete_ request builders in convenience APIs.
-  Previous change of `5.20.0` may have resulted in the HTTP connection being left open after the request was executed.
+  Previous change of `5.20.0` may have resulted in the HTTP connection being left open after the request was executed.