Show the use of token properties in authorization server clients configuration example

[OrangeDog]

Spring Authorization Server allows defining per-client token settings.
spring-projects/spring-authorization-server#1385 (comment)

However, Boot's OAuth2AuthorizationServerProperties does not expose this. I'd like to see something like this:

spring.security.oauth2.authorizationserver.client:
  my-client:
    client-id: 41fd9212-dc6f-4ced-a7a8-e6431a3f49da
    client-secret: '{noop}secret'
    tokens:
      authorization-code-time-to-live: 5m
      access-token-time-to-live: 10m
      access-token-format: reference
      reuse-refresh-tokens: false
      refresh-token-time-to-live: 28d

Possibly an ability to set a default for all clients too.

[wilkinsona]

As far as I can tell, we already have the per-client properties:

spring-boot/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java

Lines 459 to 488 in 05a9521

	/**
	* Time-to-live for an authorization code.
	*/
	private Duration authorizationCodeTimeToLive = Duration.ofMinutes(5);
	/**
	* Time-to-live for an access token.
	*/
	private Duration accessTokenTimeToLive = Duration.ofMinutes(5);
	/**
	* Token format for an access token.
	*/
	private String accessTokenFormat = "self-contained";
	/**
	* Time-to-live for a device code.
	*/
	private Duration deviceCodeTimeToLive = Duration.ofMinutes(5);
	/**
	* Whether refresh tokens are reused or a new refresh token is issued when
	* returning the access token response.
	*/
	private boolean reuseRefreshTokens = true;
	/**
	* Time-to-live for a refresh token.
	*/
	private Duration refreshTokenTimeToLive = Duration.ofMinutes(60);

The yaml to configure them would be something like this:

spring.security.oauth2.authorizationserver.client:
  my-client:
    token:
      authorization-code-time-to-live: 5m
      access-token-time-to-live: 10m
      access-token-format: reference
      reuse-refresh-tokens: false
      refresh-token-time-to-live: 28d

The metadata and documentation for them is lacking at the moment. #9945 will help with that in time.

[OrangeDog]

Ah I see, that's good news.
For some reason, my IDE (IDEA Ultimate) knows about the other client properties, but not token.

[wilkinsona]

I would report that to Jetbrains. As I understand it, they do not use the metadata but instead introspect the types to which the properties are bound. As such, I'd expect IDEA ultimate to be able to offer auto-complete for the token properties.

[wilkinsona]

We can improve the documentation by adding the token properties to the example in this existing section.

[wilkinsona]

#45019 has addressed this but only on main. We can use this issue to back port the changes to 3.3.x and 3.4.x.