Jmix 1.6.2 - over 200K records in oauth tables

I am using Jmix 1.6.2 and Jmix Studio 2.4.2-242.

I have a Jmix web app and am wondering why I am seeing so many records in the following oauth tables:
oauth_access_token (238,974 records)
oauth_refresh_token (240,056 records)

Each of those tables is over 2G of space in the database.

I have a mobile component that connects to my Jmix data via REST API.
But now I am wondering: why are those tables so large?

I DO NOT have the following properties in ‘application.properties’ set:
jmix.security.oauth2.client-token-expiration-time-sec
jmix.security.oauth2.client-refresh-token-expiration-time-sec

If those properties expire tokens, then why do my tables keep building up? They never decrease even though I am sure they have default values.
I have around 200 active user sessions.

Any ideas? Please help me, and thanks.

Hi Robert.

It looks like Spring is unable to bulk remove those tokens from the JDBC store. At least because the expiration date doesn’t exist as a separate column but is built into the serialized object.
It removes/replaces an expired token then works with it directly.

How many unique users do you have?

Regards,
Ivan

Found out that the current behavior actually generates tokens over and over without being able to remove them properly.

  • An existing token can’t be recycled by Spring because it can’t be found (due to unique ID generation).
  • Bulk cleanup via an SQL request is not available because of the table structure provided by Spring.

More details in the created issue: Application generates oauth tokens without proper cleanup · Issue #4120 · jmix-framework/jmix · GitHub

Regards,
Ivan
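
A simplified model of the two points in the reply above, added here as an illustration; it is not Jmix or Spring code. The table layout, the JSON blob standing in for the serialized token object, and the `unique_ids` switch that mixes a random value into the lookup key are all assumptions constructed for this sketch.

```python
import hashlib, json, sqlite3, uuid

def make_store():
    db = sqlite3.connect(":memory:")
    # Constructed table: no expiration column, expiry lives only inside the blob.
    db.execute("CREATE TABLE access_token (token_id TEXT, token BLOB, "
               "authentication_id TEXT, user_name TEXT)")
    return db

def login(db, user, now, ttl, unique_ids):
    # Assumption: with unique_ids=True a fresh random value enters the lookup
    # key, so the SELECT below can never match a previously stored row.
    salt = uuid.uuid4().hex if unique_ids else ""
    key = hashlib.sha256(f"{user}|{salt}".encode()).hexdigest()
    row = db.execute("SELECT token_id, token FROM access_token "
                     "WHERE authentication_id = ?", (key,)).fetchone()
    if row:
        if json.loads(row[1])["expires_at"] > now:
            return row[0]  # live token found: reuse it
        # expired token found: remove it before issuing a replacement
        db.execute("DELETE FROM access_token WHERE token_id = ?", (row[0],))
    token_id = uuid.uuid4().hex
    blob = json.dumps({"value": token_id, "expires_at": now + ttl}).encode()
    db.execute("INSERT INTO access_token VALUES (?, ?, ?, ?)",
               (token_id, blob, key, user))
    return token_id

def purge_expired(db, now):
    # No SQL predicate can see expires_at, so every blob is decoded in the
    # application and the expired rows are deleted by id.
    rows = db.execute("SELECT token_id, token FROM access_token").fetchall()
    expired = [(tid,) for tid, blob in rows
               if json.loads(blob)["expires_at"] <= now]
    db.executemany("DELETE FROM access_token WHERE token_id = ?", expired)
    return len(expired)

def count(db):
    return db.execute("SELECT COUNT(*) FROM access_token").fetchone()[0]

def simulate(unique_ids, users=3, logins=5, ttl=60):
    # Each user logs in every 100 time units; tokens live for `ttl` units.
    db = make_store()
    for step in range(logins):
        for u in range(users):
            login(db, f"user{u}", step * 100, ttl, unique_ids)
    return db

if __name__ == "__main__":
    print("stable key:", count(simulate(False)), "rows")
    print("unique key:", count(simulate(True)), "rows")
```

With a stable key the table holds one row per user; with a unique key every login adds a row, and only the row-by-row purge can shrink it.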

Thanks Ivan for that information!