I plan to use the Spring Security OAuth infrastructure as the base of an OAuth2 authorization server with access tokens, refresh tokens, and authorization codes.
By default, the framework uses Java serialization to store the additional authentication data (the authentication column) as a blob in the oauth_code, oauth_access_token, and oauth_refresh_token database tables.
I would like to start a discussion to find out the pros and cons of this approach, and I am interested to know if there are plans to change this.
Cons:
- Updating the framework version is not possible if the new version cannot deserialize data written by the previous version.
- Unnecessary data: the blob may contain data that is not needed at all (for example, the original request).
- Sensitive data: the blob may contain sensitive data such as user credentials.
- Data redundancy: the data is stored 3 times across the tables listed above.
- Data analysis: authentication data cannot be selected using simple SQL statements.
Pros:
- Extensibility: the data can be extended in a simple way without migrating the schema (useful when starting from scratch).
Alternative to the blob:
- Store the authentication data in a separate table (for example, oauth_authentication) with a column for each necessary piece of information (for example, user ID, client ID, scopes and ...) and a foreign key from oauth_code, oauth_access_token and oauth_refresh_token.
What could be the negative consequences of this alternative?
Many thanks!
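As an added illustration of the alternative described in the question (this is not code from the question or from Spring Security OAuth's own schema.sql), one way the normalized layout could look; all column names, types, the ON DELETE CASCADE choice and the sample values are assumptions:

```sql
-- Illustration of the proposed alternative; only the table names come from the question.
-- The blob is replaced by one row per authentication with typed columns.
CREATE TABLE oauth_authentication (
    authentication_id VARCHAR(256) PRIMARY KEY,  -- assumed: a key derived from client, user and scopes
    client_id         VARCHAR(256) NOT NULL,
    user_name         VARCHAR(256),              -- NULL for client_credentials grants
    scopes            VARCHAR(1024),             -- assumed: space-separated scope list
    authorities       VARCHAR(1024),             -- assumed: granted authorities, comma-separated
    created_at        TIMESTAMP NOT NULL
    -- deliberately no password and no raw request parameters (the "sensitive data" con above)
);

-- Each token table keeps only the token and a foreign key, so the authentication
-- data is stored once instead of three times (the "data redundancy" con above).
CREATE TABLE oauth_access_token (
    token_id          VARCHAR(256) PRIMARY KEY,
    token_hash        CHAR(64) NOT NULL,         -- assumed: SHA-256 of the token value, not the token itself
    expires_at        TIMESTAMP NOT NULL,
    authentication_id VARCHAR(256) NOT NULL
        REFERENCES oauth_authentication(authentication_id) ON DELETE CASCADE
);

CREATE TABLE oauth_refresh_token (
    token_id          VARCHAR(256) PRIMARY KEY,
    token_hash        CHAR(64) NOT NULL,
    expires_at        TIMESTAMP,
    authentication_id VARCHAR(256) NOT NULL
        REFERENCES oauth_authentication(authentication_id) ON DELETE CASCADE
);

CREATE TABLE oauth_code (
    code_hash         CHAR(64) PRIMARY KEY,
    expires_at        TIMESTAMP NOT NULL,
    authentication_id VARCHAR(256) NOT NULL
        REFERENCES oauth_authentication(authentication_id) ON DELETE CASCADE
);

-- The "data analysis" con above becomes plain SQL: which live access tokens does a user hold?
SELECT t.token_id, a.client_id, a.scopes, t.expires_at
  FROM oauth_access_token t
  JOIN oauth_authentication a ON a.authentication_id = t.authentication_id
 WHERE a.user_name = 'alice'                     -- constructed sample value
   AND t.expires_at > CURRENT_TIMESTAMP;

-- Revoking everything issued to one client cascades to all three token tables in one statement.
DELETE FROM oauth_authentication WHERE client_id = 'client-to-revoke';   -- constructed sample value
```

Storing a hash of the token value rather than the token itself is an extra choice of this illustration, not something the question raises; it limits what a read-only database leak exposes.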