From f0c92a15d6dff085a60887bc0b4fb85e50463f1f Mon Sep 17 00:00:00 2001
From: Douglas Lee
Date: Mon, 20 Mar 2023 14:49:40 +0800
Subject: [PATCH 1/4] fix(plugin/oauth2): oauth2 token was being cached to nil while access to the wrong service first
---
 kong/plugins/oauth2/access.lua | 45 ++++++++------------
 spec/03-plugins/25-oauth2/03-access_spec.lua | 24 +++++++++++
 2 files changed, 41 insertions(+), 28 deletions(-)
diff --git a/kong/plugins/oauth2/access.lua b/kong/plugins/oauth2/access.lua
index 2c47fd12ed2b..9b7c75f499bd 100644
--- a/kong/plugins/oauth2/access.lua
+++ b/kong/plugins/oauth2/access.lua
@@ -785,47 +785,36 @@ local function issue_token(conf) end -local function load_token(conf, service, access_token) - local credentials, err = - kong.db.oauth2_tokens:select_by_access_token(access_token) +local function load_token(access_token) + return kong.db.oauth2_tokens:select_by_access_token(access_token) +end - if err then - return nil, err + +local function retrieve_token(conf, access_token) + if not access_token then + return end - if not credentials then + local token_cache_key = kong.db.oauth2_tokens:cache_key(access_token) + local token, err = kong.cache:get(token_cache_key, nil, load_token, access_token) + if err then + return error(err) + end + if not token then return end if not conf.global_credentials then - if not credentials.service then + if not token.service then return kong.response.exit(401, { [ERROR] = "invalid_token", error_description = "The access token is global, but the current " .. - "plugin is configured without 'global_credentials'", + "plugin is configured without 'global_credentials'", }) end - if credentials.service.id ~= service.id then - credentials = nil - end - end - - return credentials -end - - -local function retrieve_token(conf, access_token) - local token, err - - if access_token then - local token_cache_key = kong.db.oauth2_tokens:cache_key(access_token) - token, err = kong.cache:get(token_cache_key, nil, - load_token, conf, - kong.router.get_service(), - access_token) - if err then - return error(err) + if token.service.id ~= kong.router.get_service().id then + return nil end end
diff --git a/spec/03-plugins/25-oauth2/03-access_spec.lua b/spec/03-plugins/25-oauth2/03-access_spec.lua
index c8095b93ab82..b0e0f0b1a6cb 100644
--- a/spec/03-plugins/25-oauth2/03-access_spec.lua
+++ b/spec/03-plugins/25-oauth2/03-access_spec.lua
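Review bot: The new service comparison dereferences `kong.router.get_service().id` with no nil check, so if retrieve_token can run on a route that has no service attached, the request dies with an attempt-to-index-nil error instead of the clean `return nil` rejection the branch intends; the removed code had the same exposure through its `service.id`, but this rewrite is the place to close it with `local service = kong.router.get_service()` followed by `if not service or token.service.id ~= service.id then return nil end`. The reason the comparison now lives here and not in load_token is the substance of the fix and deserves a comment so a later refactor does not move it back into the callback: `-- keep the service check outside load_token: kong.cache:get stores whatever the callback returns, so a nil produced for a cross-service request would be served to every later request for this token`. retrieve_token's body continues past the end of the hunk.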
@@ -3087,6 +3087,30 @@ describe("Plugin: oauth2 [#" .. strategy .. "]", function() assert.are.equal(7, data.expires_in) assert.falsy(data.refresh_token) end) + it("test", function() + local token = provision_token() + + -- hit the wrong service first, should return 401 + local res = assert(proxy_ssl_client:send { + method = "GET", + path = "/request?access_token=" .. token.access_token, + headers = { + ["Host"] = "oauth2_3.com" + } + }) + assert.res_status(401, res) + + -- hit the right service later, should return 200 + local res = assert(proxy_ssl_client:send { + method = "GET", + path = "/request?access_token=" .. token.access_token, + headers = { + ["Host"] = "oauth2.com" + } + }) + assert.res_status(200, res) + end) + describe("Global Credentials", function() it("does not access two different APIs that are not sharing global credentials", function() local token = provision_token("oauth2_8.com")
From f12e3edb479689632360000fbe8defe8a9bbd721 Mon Sep 17 00:00:00 2001
From: Douglas Lee
Date: Mon, 20 Mar 2023 14:52:42 +0800
Subject: [PATCH 2/4] add entry
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e3ca8ce2b83..f97c08071ddf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -124,6 +124,10 @@ - Fix an issue where empty value of URI argument `custom_id` crashes `/consumer`. [#10475](https://github.com/Kong/kong/pull/10475) +#### Plugins +- **OAuth2**: OAuth2 token was being cached to nil while access to the wrong service first. + [#10522](https://github.com/Kong/kong/pull/10522) + ### Changed #### Core
From bb0eb80c075fa2053845401777b0e97d2bc8503c Mon Sep 17 00:00:00 2001
From: Douglas Lee
Date: Tue, 21 Mar 2023 11:28:43 +0800
Subject: [PATCH 3/4] adjust for code review
---
 kong/plugins/oauth2/access.lua | 4 ----
 spec/03-plugins/25-oauth2/03-access_spec.lua | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)
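Review bot: `local res` is declared twice in the same block of the new spec, which luacheck reports as a redefinition of an existing local; the second request should assign to the first, `res = assert(proxy_ssl_client:send {`, or a single `local res` should precede both requests. The test only proves the fix because the token is freshly provisioned and therefore not yet in kong.cache when the wrong host is hit, and that precondition is easy to lose if a later edit shares one token across tests; a one-line comment such as `-- the token must be freshly provisioned so the first lookup goes through the cache callback` above the first request would record it. The enclosing describe block starts and ends outside the hunk.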
diff --git a/kong/plugins/oauth2/access.lua b/kong/plugins/oauth2/access.lua
index 9b7c75f499bd..2f4c0b93b80b 100644
--- a/kong/plugins/oauth2/access.lua
+++ b/kong/plugins/oauth2/access.lua
@@ -791,10 +791,6 @@ end local function retrieve_token(conf, access_token) - if not access_token then - return - end - local token_cache_key = kong.db.oauth2_tokens:cache_key(access_token) local token, err = kong.cache:get(token_cache_key, nil, load_token, access_token) if err then
diff --git a/spec/03-plugins/25-oauth2/03-access_spec.lua b/spec/03-plugins/25-oauth2/03-access_spec.lua
index b0e0f0b1a6cb..4f6d048339b7 100644
--- a/spec/03-plugins/25-oauth2/03-access_spec.lua
+++ b/spec/03-plugins/25-oauth2/03-access_spec.lua
@@ -3087,7 +3087,7 @@ describe("Plugin: oauth2 [#" .. strategy .. "]", function() assert.are.equal(7, data.expires_in) assert.falsy(data.refresh_token) end) - it("test", function() + it("returns success while accessing the correct service after accessing the wrong service first", function() local token = provision_token() -- hit the wrong service first, should return 401
From 1665d3024fe62b5399d68bc71e1d33709dd20b48 Mon Sep 17 00:00:00 2001
From: "Qirui(Keery) Nie"
Date: Sun, 9 Apr 2023 16:54:57 +0800
Subject: [PATCH 4/4] Update CHANGELOG.md
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7daf5ae79345..bb31f0fa7cdb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -174,7 +174,7 @@ [10539](https://github.com/Kong/kong/pull/10539) - **Request Transformer**: honor value of untrusted_lua configuration parameter [#10327](https://github.com/Kong/kong/pull/10327) -- **OAuth2**: OAuth2 token was being cached to nil while access to the wrong service first. +- **OAuth2**: fix an issue that OAuth2 token was being cached to nil while access to the wrong service first. [#10522](https://github.com/Kong/kong/pull/10522) #### PDK