fix(plugins/oauth2): OAuth2 token was being cached to nil while access to the wrong service first

CHANGELOG.md

@@ -174,6 +174,8 @@
   [10539](https://github.com/Kong/kong/pull/10539)
 - **Request Transformer**: honor value of untrusted_lua configuration parameter
   [#10327](https://github.com/Kong/kong/pull/10327)
+- **OAuth2**: OAuth2 token was being cached to nil while access to the wrong service first.
+  [#10522](https://github.com/Kong/kong/pull/10522)  
 
 #### PDK
 

kong/plugins/oauth2/access.lua

@@ -785,47 +785,32 @@ local function issue_token(conf)
 end
 
 
-local function load_token(conf, service, access_token)
-  local credentials, err =
-    kong.db.oauth2_tokens:select_by_access_token(access_token)
+local function load_token(access_token)
+  return kong.db.oauth2_tokens:select_by_access_token(access_token)
+end
+
 
+local function retrieve_token(conf, access_token)
+  local token_cache_key = kong.db.oauth2_tokens:cache_key(access_token)
+  local token, err = kong.cache:get(token_cache_key, nil, load_token, access_token)
   if err then
-    return nil, err
+    return error(err)
   end
-
-  if not credentials then
+  if not token then
     return
   end
 
   if not conf.global_credentials then
-    if not credentials.service then
+    if not token.service then
       return kong.response.exit(401, {
         [ERROR] = "invalid_token",
         error_description = "The access token is global, but the current " ..
-                            "plugin is configured without 'global_credentials'",
+          "plugin is configured without 'global_credentials'",
       })
     end
 
-    if credentials.service.id ~= service.id then
-      credentials = nil
-    end
-  end
-
-  return credentials
-end
-
-
-local function retrieve_token(conf, access_token)
-  local token, err
-
-  if access_token then
-    local token_cache_key = kong.db.oauth2_tokens:cache_key(access_token)
-    token, err = kong.cache:get(token_cache_key, nil,
-                                load_token, conf,
-                                kong.router.get_service(),
-                                access_token)
-    if err then
-      return error(err)
+    if token.service.id ~= kong.router.get_service().id then
+      return nil
     end
   end
 

spec/03-plugins/25-oauth2/03-access_spec.lua

@@ -3087,6 +3087,30 @@ describe("Plugin: oauth2 [#" .. strategy .. "]", function()
         assert.are.equal(7, data.expires_in)
         assert.falsy(data.refresh_token)
       end)
+      it("returns success while accessing the correct service after accessing the wrong service first", function()
+        local token = provision_token()
+
+        -- hit the wrong service first, should return 401
+        local res = assert(proxy_ssl_client:send {
+          method  = "GET",
+          path    = "/request?access_token=" .. token.access_token,
+          headers = {
+            ["Host"] = "oauth2_3.com"
+          }
+        })
+        assert.res_status(401, res)
+
+        -- hit the right service later, should return 200
+        local res = assert(proxy_ssl_client:send {
+          method  = "GET",
+          path    = "/request?access_token=" .. token.access_token,
+          headers = {
+            ["Host"] = "oauth2.com"
+          }
+        })
+        assert.res_status(200, res)
+      end)
+
       describe("Global Credentials", function()
         it("does not access two different APIs that are not sharing global credentials", function()
           local token = provision_token("oauth2_8.com")