What is the strategy to handle transactions in Spring Authorization Server?


I have a bare-bones Spring Authorization Server example up and running, and I have wired in JDBC-based user, client and authorization persistence.

So I am reading through the code, and around about the bit of the authorization code provider that invalidates a code that has been used, there is a race condition if the database runs with autocommit on - it is conceivable that another thread might get to read a valid token in between the if test checking if the authorization code is valid and persisting an invalid state. AFAICT the only way to avoid this kind of race condition is to properly demarcate transaction boundaries to ensure atomic operation.

I have set hikari.auto-commit: false in my application config and confirmed that my previously working tests started failing.

I tried to find something in the documentation about how you would like users to approach transactions, but I haven't found anything. Some guidance would be appreciated.

There are 0 answers
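
The check-then-act interleaving the question describes under autocommit, shown beside one common remedy: a single conditional UPDATE whose affected-row count decides which request wins. This is an added example, not code from the post or from Spring Authorization Server; the `auth_code` table, its columns and the function names are constructed, and SQLite stands in for the JDBC database.

```python
import os
import sqlite3
import tempfile

# Constructed schema for illustration; not Spring Authorization Server's tables.
SCHEMA = "CREATE TABLE auth_code (code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)"


def connect(path):
    # isolation_level=None is sqlite3's autocommit mode: every statement
    # commits on its own, like a pool running with auto-commit on.
    return sqlite3.connect(path, isolation_level=None)


def is_valid(conn, code):
    row = conn.execute("SELECT used FROM auth_code WHERE code = ?", (code,)).fetchone()
    return row is not None and row[0] == 0


def invalidate(conn, code):
    conn.execute("UPDATE auth_code SET used = 1 WHERE code = ?", (code,))


def redeem_atomic(conn, code):
    # Test and state change in one statement: writers are serialised by the
    # database, and only the first one can still match "used = 0".
    cur = conn.execute(
        "UPDATE auth_code SET used = 1 WHERE code = ? AND used = 0", (code,))
    return cur.rowcount == 1


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "codes.db")
        a, b = connect(path), connect(path)  # two concurrent token requests
        a.execute(SCHEMA)
        a.execute("INSERT INTO auth_code (code) VALUES ('c1'), ('c2')")
        # Check-then-act: both requests pass the validity test before
        # either invalidation is written, so both would be issued tokens.
        naive = (is_valid(a, "c1"), is_valid(b, "c1"))
        invalidate(a, "c1")
        invalidate(b, "c1")
        # Conditional update: the second redemption of the same code fails.
        atomic = (redeem_atomic(a, "c2"), redeem_atomic(b, "c2"))
        a.close()
        b.close()
    return naive, atomic


if __name__ == "__main__":
    print(run_demo())
```

The interleaving is driven by hand rather than by threads so the outcome is deterministic on every run.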