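/**
 * A client_credentials token obtained with a client's original secret must be
 * rejected by {@code /check_token} after that client's secrets are rotated
 * (a new secret is added and a secret is deleted).
 *
 * <p>Flow: create a client, obtain a token with its current secret, add a
 * second secret and delete one, then introspect the old token as the
 * {@code app} client. The endpoint is expected to answer 400 with the error
 * code {@code invalid_token} and the message
 * {@code "revocable signature mismatch"}.
 *
 * @throws Exception if the MockMvc calls or JSON handling fail
 */
@Test
void validateOldTokenAfterDeleteClientSecret() throws Exception {
    String clientId = "testclient" + generator.generate();
    String scopes = "space.*.developer,space.*.admin,org.*.reader,org.123*.admin,*.*,*";
    setUpClients(clientId, scopes, scopes, GRANT_TYPES, true);

    // Obtain a token while the original secret is still in force.
    String tokenResponse = mockMvc.perform(post("/oauth/token")
            .accept(MediaType.APPLICATION_JSON_VALUE)
            .with(httpBasic(clientId, SECRET))
            .param("grant_type", "client_credentials")
            .param("client_id", clientId)
            .param("client_secret", SECRET))
            .andExpect(status().isOk())
            .andReturn().getResponse().getContentAsString();
    Map<String, Object> tokenBody = JsonUtils.readValue(tokenResponse, new TypeReference<Map<String, Object>>() {
    });
    String accessToken = (String) tokenBody.get("access_token");
    assertNotNull(accessToken);

    // Rotate the client's secrets: add a replacement, then delete one
    // (presumably the original the token was issued under — verify against
    // deleteClientSecret's semantics).
    String zoneId = IdentityZoneHolder.get().getId();
    clientDetailsService.addClientSecret(clientId, "newSecret", zoneId);
    clientDetailsService.deleteClientSecret(clientId, zoneId);

    // Introspect the old token as the "app" client. httpBasic(...) is used
    // here for consistency with the token request above; it produces the
    // "Authorization: Basic ..." header without a hand-rolled Base64 and
    // platform-default charset conversion.
    MockHttpServletResponse response = mockMvc.perform(post("/check_token")
            .with(httpBasic("app", "appclientsecret"))
            .param("token", accessToken))
            .andExpect(status().isBadRequest())
            .andReturn().getResponse();

    // The error payload is the revocation-specific exception type, so declare
    // the local as that type rather than the broader InvalidTokenException.
    TokenRevokedException revoked = JsonUtils.readValue(response.getContentAsString(), TokenRevokedException.class);
    assertEquals("invalid_token", revoked.getOAuth2ErrorCode());
    assertEquals("revocable signature mismatch", revoked.getMessage());
}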