Hi, when using OAuthProvider is there a way to configure it so that the filter validates the (previously) "persisted" token? (e.g. token received from a secure cookie) From what I can see it just seems to check whether there is a non-null token, then is happy to continue the filter chain, what am I missing?

traditionally this is done in the retrieveToken call in the OauthPersistence.

Oh I see, not ideal though since the persistence layer now has to know also how to verify signatures and all other stuff. Trade offs 🙂

that object is also the one that retrieves and assigns the token, so at the time it was probably the easiest place. the security module isn't the easiest one to use tbh 🤷 (although if you've ever tried spring security... 😂 )