The code to make sure a token was passed in is there, but OAuthConsumer#setTokenWithSecret(...) is never called.
This was masked by GRAILSPLUGINS-2437 because calling OAuthProvider#retrieveAccessToken(...) (from OauthService#fetchAccessToken(...)) set the access token on the OAuthConsumer for us.
However, there were cases where OauthService#accessResource(...) would break:
- In development mode, any reload of OauthService would re-create the OAuthConsumer objects, causing the OAuthConsumer to not have an access key set (causing authentication failures).
In addition, I believe – but have not confirmed – that the following cases also cause issues:
- If you reload your app and try to call OauthService#accessResource() with a previously-persisted access token/secret, authentication would fail (because OAuthConsumer was only having its token set during the initial fetching of request/access tokens. App reloads would cause OAuthConsumer to not have a access token/secret)
- If one user walks through the authentication process (causing the access token to be set for us by OAuthProvider#retrieveAccessToken), then a second user walks through the authentication process, the OAuthConsumer's access key would be set to the second user's access key. All calls to accessResource() by the first user would then use the second user's authentication token/secret.