Github user ilgrosso commented on the issue:
    @IsurangaPerera I don't remember the details, but what I can see from the 
source three is that `AccessTokenDataBinderImpl#create` is invoked in two 
 (plain login)
 (SAML 2.0 login)
    The former provides `replaceExisting` as `false`, the latter as `true`.
    From the code in `AccessTokenDataBinderImpl#create` I can see that:
    * for plain login, JWT is generated only at first invocation
    * for SAML 2.0 login, JWT is generated at every invocation, and existing 
JWT is replaced if existing
    Moreover, I cannot recall exactly why the UNIQUE constraint is not imposed 
to AccessToken's `owner`.


Reply via email to