From e092c78acb1a6e3cd777f9adf75c3d1984fc1893 Mon Sep 17 00:00:00 2001
From: Daniel Garnier-Moiroux <daniel.garnier-moiroux@broadcom.com>
Date: Thu, 5 Feb 2026 15:31:29 +0100
Subject: [PATCH] Fix client credentials grant token invalidation

- Fixes gh-1335
- Cherry-picked from 5.x.x branch (6c81106cb75faf2bd30eebd5232fbc9469eff6ab)

Signed-off-by: Daniel Garnier-Moiroux <daniel.garnier-moiroux@broadcom.com>
---
 .../reactor/tokenprovider/AbstractUaaTokenProvider.java     | 2 +-
 .../tokenprovider/_ClientCredentialsGrantTokenProvider.java | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/AbstractUaaTokenProvider.java b/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/AbstractUaaTokenProvider.java
index 6cfc85a486..10e34a4b0b 100644
--- a/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/AbstractUaaTokenProvider.java
+++ b/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/AbstractUaaTokenProvider.java
@@ -74,7 +74,7 @@ public abstract class AbstractUaaTokenProvider implements TokenProvider {
 
     private static final ZoneId UTC = ZoneId.of("UTC");
 
-    private final ConcurrentMap<ConnectionContext, Mono<String>> accessTokens =
+    protected final ConcurrentMap<ConnectionContext, Mono<String>> accessTokens =
             new ConcurrentHashMap<>(1);
 
     private final ConcurrentMap<ConnectionContext, RefreshToken> refreshTokenStreams =
diff --git a/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/_ClientCredentialsGrantTokenProvider.java b/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/_ClientCredentialsGrantTokenProvider.java
index bd7a7061db..2bbbbaa101 100644
--- a/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/_ClientCredentialsGrantTokenProvider.java
+++ b/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/_ClientCredentialsGrantTokenProvider.java
@@ -16,6 +16,7 @@
 
 package org.cloudfoundry.reactor.tokenprovider;
 
+import org.cloudfoundry.reactor.ConnectionContext;
 import org.cloudfoundry.reactor.TokenProvider;
 import org.immutables.value.Value;
 import reactor.netty.http.client.HttpClientForm;
@@ -36,4 +37,9 @@ void tokenRequestTransformer(HttpClientRequest request, HttpClientForm form) {
             .attr("response_type", "token");
     }
 
+    @Override
+    public void invalidate(ConnectionContext connectionContext) {
+        this.accessTokens.remove(connectionContext);
+    }
+
 }