When authentication requests for a given client trickle in at a rate faster then the access token lifetime, oxauth will eventually become unresponsive. I have tracked down the cause of this issue to some problematic code in the GrantService which remains unchanged in Gluu 4.2 which likely also contains this issue. The following code in the GrantService is fetching the cache of all tokens for a given client, appending the newly created token and then pushing the set of tokens back to the cache with the expiration of the current token. This carries multiple issues: https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/gluu/oxauth/service/GrantService.java#L142 1. This is not an atomic operation. This causes race conditions where multiple simultaneous authentication requests for the same client will result in some of their access tokens not stored in this cache. **2. Other tokens in this cache which may have expired are placed back in the cache with the expiration of the most recent access token. Unless this hashset of tokens is allowed to expire, it will continue to grow until either a timeout is reached when fetching this cache key or the server runs out of heap space attempting to deserialize. I have encountered both.** The current workaround is to disable entry into this section of code by setting the following: UseCacheForAllImplicitFlowObjects=FALSE PersistIdTokenInLdap=TRUE PersistRefreshTokenInLdap=TRUE