Support refresh token for Token Exchange #15534

Closed
icruces opened this issue Aug 7, 2024 · 6 comments
Assignees: sjohnr
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)
Milestone: 6.4.0-RC1

Comments

icruces commented Aug 7, 2024

I have recently integrated Token Exchange into my project as I need to perform long-lived background tasks on behalf of the user. It exchanges the original access token from the user authentication for another with offline_access, which needs to be refreshed periodically (Keycloak).

Unfortunately, the current implementation of TokenExchangeOAuth2AuthorizedClientProvider doesn't support the refresh_token token type.

I managed to implement a custom version of the Token Exchange provider to support this and make it compatible with the Refresh Token provider, but it would be good to have it built into Spring Security as it is a common case.

@icruces icruces added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Aug 7, 2024
@sjohnr sjohnr self-assigned this Sep 18, 2024
sjohnr (Member) commented Sep 18, 2024

@icruces, thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Having said that, I wonder if you are using an AuthorizedClientServiceOAuth2AuthorizedClientManager composed of TokenExchangeOAuth2AuthorizedClientProvider and RefreshTokenOAuth2AuthorizedClientProvider? I'm going to close this issue, but feel free to add additional comments.

@sjohnr sjohnr closed this as completed Sep 18, 2024
@sjohnr sjohnr added for: stackoverflow A question that's better suited to stackoverflow.com and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Sep 18, 2024
icruces (Author) commented Sep 18, 2024

@sjohnr thanks for the reply. I was actually asking for an enhancement. The TokenExchangeOAuth2AuthorizedClientProvider is not compatible with RefreshTokenOAuth2AuthorizedClientProvider, as the OAuth2AuthorizedClient created by the former doesn't carry the refresh token:

    // TokenExchangeOAuth2AuthorizedClientProvider source code
    @Override
    @Nullable
    public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
        ...
        // tokenResponse.getRefreshToken() is not passed to the constructor, so it is discarded
        return new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(),
                tokenResponse.getAccessToken());
    }

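One way to keep the refresh token so that the Refresh Token provider can renew the exchanged token later, as an added example that is not part of this issue, the reporter's custom provider, or Spring Security's own code. It assumes the Spring Security 6.3 token-exchange client API (AuthorizationGrantType.TOKEN_EXCHANGE, TokenExchangeGrantRequest, DefaultTokenExchangeTokenResponseClient) and Java 17; the class name RefreshTokenAwareTokenExchangeProvider and the authorizedClientManager wiring method are hypothetical names chosen for this example.

```java
import java.time.Clock;
import java.time.Duration;
import java.util.function.Function;

import org.springframework.lang.Nullable;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.endpoint.DefaultTokenExchangeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.TokenExchangeGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.util.Assert;

/**
 * Hypothetical token-exchange provider (example code, not Spring Security's) that stores the
 * refresh_token returned by the authorization server on the OAuth2AuthorizedClient, so that
 * RefreshTokenOAuth2AuthorizedClientProvider can renew it without the original subject token.
 */
public final class RefreshTokenAwareTokenExchangeProvider implements OAuth2AuthorizedClientProvider {

    private final OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenResponseClient;
    private final Function<OAuth2AuthorizationContext, OAuth2Token> subjectTokenResolver;
    private final Clock clock = Clock.systemUTC();
    private final Duration clockSkew = Duration.ofSeconds(60);

    public RefreshTokenAwareTokenExchangeProvider(
            OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenResponseClient) {
        // Default subject token: the authenticated principal when it is itself an OAuth2Token
        // (e.g. the Jwt inside a JwtAuthenticationToken); otherwise there is nothing to exchange.
        this(tokenResponseClient, (context) ->
                (context.getPrincipal().getPrincipal() instanceof OAuth2Token token) ? token : null);
    }

    public RefreshTokenAwareTokenExchangeProvider(
            OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenResponseClient,
            Function<OAuth2AuthorizationContext, OAuth2Token> subjectTokenResolver) {
        Assert.notNull(tokenResponseClient, "tokenResponseClient cannot be null");
        Assert.notNull(subjectTokenResolver, "subjectTokenResolver cannot be null");
        this.tokenResponseClient = tokenResponseClient;
        this.subjectTokenResolver = subjectTokenResolver;
    }

    @Override
    @Nullable
    public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
        Assert.notNull(context, "context cannot be null");
        ClientRegistration clientRegistration = context.getClientRegistration();
        if (!AuthorizationGrantType.TOKEN_EXCHANGE.equals(clientRegistration.getAuthorizationGrantType())) {
            return null; // not a token-exchange registration; let the next provider in the chain decide
        }
        OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
        if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
            return null; // the current access token is still valid
        }
        if (authorizedClient != null && authorizedClient.getRefreshToken() != null) {
            // Expired but refreshable: leave it to RefreshTokenOAuth2AuthorizedClientProvider instead of
            // re-exchanging, since in a background task the original subject token may itself have expired.
            return null;
        }
        OAuth2Token subjectToken = this.subjectTokenResolver.apply(context);
        if (subjectToken == null) {
            return null;
        }
        TokenExchangeGrantRequest grantRequest =
                new TokenExchangeGrantRequest(clientRegistration, subjectToken, null);
        OAuth2AccessTokenResponse tokenResponse = this.tokenResponseClient.getTokenResponse(grantRequest);
        // The point of this class: hand the refresh token to the authorized client instead of dropping it.
        return new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(),
                tokenResponse.getAccessToken(), tokenResponse.getRefreshToken());
    }

    private boolean hasTokenExpired(OAuth2Token token) {
        return token.getExpiresAt() != null
                && this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
    }

    /** Hypothetical wiring for background work: refresh first, exchange only when nothing is refreshable. */
    public static AuthorizedClientServiceOAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientService authorizedClientService) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .refreshToken()
                .provider(new RefreshTokenAwareTokenExchangeProvider(new DefaultTokenExchangeTokenResponseClient()))
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }
}
```

The provider order in the builder matters: with refreshToken() first, an expired client that carries a refresh token is renewed at the token endpoint using the exchange client's own credentials, and the exchange provider only runs when there is no stored client at all. Whether a refresh token is issued at all depends on the authorization server; for the Keycloak case in this issue that means the token-exchange client registration must request the offline_access scope.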
sjohnr (Member) commented Sep 18, 2024

Hi @icruces. I'm not able to determine from the information you've provided whether you have tried setting things up correctly to have refresh tokens work. They should work if you are using OAuth2AuthorizedClientManager correctly. At the current time I don't believe the enhancement is needed and suspect that things are not set up correctly on your end. If you can provide a minimal example that demonstrates what you've tried, I will be able to either suggest what you are missing, or determine where an enhancement is required and we can go from there.

sjohnr (Member) commented Sep 19, 2024

@icruces thank you for bringing this up. I see in the spec (Section 2.2.1) that refresh tokens can be returned in offline access scenarios. I see what you are saying and am reopening this issue.

@sjohnr sjohnr reopened this Sep 19, 2024
@sjohnr sjohnr added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed for: stackoverflow A question that's better suited to stackoverflow.com labels Sep 19, 2024
@sjohnr sjohnr moved this to Planning in Spring Security Team Sep 19, 2024
icruces (Author) commented Sep 19, 2024

@sjohnr Sounds great. Sorry, maybe I didn't express myself very well in English.

sjohnr (Member) commented Sep 19, 2024

Not at all. I read your first comment and didn't get the point, but your second comment made the point; I just didn't read it carefully enough.

@sjohnr sjohnr moved this from Planning to In Progress in Spring Security Team Sep 27, 2024
@sjohnr sjohnr closed this as completed in 9ba2435 Sep 27, 2024
@sjohnr sjohnr moved this from In Progress to Done in Spring Security Team Sep 30, 2024
@sjohnr sjohnr added this to the 6.4.0-RC1 milestone Sep 30, 2024