Skip to content

Ensure ID Token is updated after refresh token #16589

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Mar 18, 2025

Conversation

yhao3
Copy link
Contributor

@yhao3 yhao3 commented Feb 13, 2025

Related issue: gh-15509

@yhao3
Copy link
Contributor Author

yhao3 commented Feb 13, 2025

Hi @sjohnr,

Could you please review this PR? I encountered this issue during development and took the opportunity to resolve it.

Thanks in advance for your time and feedback!

@sjohnr sjohnr self-assigned this Feb 14, 2025
@sjohnr sjohnr added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Feb 14, 2025
Copy link
Contributor

@sjohnr sjohnr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @yhao3. I have performed an initial review and noted a few issues below for you to consider.

@yhao3
Copy link
Contributor Author

yhao3 commented Feb 14, 2025

Hi @sjohnr,

Thanks for your review and suggestions! I’ve updated the implementation based on your feedback.

@sjohnr
Copy link
Contributor

sjohnr commented Feb 14, 2025

Thanks @yhao3! I'll take another look at this hopefully early next week.

@yhao3
Copy link
Contributor Author

yhao3 commented Feb 15, 2025

Hi @sjohnr,

Thanks for your response! I’ve made some additional adjustments to RefreshOidcIdTokenHandler and added tests. Looking forward to your feedback when you have a chance to review.

sjohnr added a commit to yhao3/spring-security that referenced this pull request Mar 4, 2025
@sjohnr
Copy link
Contributor

sjohnr commented Mar 5, 2025

Hi @yhao3, thanks for your updates. Sorry for the delay, it took longer than I expected to work through the updates I felt were needed to get closer to merging this. I will post an update on the original issue for folks to give feedback.

@yhao3
Copy link
Contributor Author

yhao3 commented Mar 5, 2025

Hi @sjohnr,

Thanks for the update! No worries at all, I really appreciate the time and effort you’re putting into this. I’ll keep an eye on the original issue for further feedback.

Copy link
Contributor

@filiphr filiphr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a good solution to solve #15509. I've only added one comment, not sure if it is relevant or not in this scenario

* @see OAuth2AuthorizedClientRefreshedEvent
* @see OidcUserRefreshedEvent
*/
public final class OidcAuthorizedClientRefreshedEventListener
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As it listens for OAuth2AuthorizedClientRefreshedEvent shouldn't this listener be an OAuth2AuthorizedClientRefreshedEventListener?

/**
* An {@link ApplicationListener} that listens for events of type
* {@link OAuth2AuthorizedClientRefreshedEvent} and publishes an event of type
* {@link OidcUserRefreshedEvent} in order to refresh an {@link OidcUser}.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't the listener publish OAuth2UserRefreshedEvent if the principal is an OAuth2User but not an OidcUser?

}

// The current principal must be an OidcUser
if (!(authenticationToken.getPrincipal() instanceof OidcUser existingOidcUser)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testing for OAuth2User would allow to process OAuth2 refresh token flows without OIDC


private static final String INVALID_NONCE_ERROR_CODE = "invalid_nonce";

private OAuth2UserService<OidcUserRequest, OidcUser> userService = new OidcUserService();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typing with OidcUserRequest and OidcUser might be too narrow: the OAuth2User should be refreshed even if the provider is not configured with OIDC (calling the userinfo endpoint instead of parsing the ID token again)

yhao3 and others added 2 commits March 18, 2025 17:45
@sjohnr sjohnr enabled auto-merge (rebase) March 18, 2025 22:54
@sjohnr sjohnr added this to the 6.5.0-RC1 milestone Mar 18, 2025
@sjohnr sjohnr merged commit 5bb5d0f into spring-projects:main Mar 18, 2025
6 checks passed
@jgrandja jgrandja removed the status: waiting-for-triage An issue we've not yet triaged label Mar 24, 2025
sjohnr added a commit that referenced this pull request Mar 26, 2025
sjohnr added a commit that referenced this pull request Mar 26, 2025
@toob2
Copy link

toob2 commented May 25, 2025

@jgrandja was this fixed in 6.5.0? I'm still having this same issue after upgrading to 6.5.0

@jgrandja
Copy link
Contributor

@toob2 Yes, this is in 6.5.0

@toob2
Copy link

toob2 commented May 26, 2025

@toob2 Yes, this is in 6.5.0

@jgrandja this is however still broken, can this ticket be re-opened?

@VithouJavaMaestro
Copy link

VithouJavaMaestro commented May 27, 2025

Does this work with RefreshTokenReactiveOAuth2AuthorizedClientProvider? I only see a published event in the RefreshTokenOAuth2AuthorizedClientProvider class.

@jgrandja
Copy link
Contributor

@toob2

this is however still broken, can this ticket be re-opened?

I've confirmed that this fix in 6.5.0 does work.

In order for this solution to work, the RefreshTokenOAuth2AuthorizedClientProvider requires a setApplicationEventPublisher(ApplicationEventPublisher). Can you double check to ensure an ApplicationEventPublisher is set?

If you are using the default OAuth2AuthorizedClientManager @Bean then the ApplicationEventPublisher will automatically be set. However, if you are supplying your own OAuth2AuthorizedClientManager @Bean, then this might be the issue because you need to explicitly configure RefreshTokenOAuth2AuthorizedClientProvider.setApplicationEventPublisher(ApplicationEventPublisher).

@jgrandja
Copy link
Contributor

@VithouJavaMaestro

Does this work with RefreshTokenReactiveOAuth2AuthorizedClientProvider?

No, it hasn't been implemented yet. I've added gh-17188 to track it.

@toob2
Copy link

toob2 commented Jun 2, 2025

@toob2

this is however still broken, can this ticket be re-opened?

I've confirmed that this fix in 6.5.0 does work.

In order for this solution to work, the RefreshTokenOAuth2AuthorizedClientProvider requires a setApplicationEventPublisher(ApplicationEventPublisher). Can you double check to ensure an ApplicationEventPublisher is set?

If you are using the default OAuth2AuthorizedClientManager @Bean then the ApplicationEventPublisher will automatically be set. However, if you are supplying your own OAuth2AuthorizedClientManager @Bean, then this might be the issue because you need to explicitly configure RefreshTokenOAuth2AuthorizedClientProvider.setApplicationEventPublisher(ApplicationEventPublisher).

@jgrandja sorry I didnt mention I'm using reactive SCG, will wait for the fix, thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants