Skip to content

Ensure ID Token is updated after refresh token #16589

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 18, 2025
Merged

Ensure ID Token is updated after refresh token #16589

merged 2 commits into from
Mar 18, 2025

Conversation

yhao3
Copy link
Contributor

@yhao3 yhao3 commented Feb 13, 2025

Related issue: gh-15509

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 13, 2025
@yhao3
Copy link
Contributor Author

yhao3 commented Feb 13, 2025

Hi @sjohnr,

Could you please review this PR? I encountered this issue during development and took the opportunity to resolve it.

Thanks in advance for your time and feedback!

@sjohnr sjohnr self-assigned this Feb 14, 2025
@sjohnr sjohnr added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Feb 14, 2025
sjohnr
sjohnr suggested changes Feb 14, 2025
View reviewed changes
Copy link
Contributor

@sjohnr sjohnr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @yhao3. I have performed an initial review and noted a few issues below for you to consider.

@yhao3
Copy link
Contributor Author

yhao3 commented Feb 14, 2025

Hi @sjohnr,

Thanks for your review and suggestions! I’ve updated the implementation based on your feedback.

@sjohnr
Copy link
Contributor

sjohnr commented Feb 14, 2025

Thanks @yhao3! I'll take another look at this hopefully early next week.

@yhao3
Copy link
Contributor Author

yhao3 commented Feb 15, 2025

Hi @sjohnr,

Thanks for your response! I’ve made some additional adjustments to RefreshOidcIdTokenHandler and added tests. Looking forward to your feedback when you have a chance to review.

sjohnr added a commit to yhao3/spring-security that referenced this pull request Mar 4, 2025
@sjohnr
Polish spring-projectsgh-16589
06a4338
@sjohnr
Copy link
Contributor

sjohnr commented Mar 5, 2025

Hi @yhao3, thanks for your updates. Sorry for the delay, it took longer than I expected to work through the updates I felt were needed to get closer to merging this. I will post an update on the original issue for folks to give feedback.

@sjohnr sjohnr mentioned this pull request Mar 5, 2025
Open
@yhao3
Copy link
Contributor Author

yhao3 commented Mar 5, 2025

Hi @sjohnr,

Thanks for the update! No worries at all, I really appreciate the time and effort you’re putting into this. I’ll keep an eye on the original issue for further feedback.

filiphr
filiphr reviewed Mar 5, 2025
View reviewed changes
Copy link
Contributor

@filiphr filiphr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a good solution to solve #15509. I've only added one comment, not sure if it is relevant or not in this scenario

ch4mpy
ch4mpy reviewed Mar 10, 2025
View reviewed changes
...k/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java
* @see OAuth2AuthorizedClientRefreshedEvent
* @see OidcUserRefreshedEvent
*/
public final class OidcAuthorizedClientRefreshedEventListener
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As it listens for OAuth2AuthorizedClientRefreshedEvent shouldn't this listener be an OAuth2AuthorizedClientRefreshedEventListener?

ch4mpy
ch4mpy reviewed Mar 10, 2025
View reviewed changes
...k/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java
/**
* An {@link ApplicationListener} that listens for events of type
* {@link OAuth2AuthorizedClientRefreshedEvent} and publishes an event of type
* {@link OidcUserRefreshedEvent} in order to refresh an {@link OidcUser}.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't the listener publish OAuth2UserRefreshedEvent if the principal is an OAuth2User but not an OidcUser?

ch4mpy
ch4mpy reviewed Mar 10, 2025
View reviewed changes
...k/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java
}

// The current principal must be an OidcUser
if (!(authenticationToken.getPrincipal() instanceof OidcUser existingOidcUser)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testing for OAuth2User would allow to process OAuth2 refresh token flows without OIDC

ch4mpy
ch4mpy reviewed Mar 10, 2025
View reviewed changes
...k/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java

private static final String INVALID_NONCE_ERROR_CODE = "invalid_nonce";

private OAuth2UserService<OidcUserRequest, OidcUser> userService = new OidcUserService();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typing with OidcUserRequest and OidcUser might be too narrow: the OAuth2User should be refreshed even if the provider is not configured with OIDC (calling the userinfo endpoint instead of parsing the ID token again)

@sjohnr sjohnr mentioned this pull request Mar 18, 2025
Open
yhao3 and others added 2 commits March 18, 2025 17:45
@sjohnr sjohnr enabled auto-merge (rebase) March 18, 2025 22:54
@sjohnr sjohnr added this to the 6.5.0-RC1 milestone Mar 18, 2025
@sjohnr sjohnr merged commit 5bb5d0f into spring-projects:main Mar 18, 2025
6 checks passed
@jgrandja jgrandja removed the status: waiting-for-triage An issue we've not yet triaged label Mar 24, 2025
sjohnr added a commit that referenced this pull request Mar 26, 2025
@sjohnr
Polish gh-16589
5f98ce5
sjohnr added a commit that referenced this pull request Mar 26, 2025
@sjohnr
Add additional validation when refreshing ID tokens
860f130 
Issue gh-16589
@toob2
Copy link

toob2 commented May 25, 2025
edited
Loading

@jgrandja was this fixed in 6.5.0? I'm still having this same issue after upgrading to 6.5.0

@jgrandja
Copy link
Contributor

@toob2 Yes, this is in 6.5.0

@toob2
Copy link

toob2 commented May 26, 2025
edited
Loading

@toob2 Yes, this is in 6.5.0

@jgrandja this is however still broken, can this ticket be re-opened?

@VithouJavaMaestro
Copy link

VithouJavaMaestro commented May 27, 2025
edited
Loading

Does this work with RefreshTokenReactiveOAuth2AuthorizedClientProvider? I only see a published event in the RefreshTokenOAuth2AuthorizedClientProvider class.

@jgrandja
Copy link
Contributor

@toob2

this is however still broken, can this ticket be re-opened?

I've confirmed that this fix in 6.5.0 does work.

In order for this solution to work, the RefreshTokenOAuth2AuthorizedClientProvider requires a setApplicationEventPublisher(ApplicationEventPublisher). Can you double check to ensure an ApplicationEventPublisher is set?

If you are using the default OAuth2AuthorizedClientManager @Bean then the ApplicationEventPublisher will automatically be set. However, if you are supplying your own OAuth2AuthorizedClientManager @Bean, then this might be the issue because you need to explicitly configure RefreshTokenOAuth2AuthorizedClientProvider.setApplicationEventPublisher(ApplicationEventPublisher).

@jgrandja jgrandja mentioned this pull request May 30, 2025
Open
@jgrandja
Copy link
Contributor

@VithouJavaMaestro

Does this work with RefreshTokenReactiveOAuth2AuthorizedClientProvider?

No, it hasn't been implemented yet. I've added gh-17188 to track it.

@toob2
Copy link

toob2 commented Jun 2, 2025

@toob2

this is however still broken, can this ticket be re-opened?

I've confirmed that this fix in 6.5.0 does work.

In order for this solution to work, the RefreshTokenOAuth2AuthorizedClientProvider requires a setApplicationEventPublisher(ApplicationEventPublisher). Can you double check to ensure an ApplicationEventPublisher is set?

If you are using the default OAuth2AuthorizedClientManager @Bean then the ApplicationEventPublisher will automatically be set. However, if you are supplying your own OAuth2AuthorizedClientManager @Bean, then this might be the issue because you need to explicitly configure RefreshTokenOAuth2AuthorizedClientProvider.setApplicationEventPublisher(ApplicationEventPublisher).

@jgrandja sorry I didnt mention I'm using reactive SCG, will wait for the fix, thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ch4mpy ch4mpy ch4mpy left review comments

@filiphr filiphr filiphr left review comments

@sjohnr sjohnr sjohnr approved these changes

Assignees

@sjohnr sjohnr

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
None yet
Milestone
6.5.0-RC1
Development

Successfully merging this pull request may close these issues.
8 participants
@yhao3 @sjohnr @toob2 @jgrandja @VithouJavaMaestro @ch4mpy @filiphr @spring-projects-issues