Ensure ID Token is updated after refresh token

[yhao3]

Related issue: gh-15509

[yhao3]

Hi @sjohnr,

Could you please review this PR? I encountered this issue during development and took the opportunity to resolve it.

Thanks in advance for your time and feedback!

[sjohnr]

Thanks for the PR @yhao3. I have performed an initial review and noted a few issues below for you to consider.

[yhao3]

Hi @sjohnr,

Thanks for your review and suggestions! I’ve updated the implementation based on your feedback.

[sjohnr]

Thanks @yhao3! I'll take another look at this hopefully early next week.

[yhao3]

Hi @sjohnr,

Thanks for your response! I’ve made some additional adjustments to RefreshOidcIdTokenHandler and added tests. Looking forward to your feedback when you have a chance to review.

[sjohnr]

Hi @yhao3, thanks for your updates. Sorry for the delay, it took longer than I expected to work through the updates I felt were needed to get closer to merging this. I will post an update on the original issue for folks to give feedback.

[yhao3]

Hi @sjohnr,

Thanks for the update! No worries at all, I really appreciate the time and effort you’re putting into this. I’ll keep an eye on the original issue for further feedback.

[filiphr]

This looks like a good solution to solve #15509. I've only added one comment, not sure if it is relevant or not in this scenario

[ch4mpy]

As it listens for OAuth2AuthorizedClientRefreshedEvent shouldn't this listener be an OAuth2AuthorizedClientRefreshedEventListener?

[ch4mpy]

Shouldn't the listener publish OAuth2UserRefreshedEvent if the principal is an OAuth2User but not an OidcUser?

[ch4mpy]

Testing for OAuth2User would allow to process OAuth2 refresh token flows without OIDC

[ch4mpy]

Typing with OidcUserRequest and OidcUser might be too narrow: the OAuth2User should be refreshed even if the provider is not configured with OIDC (calling the userinfo endpoint instead of parsing the ID token again)

[toob2]

@jgrandja was this fixed in 6.5.0? I'm still having this same issue after upgrading to 6.5.0

[jgrandja]

@toob2 Yes, this is in 6.5.0

[toob2]

@toob2 Yes, this is in 6.5.0

@jgrandja this is however still broken, can this ticket be re-opened?

[VithouDjuna]

Does this work with RefreshTokenReactiveOAuth2AuthorizedClientProvider? I only see a published event in the RefreshTokenOAuth2AuthorizedClientProvider class.

[jgrandja]

@toob2

this is however still broken, can this ticket be re-opened?

I've confirmed that this fix in 6.5.0 does work.

In order for this solution to work, the RefreshTokenOAuth2AuthorizedClientProvider requires a setApplicationEventPublisher(ApplicationEventPublisher). Can you double check to ensure an ApplicationEventPublisher is set?

If you are using the default OAuth2AuthorizedClientManager @Bean then the ApplicationEventPublisher will automatically be set. However, if you are supplying your own OAuth2AuthorizedClientManager @Bean, then this might be the issue because you need to explicitly configure RefreshTokenOAuth2AuthorizedClientProvider.setApplicationEventPublisher(ApplicationEventPublisher).

[jgrandja]

@VithouJavaMaestro

Does this work with RefreshTokenReactiveOAuth2AuthorizedClientProvider?

No, it hasn't been implemented yet. I've added gh-17188 to track it.

[toob2]

@toob2

this is however still broken, can this ticket be re-opened?

I've confirmed that this fix in 6.5.0 does work.

In order for this solution to work, the RefreshTokenOAuth2AuthorizedClientProvider requires a setApplicationEventPublisher(ApplicationEventPublisher). Can you double check to ensure an ApplicationEventPublisher is set?

If you are using the default OAuth2AuthorizedClientManager @Bean then the ApplicationEventPublisher will automatically be set. However, if you are supplying your own OAuth2AuthorizedClientManager @Bean, then this might be the issue because you need to explicitly configure RefreshTokenOAuth2AuthorizedClientProvider.setApplicationEventPublisher(ApplicationEventPublisher).

@jgrandja sorry I didnt mention I'm using reactive SCG, will wait for the fix, thanks

[zeapo]

@jgrandja thanks for the great work.
There is however a side case where this does not work:
in the RefreshTokenOAuth2AUthorizedClientProvider, we check "hasExpired" on the access token only, however it happens (in our case with azure) that the id token expires before:

should I open an issue regarding that?

[jgrandja]

@zeapo

in the RefreshTokenOAuth2AUthorizedClientProvider, we check "hasExpired" on the access token only

This is correct. It only needs to check the access token and if it's expired then it renews it via the refresh_token grant. The RefreshTokenOAuth2AuthorizedClientProvider is not responsible for checking the ID Token.