Handing OAuth2 Refresh Tokens -Spring 5

[muthiyalu]

Summary

Had a query on how to handle

Actual Behavior

Am trying to ascertain how to handle refresh tokens via the Spring 5 Outh2 security framework. There seems to be no contract to handle refresh tokens directly.

As a workaround I explored the interface specification to see if this could be overridden. In that context there seems to be a possible workaround :

Specfic to Google

Step 1: Set an Additional Query Parameter of Access Type to offline(access_type=offline)

Reference : https://developers.google.com/identity/protocols/OAuth2WebServer

Step 2: Google would respond back with an Authorization code which when exhanged for a Token would send back both the Access Token and Refresh Token.

Override the OAuth2AccessTokenResponseClient behaviour to extract the Refresh Token

https://docs.spring.io/spring-security/site/docs/5.0.0.RELEASE/reference/htmlsingle/#jc-oauth2login-authorized-client

Step 3 : Store it in a custom User Model and on the session

As per the documentation(section 5.7.6 )

https://docs.spring.io/spring-security/site/docs/5.0.0.RELEASE/reference/htmlsingle/#jc-oauth2login-custom-provider-properties

Configuring Custom Provider Properties, Additional parameters like access_type can be set in the application.yml file

Expected Behavior

That the sendRedirectForAuthorization method https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java

passes these additional parameters to the URI builder

However it seems the URI Builder doesnt use the additionalParameters HashMap while constructing the URI(or am I missing something?)

---

UriComponentsBuilder uriBuilder = UriComponentsBuilder
.fromUriString(authorizationRequest.getAuthorizationUri())
.queryParam(OAuth2ParameterNames.RESPONSE_TYPE, authorizationRequest.getResponseType().getValue())
.queryParam(OAuth2ParameterNames.CLIENT_ID, authorizationRequest.getClientId())
.queryParam(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(scopes, " "))
.queryParam(OAuth2ParameterNames.STATE, authorizationRequest.getState());
if (authorizationRequest.getRedirectUri() != null) {
uriBuilder.queryParam(OAuth2ParameterNames.REDIRECT_URI, authorizationRequest.getRedirectUri());
}

	return uriBuilder.build().encode().toUri();

---

Configuration

spring:
thymeleaf:
cache: false
security:
oauth2:
client:
registration:
google:
client-id: client_id
client-secret: client _secret
provider:
google:
access_type: offline

Version

compile 'org.springframework.security:spring-security-config:5.0.0.RC1'
compile 'org.springframework.security:spring-security-oauth2-client:5.0.0.RC1'
compile 'org.springframework.security:spring-security-oauth2-jose:5.0.0.RC1'
compile 'org.springframework:spring-webflux'
compile 'org.springframework.boot:spring-boot-starter-thymeleaf'
compile 'org.springframework.boot:spring-boot-starter-web'
compile 'org.thymeleaf.extras:thymeleaf-extras-springsecurity4'
compile 'io.projectreactor.ipc:reactor-netty'

Sample

[jgrandja]

@muthiyalu refresh_token grant support #4371 is planned for 5.1. As well, support for adding custom query parameters is planned for 5.1 #4911

[muthiyalu]

thanks Joe, could i collaborate in creating the Refresh token functionality?

[jgrandja]

@muthiyalu Thanks for the offer but I'll take this one on. It won't require much effort on my end. However, feel free to submit a PR on any other outstanding issue. Thanks.

[subbyz]

@muthiyalu Kindly provide an example for Step 2 and Step 3.