Skip to content

Ensure ID Token is updated after refresh token #16589

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 18, 2025
Merged

Ensure ID Token is updated after refresh token #16589

merged 2 commits into from
Mar 18, 2025

Conversation

yhao3
Copy link
Contributor

@yhao3 yhao3 commented Feb 13, 2025

Related issue: gh-15509

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 13, 2025
@yhao3
Copy link
Contributor Author

yhao3 commented Feb 13, 2025

Hi @sjohnr,

Could you please review this PR? I encountered this issue during development and took the opportunity to resolve it.

Thanks in advance for your time and feedback!

@sjohnr sjohnr self-assigned this Feb 14, 2025
@sjohnr sjohnr added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Feb 14, 2025
sjohnr
sjohnr requested changes Feb 14, 2025
View reviewed changes
Copy link
Member

@sjohnr sjohnr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @yhao3. I have performed an initial review and noted a few issues below for you to consider.

@yhao3
Copy link
Contributor Author

yhao3 commented Feb 14, 2025

Hi @sjohnr,

Thanks for your review and suggestions! I’ve updated the implementation based on your feedback.

@sjohnr
Copy link
Member

sjohnr commented Feb 14, 2025

Thanks @yhao3! I'll take another look at this hopefully early next week.

@yhao3
Copy link
Contributor Author

yhao3 commented Feb 15, 2025

Hi @sjohnr,

Thanks for your response! I’ve made some additional adjustments to RefreshOidcIdTokenHandler and added tests. Looking forward to your feedback when you have a chance to review.

sjohnr added a commit to yhao3/spring-security that referenced this pull request Mar 4, 2025
@sjohnr
Polish spring-projectsgh-16589
06a4338
@sjohnr
Copy link
Member

sjohnr commented Mar 5, 2025

Hi @yhao3, thanks for your updates. Sorry for the delay, it took longer than I expected to work through the updates I felt were needed to get closer to merging this. I will post an update on the original issue for folks to give feedback.

@sjohnr sjohnr mentioned this pull request Mar 5, 2025
Open
@yhao3
Copy link
Contributor Author

yhao3 commented Mar 5, 2025

Hi @sjohnr,

Thanks for the update! No worries at all, I really appreciate the time and effort you’re putting into this. I’ll keep an eye on the original issue for further feedback.

filiphr
filiphr reviewed Mar 5, 2025
View reviewed changes
Copy link
Contributor

@filiphr filiphr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a good solution to solve #15509. I've only added one comment, not sure if it is relevant or not in this scenario

ch4mpy
ch4mpy reviewed Mar 10, 2025
View reviewed changes
...k/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java
* @see OAuth2AuthorizedClientRefreshedEvent
* @see OidcUserRefreshedEvent
*/
public final class OidcAuthorizedClientRefreshedEventListener
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As it listens for OAuth2AuthorizedClientRefreshedEvent shouldn't this listener be an OAuth2AuthorizedClientRefreshedEventListener?

ch4mpy
ch4mpy reviewed Mar 10, 2025
View reviewed changes
...k/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java
/**
* An {@link ApplicationListener} that listens for events of type
* {@link OAuth2AuthorizedClientRefreshedEvent} and publishes an event of type
* {@link OidcUserRefreshedEvent} in order to refresh an {@link OidcUser}.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't the listener publish OAuth2UserRefreshedEvent if the principal is an OAuth2User but not an OidcUser?

ch4mpy
ch4mpy reviewed Mar 10, 2025
View reviewed changes
...k/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java
}

// The current principal must be an OidcUser
if (!(authenticationToken.getPrincipal() instanceof OidcUser existingOidcUser)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testing for OAuth2User would allow to process OAuth2 refresh token flows without OIDC

ch4mpy
ch4mpy reviewed Mar 10, 2025
View reviewed changes
...k/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java

private static final String INVALID_NONCE_ERROR_CODE = "invalid_nonce";

private OAuth2UserService<OidcUserRequest, OidcUser> userService = new OidcUserService();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typing with OidcUserRequest and OidcUser might be too narrow: the OAuth2User should be refreshed even if the provider is not configured with OIDC (calling the userinfo endpoint instead of parsing the ID token again)

@sjohnr sjohnr mentioned this pull request Mar 18, 2025
Open
@sjohnr sjohnr enabled auto-merge (rebase) March 18, 2025 22:54
@sjohnr sjohnr moved this from In Progress to Done in Spring Security Team Mar 18, 2025
@sjohnr sjohnr added this to the 6.5.0-RC1 milestone Mar 18, 2025
@sjohnr sjohnr merged commit 5bb5d0f into spring-projects:main Mar 18, 2025
6 checks passed
@jgrandja jgrandja removed the status: waiting-for-triage An issue we've not yet triaged label Mar 24, 2025
sjohnr added a commit that referenced this pull request Mar 26, 2025
@sjohnr
Polish gh-16589
5f98ce5
sjohnr added a commit that referenced this pull request Mar 26, 2025
@sjohnr
Add additional validation when refreshing ID tokens
860f130 
Issue gh-16589
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ch4mpy ch4mpy ch4mpy left review comments

@filiphr filiphr filiphr left review comments

@sjohnr sjohnr sjohnr approved these changes

Assignees

@sjohnr sjohnr

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
Spring Security Team
Status: Done
Milestone
6.5.0-RC1
Development

Successfully merging this pull request may close these issues.
6 participants
@yhao3 @sjohnr @ch4mpy @filiphr @jgrandja @spring-projects-issues