spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Should we enhance the ability of `OAuth2ClientAuthenticationProcessingFilter`? #1925

Closed yabola closed 3 years ago

yabola commented 3 years ago

I want to store the refreshToken & accessToken in a cookie with my own defined name (I use stateless here). I checked here: OAuth2ClientAuthenticationProcessingFilter will retrieve a new token/refreshToken if the accessToken is invalid. I want OAuth2ClientAuthenticationProcessingFilter to have the ability to expose this function, but https://github.com/spring-projects/spring-security-oauth/blob/main/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java#L116 will only get the accessToken value, which is not enough.

Can you help me find a way to do that? Or I can try to modify the existing implementation.

yabola commented 3 years ago

@jgrandja please help take a look, thanks~

yabola commented 3 years ago

like https://stackoverflow.com/questions/44923418/store-token-from-oauth2-server-in-cookie-using-spring-oauth

yabola commented 3 years ago

@jgrandja can you give me any suggestions on such a problem? I think the solution on Stack Overflow is not that good. I think we should expose such a function in OAuth2ClientAuthenticationProcessingFilter. Thanks~

jgrandja commented 3 years ago

@yabola

> I want to store refreshToken & accessToken in cookie

This is not recommended as this exposes you to cookie tampering attacks.

> I think we should expose such function in OAuth2ClientAuthenticationProcessingFilter

This project is scheduled to reach EOL. Please see the announcement for further details.