search

spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0
4.86k stars 1.28k forks source link

Consider adding support for requesting refresh_token with offline_access scope #1422

Open nverbos-godaddy opened 1 year ago

nverbos-godaddy commented 1 year ago

Expected Behavior I want to add support for the offline_access scope as described in the openid-connect rfc. When the offline_access scope is requested, then a refresh token is issued.

Current Behavior Currently the spring-authorization-server project issues a refresh token when a RegisteredClient contains AuthorizationGrantType.REFRESH_TOKEN. I would like to change this behavior so that the the client must request the offline_access scope in order for a refresh token to be issued.

Context What is the best way to add support for this? Initially, I tried copying all of the code from OAuth2AuthorizationCodeAuthenticationProvider into my own custom implementation and edited the conditional statement that determines whether or not refresh token should be issued. However, I would like to avoid copying and overriding this for maintainability reasons. Is there a way to customize this for our implementation? Is this a feature that we could add to directly to the spring-authorization-server project?

Related gh-501 gh-1430

jgrandja commented 12 months ago

@nverbos-godaddy

I would like to change this behavior so that the the client must request the offline_access scope in order for a refresh token to be issued

Can you provide more details on your use case? Why do you need to change this behaviour?

I tried copying all of the code from OAuth2AuthorizationCodeAuthenticationProvider into my own custom implementation and edited the conditional statement that determines whether or not refresh token should be issued

In order to support the offline_access scope within the framework, there are a few other requirements that need to be considered, for example:

MUST ensure that the prompt parameter contains consent

FYI, the prompt parameter is currently not supported either gh-501

nverbos-godaddy commented 12 months ago

Can you provide more details on your use case? Why do you need to change this behaviour?

We want clients to explicitly request a refresh token, only when it is needed. We also want to display special text to users on the consent page when offline_access is requested. The special text on the consent page will let our users know that this client application will maintain access to their account, even when they are offline and not using the app. When the app does not need a refresh token, then it does not include the offline_access and we do not need to display this special text on the consent page.

jgrandja commented 12 months ago

@nverbos-godaddy Thanks for the extra details. We will consider adding this enhancement depending on demand, which we assess based on upvotes on this issue.

Is there a way to customize this for our implementation?

Please keep track of gh-1430 as it will likely provide a hook that will allow you to customize and implement offline_access in your application.

jgrandja commented 11 months ago

@nverbos-godaddy Please take a look at gh-1432, specifically this commit as it provides 2 tests that demonstrate how you can customize and implement partial support for offline_access in your application.