spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Make it possible to specify the refresh token expiration in the OAuth2AccessTokenResponse #15851

Closed Seregy closed 1 month ago

Seregy commented 1 month ago

Expected Behavior

I'd like to be able to customize the refreshToken in the OAuth2AccessTokenResponse by specifying a refresh token expiration value. OAuth2AccessTokenResponse.Builder could expose a method to optionally set the expiration for a refresh token.

Current Behavior

OAuth2AccessTokenResponse.Builder always constructs an OAuth2RefreshToken instance with a null expiresAt value and doesn't allow customizing this behavior.

Context

The authorization server I'm using provides the refresh_token_expires_in parameter along with the access and refresh tokens during the authorization code grant flow. I'd like to get this value from the OAuth2RefreshToken for further processing within the application. As the refresh_token_expires_in is not a standard parameter, I was going to use a custom access token response converter instead of the DefaultMapOAuth2AccessTokenResponseConverter one to extract the refresh token expiration value from the response. Unfortunately, OAuth2AccessTokenResponse.Builder uses the OAuth2RefreshToken constructor without the expiresAt parameter and doesn't provide a way to set the refresh token expiration.

sjohnr commented 1 month ago

@Seregy thanks for reaching out!

In OAuth2AccessTokenResponse there is additionalParameters which is intended for custom parameters like this. This refresh token expiration is not needed by Spring Security (since it is off-spec), so it doesn't really make sense to add it to the builder. However, the DefaultMapOAuth2AccessTokenResponseConverter does populate additionalParameters, and I believe the custom refresh_token_expires_in should show up there. If not, would you mind adding a minimal, reproducible sample so I could take a look?

Seregy commented 1 month ago

The refresh_token_expires_in parameter is indeed present in the OAuth2AccessTokenResponse#additionalParameters; it's just that accessing those parameters from the client components requires more changes. If you'd rather not allow extending refresh tokens like that, then it is what it is. I've found that to access the refresh token expiration value in the application code it's necessary to either customize the AuthenticationProvider (which looks a bit too intrusive) or provide a custom OidcUserService implementation along with a modified OidcUser.

sjohnr commented 1 month ago

Thanks for the reply @Seregy. This response parameter is custom and not used by the framework. Therefore, I don't see anything that we would do here since refresh token expiration already shows up in additionalParameters. I'm going to close this issue. If you have a test or minimal sample that demonstrates this and an idea of how we can improve accessing the additional parameters for your use case, please let me know and we can re-open if necessary.
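As an added example (not code from the thread or from Spring Security itself), this helper reads the off-spec refresh_token_expires_in value from additionalParameters, as the maintainer suggests, and converts it to an absolute expiry, treating a missing or malformed value as unknown rather than as a token that never expires. The class name, helper name and the constructed token response map are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;

import org.springframework.security.oauth2.core.endpoint.DefaultMapOAuth2AccessTokenResponseConverter;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

public final class RefreshTokenExpiry {
    // Off-spec parameter name from the issue; not defined by RFC 6749, so it lands in additionalParameters.
    static final String REFRESH_TOKEN_EXPIRES_IN = "refresh_token_expires_in";

    private RefreshTokenExpiry() {}

    /**
     * Turns refresh_token_expires_in (seconds, relative to receipt) into an absolute Instant.
     * Returns empty when there is no refresh token or the value is missing, non-numeric or
     * negative, so a malformed value is treated as "unknown" rather than "never expires".
     */
    public static Optional<Instant> refreshTokenExpiresAt(OAuth2AccessTokenResponse response, Instant receivedAt) {
        if (response.getRefreshToken() == null) {
            return Optional.empty();
        }
        Object raw = response.getAdditionalParameters().get(REFRESH_TOKEN_EXPIRES_IN);
        if (raw == null) {
            return Optional.empty();
        }
        long seconds;
        try {
            // The converter keeps the value as parsed from the JSON body (Number or String); accept both.
            seconds = (raw instanceof Number) ? ((Number) raw).longValue() : Long.parseLong(raw.toString().trim());
        } catch (NumberFormatException ex) {
            return Optional.empty();
        }
        return seconds < 0 ? Optional.empty() : Optional.of(receivedAt.plus(Duration.ofSeconds(seconds)));
    }

    // Constructed token response map standing in for a real server response (assumed values); the default
    // converter places the off-spec parameter in additionalParameters, as noted in the thread.
    public static void main(String[] args) {
        Map<String, Object> parameters = Map.of(
                OAuth2ParameterNames.ACCESS_TOKEN, "access-token-value",
                OAuth2ParameterNames.TOKEN_TYPE, "Bearer",
                OAuth2ParameterNames.EXPIRES_IN, "3600",
                OAuth2ParameterNames.REFRESH_TOKEN, "refresh-token-value",
                REFRESH_TOKEN_EXPIRES_IN, "86400");
        OAuth2AccessTokenResponse response = new DefaultMapOAuth2AccessTokenResponseConverter().convert(parameters);
        System.out.println(refreshTokenExpiresAt(response, Instant.now()).orElseThrow());
    }
}
```

The receivedAt instant should be captured when the token response arrives, not when the value is later consulted, otherwise the computed expiry drifts forward on every check.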