Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure ID Token is updated after refresh token #16589

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Ensure ID Token is updated after refresh token #16589

wants to merge 3 commits into from

Conversation

yhao3
Copy link

@yhao3 yhao3 commented Feb 13, 2025

Related issue: gh-15509

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 13, 2025
@yhao3
Copy link
Author

yhao3 commented Feb 13, 2025

Hi @sjohnr,

Could you please review this PR? I encountered this issue during development and took the opportunity to resolve it.

Thanks in advance for your time and feedback!

@sjohnr sjohnr self-assigned this Feb 14, 2025
@sjohnr sjohnr added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Feb 14, 2025
sjohnr
sjohnr requested changes Feb 14, 2025
View reviewed changes
Copy link
Member

@sjohnr sjohnr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @yhao3. I have performed an initial review and noted a few issues below for you to consider.

.../security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java Outdated
@@ -232,7 +232,7 @@ public boolean supports(Class<?> authentication) {
return OAuth2LoginAuthenticationToken.class.isAssignableFrom(authentication);
}

private OidcIdToken createOidcToken(ClientRegistration clientRegistration,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will want to do something else here instead of reuse this method directly. We don't want to couple the event handler with the existing AuthenticationProvider. For now, I think it's perfectly fine to duplicate this code in the listener and see how it looks.

...rg/springframework/security/oauth2/client/oidc/authentication/RefreshOidcIdTokenHandler.java Outdated
Comment on lines 36 to 41
private final OidcAuthorizationCodeAuthenticationProvider oidcAuthorizationCodeAuthenticationProvider;

public RefreshOidcIdTokenHandler(
OidcAuthorizationCodeAuthenticationProvider oidcAuthorizationCodeAuthenticationProvider) {
this.oidcAuthorizationCodeAuthenticationProvider = oidcAuthorizationCodeAuthenticationProvider;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See above comment. We don't want to couple the listener with the AuthenticationProvider. Can you please adjust this to directly include the necessary code from the createOidcToken() method?

...rg/springframework/security/oauth2/client/oidc/authentication/RefreshOidcIdTokenHandler.java Outdated
OAuth2AccessTokenResponse accessTokenResponse = event.getAccessTokenResponse();
OidcIdToken refreshedOidcToken = this.oidcAuthorizationCodeAuthenticationProvider
.createOidcToken(authorizedClient.getClientRegistration(), accessTokenResponse);
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please adjust this to use a private SecurityContextHolderStrategy securityContextHolderStrategy field instead? It can be initialized with SecurityContextHolder.getContextHolderStrategy() and also include a setter for a custom strategy.

...rg/springframework/security/oauth2/client/oidc/authentication/RefreshOidcIdTokenHandler.java Outdated
Comment on lines 54 to 56
SecurityContextHolder.getContext()
.setAuthentication(new OAuth2AuthenticationToken(oidcUser, oidcUser.getAuthorities(),
oauth2AuthenticationToken.getAuthorizedClientRegistrationId()));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please adjust this to create a new empty SecurityContext via this.securityContextHolderStrategy.createEmptyContext() and then set the new context via this.securityContextHolderStrategy.setContext()?

@yhao3
Copy link
Author

yhao3 commented Feb 14, 2025

Hi @sjohnr,

Thanks for your review and suggestions! I’ve updated the implementation based on your feedback.

@sjohnr
Copy link
Member

sjohnr commented Feb 14, 2025

Thanks @yhao3! I'll take another look at this hopefully early next week.

@yhao3
Copy link
Author

yhao3 commented Feb 15, 2025

Hi @sjohnr,

Thanks for your response! I’ve made some additional adjustments to RefreshOidcIdTokenHandler and added tests. Looking forward to your feedback when you have a chance to review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sjohnr sjohnr sjohnr requested changes

Assignees

@sjohnr sjohnr

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement
Projects
Spring Security Team
Status: In Progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@yhao3 @sjohnr @spring-projects-issues