Make it possible to specify the refresh token expiration in the OAuth2AccessTokenResponse #15851

Open
Seregy opened this issue Sep 25, 2024 · 1 comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: waiting-for-feedback We need additional information before we can continue type: enhancement A general enhancement

Seregy commented Sep 25, 2024

Expected Behavior

I'd like to be able to customize the refreshToken in the OAuth2AccessTokenResponse by specifying a refresh token expiration value. OAuth2AccessTokenResponse.Builder could expose a method to optionally set the expiration for a refresh token.

Current Behavior

OAuth2AccessTokenResponse.Builder always constructs an OAuth2RefreshToken instance with a null expiresAt value and doesn't allow customizing this behavior.

Context

The authorization server I'm using provides the refresh_token_expires_in parameter along with the access and refresh tokens during the authorization code grant flow. I'd like to get this value from the OAuth2RefreshToken for further processing within the application. As the refresh_token_expires_in is not a standard parameter, I was going to use a custom access token response converter instead of the DefaultMapOAuth2AccessTokenResponseConverter one to extract the refresh token expiration value from the response. Unfortunately, OAuth2AccessTokenResponse.Builder uses the OAuth2RefreshToken constructor without the expiresAt parameter and doesn't provide a way to set the refresh token expiration.

@Seregy Seregy added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Sep 25, 2024
@sjohnr sjohnr self-assigned this Sep 30, 2024
sjohnr (Member) commented Sep 30, 2024

@Seregy thanks for reaching out!

In OAuth2AccessTokenResponse there is additionalParameters which is intended for custom parameters like this. This refresh token expiration is not needed by Spring Security (since it is off-spec), so it doesn't really make sense to add it to the builder. However, the DefaultMapOAuth2AccessTokenResponseConverter does populate additionalParameters, and I believe the custom refresh_token_expires_in should show up there. If not, would you mind adding a minimal, reproducible sample so I could take a look?

@sjohnr sjohnr added status: waiting-for-feedback We need additional information before we can continue in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 30, 2024
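
Reading the value from additionalParameters as suggested in the comment above, as an added example (not code from the issue or from Spring Security). The class `RefreshTokenExpiry` and its methods are hypothetical, and the example assumes `refresh_token_expires_in` is a lifetime in seconds, like the standard `expires_in`.

```java
import java.time.Instant;
import java.util.Optional;

import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;

/** Hypothetical helper, not part of Spring Security. */
public final class RefreshTokenExpiry {

    // Non-standard parameter name, taken from the issue text.
    static final String PARAM = "refresh_token_expires_in";

    private RefreshTokenExpiry() {
    }

    /**
     * Returns when the refresh token expires, or empty when no usable value was sent.
     * Callers should treat empty as "unknown", not as "never expires".
     */
    public static Optional<Instant> expiresAt(OAuth2AccessTokenResponse response) {
        OAuth2RefreshToken refreshToken = response.getRefreshToken();
        if (refreshToken == null) {
            return Optional.empty(); // no refresh token was issued
        }
        // Count from the token's issuedAt when it is set, otherwise from now.
        Instant base = (refreshToken.getIssuedAt() != null) ? refreshToken.getIssuedAt() : Instant.now();
        return parseSeconds(response.getAdditionalParameters().get(PARAM)).map(base::plusSeconds);
    }

    // The value can arrive as Integer, Long or String depending on the server and JSON mapping.
    static Optional<Long> parseSeconds(Object raw) {
        long seconds;
        if (raw instanceof Number) {
            seconds = ((Number) raw).longValue();
        } else if (raw instanceof String) {
            try {
                seconds = Long.parseLong(((String) raw).trim());
            } catch (NumberFormatException ex) {
                return Optional.empty(); // malformed value from the server
            }
        } else {
            return Optional.empty(); // absent, or an unexpected type
        }
        // Assumption of this example: a negative lifetime is rejected as unusable.
        return (seconds >= 0) ? Optional.of(seconds) : Optional.empty();
    }
}
```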