
Ensure ID Token is updated after refresh token (Reactive) #17188


Open
jgrandja opened this issue May 30, 2025 · 4 comments · May be fixed by #17246
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

@jgrandja
Contributor

We need to implement the Reactive counterpart of gh-16589.

@jgrandja jgrandja added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 30, 2025
@jgrandja jgrandja added this to the 7.0.x milestone May 30, 2025
@evgeniycheban
Contributor

Hi @jgrandja, can you assign this one to me?

@jgrandja
Contributor Author

jgrandja commented Jun 3, 2025

Thank you @evgeniycheban. I've assigned it to you.

@evgeniycheban
Contributor

Hi @jgrandja, I have opened a PR. I have some doubts about the correct implementation of this.

I have added a RefreshTokenReactiveOAuth2AuthorizationSuccessHandler that handles a SecurityContext refresh. However, it depends on a ServerSecurityContextRepository, which requires a ServerWebExchange. It will work for use within the context of a ServerWebExchange, but if we want to refresh a SecurityContext for those clients that are used outside of a ServerWebExchange context, we might need to think about having a different abstraction here. One thing that comes to mind is to bind an Authentication object to ClientRequest, similar to how it's proposed to be done in gh-16284. What do you think?

@jgrandja
Contributor Author

Thanks for the PR @evgeniycheban. I will do my best to review this soon. The team has a few high priority items for the upcoming major releases of Spring Security 7.0 and Spring Authorization Server 2.0 so we need to focus on those items first. Thank you for your patience.

@jgrandja jgrandja removed this from the 7.0.x milestone Jun 16, 2025
@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Jun 16, 2025
evgeniycheban added a commit to evgeniycheban/spring-security that referenced this issue Jun 17, 2025