Describe the bug

OAuth2RefreshToken always sets expiresAt to null: https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2RefreshToken.java

To Reproduce

Have a refresh token with the "exp" field set.

Expected behavior

org.springframework.security.oauth2.core.OAuth2RefreshToken should have expiresAt set from the JWT.

Sample

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJtYXRjdWsiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYXRpIjoiZDcyMzgxNDUtMDIzZS00ZWMzLTk0MDItMzAyMDVjM2JlNGJjIiwiZXhwIjoxNTkyMzU2OTAzLCJqdGkiOiI1OTcxZWI3ZS1kOTYyLTRiZmMtODJmYS1kZDYyZTc2NjQ3ZGEifQ.QgQYBkOdkxzuulo9Ka0k9GlRRCXxY1WCTY52zF9Geg0

Decoded payload:

{
  "user_name": "matcuk",
  "scope": ["read", "write"],
  "ati": "d7238145-023e-4ec3-9402-30205c3be4bc",
  "exp": 1592356903,
  "jti": "5971eb7e-d962-4bfc-82fa-dd62e76647da"
}

So to me it looks like the exp field is ignored in the case of a refresh token.

Note that the access token would have a different expiresAt (5 minutes vs 12 hours).
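Added example, not code from the issue or from Spring Security: it reads the exp claim out of the sample refresh token above without verifying the signature (the HS256 secret is only held by the authorization server), derives a client-side expiry from it, and returns None when a token carries no exp. The helper that builds an unsigned token for the missing-exp case is constructed for this illustration only.

```python
import base64
import json
from datetime import datetime, timezone

# Refresh token from the issue report (HS256 JWT; the signing key is not available here).
SAMPLE_REFRESH_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VyX25hbWUiOiJtYXRjdWsiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYXRpIjoiZDcyMzgxNDUtMDIzZS00ZWMzLTk0MDItMzAyMDVjM2JlNGJjIiwiZXhwIjoxNTkyMzU2OTAzLCJqdGkiOiI1OTcxZWI3ZS1kOTYyLTRiZmMtODJmYS1kZDYyZTc2NjQ3ZGEifQ."
    "QgQYBkOdkxzuulo9Ka0k9GlRRCXxY1WCTY52zF9Geg0"
)

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unverified_claims(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.

    Only the authorization server can verify an HS256 token, so a client may use
    these claims as a scheduling hint (when to re-authorize), never as a trust decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def refresh_token_expires_at(token: str):
    """Instant from the 'exp' claim, or None when the token carries no expiry.

    The token response has no expires_in for refresh tokens (RFC 6749 section 5.1),
    so an 'exp' claim inside the JWT is the only expiry hint a client can get.
    """
    exp = unverified_claims(token).get("exp")
    return None if exp is None else datetime.fromtimestamp(exp, tz=timezone.utc)

def should_discard_refresh_token(token: str, now: datetime) -> bool:
    """True when the client should drop the token and re-authorize instead of sending it."""
    expires_at = refresh_token_expires_at(token)
    return expires_at is not None and now >= expires_at

def unsigned_token_for_tests(claims: dict) -> str:
    # Constructed helper: header + payload with an empty signature, used only to exercise
    # the missing-'exp' path offline. Such tokens must never be accepted by a server.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    print("paired access token (ati):", unverified_claims(SAMPLE_REFRESH_TOKEN)["ati"])
    print("refresh token expires at:", refresh_token_expires_at(SAMPLE_REFRESH_TOKEN))
```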

Comment From: jgrandja

@MatCuk

As per the spec, Section 5.1 (Successful Response), the expires_in parameter is the lifetime in seconds of the access token. There is no expires_in equivalent for refresh_token.

I'm going to close this as "implemented per spec".

Comment From: MatCuk

Hi, OK, thanks for the reply. Then it seems the app is setting expiresAt on the refresh token and rejecting it after that even though it should not. Is there any simple way to handle this on the client side, like evicting the refresh token? Implement a custom ReactiveClientRegistrationRepository?

Comment From: jgrandja

@MatCuk I don't fully understand...

it seems the app is setting expiresAt on the refresh token and rejecting it after that even though it should not

Can you put together a minimal sample that reproduces the issue so I can better understand the issue you are facing?

Comment From: windmueller

@jgrandja I am a bit confused here. Expiration support for refresh tokens has been added with #9146. However, OAuth2AccessTokenResponse still sets the expiration date to null.