I have a reactive app secured with OAuth2, authorization_code grant, for which I use ServerHttpSecurity - http.oauth2Login()
My app is fully functional because resources are correctly secured and users can access the resources after logging in. However, when the access token expires, it is not renewed using the refresh token; instead, requests end up getting 401 from internal microservices. I was expecting that Spring Security would renew the expired access token out of the box, since I have confirmed that we are getting a refresh token along with the access_token.
After doing a considerable amount of research, I have not found a straight answer on whether that's possible or how I can get http.oauth2Login() to refresh tokens. Is there a particular configuration that I need for it to be possible?
I tried the following things, none of which worked in my case:
I added refresh_token as a second grant type for my app: authorization-grant-type: authorization_code, refresh_token, but it caused an issue while starting the authorization flow. I read about using oauth2Login().authorizationCodeGrant/refreshCodeGrant(), but that method is not available in my Spring version.
Versions:
Spring Boot: 2.3.4.RELEASE
Spring Security: 5.3.10.RELEASE
Spring-security-config: 5.3.10.RELEASE
Comment From: sjohnr
Greetings @mikelemikelo, thanks for your interest in the project.
Please note: Version 5.3.x is no longer available for OSS support under our support policy. See spring-security#support.
Is this something you can reproduce using version 5.5 or later? If so, can you provide a minimal sample? I am currently not sure I understand how you are reproducing this issue, as I'm not seeing any specific details around how you're using the access/refresh tokens. It seems possible you are using the .oauth2Login() instead of .oauth2Client(), but I can't confirm that with the current level of detail provided.
Comment From: mikelemikelo
Hi @sjohnr !! Thanks in advance for your quick reply.
I'm going to give it a try later today with the 5.5 libraries to see if the issue persists.
I'm using a Spring Cloud Gateway that is implementing .oauth2Login() and performing the authorization flow, so when a user hits the Gateway endpoint through the browser, they get redirected to the AS for authentication, and if everything goes well, the user is logged in and is able to use the internal microservices (OAuth2 resource servers) using the token that oauth2Login() got.
We have validated that the Gateway is receiving the access_token + refresh_token during the authorization flow, BUT when the token expires, the Gateway and oauth2Login() are not using the refresh_token they got to obtain a new token, and instead 401 issues happen.
Hope my previous explanation helps clarify my use case.
Will set aside some time today to test with 5.5, and if the issue persists I can provide a minimal sample as requested, but I'm wondering against which AS I should point that test?
Comment From: sjohnr
@mikelemikelo ok, thanks for the clarification. Yes, please give it a try in 5.5. But I do believe you are missing configuration. You need to enable .oauth2Client() and ensure you are setting up your WebClient correctly. I can't confirm unless you provide a minimal sample.
Edit:
> but wondering against which AS should I point that test?

In this case, I don't think it matters as I mostly want to verify your configuration. But if you want, you can use Spring Authorization Server. Not required though.
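As an added illustration of the configuration sjohnr is pointing at (this is example code written for this page, not code from the issue reporter or from the Spring Security project): a reactive security configuration that enables both `.oauth2Login()` and `.oauth2Client()`, builds a `ReactiveOAuth2AuthorizedClientManager` whose provider chain includes the `refresh_token` grant, and wires that manager into the `WebClient` used to call the downstream resource servers through `ServerOAuth2AuthorizedClientExchangeFilterFunction`. The base URL `http://resource-service` and the class name are assumptions; the client registration itself is assumed to come from `spring.security.oauth2.client.registration.*` properties with `authorization-grant-type: authorization_code` only (the registration's grant type is a single value; refreshing is a concern of the authorized-client provider, not a second grant type on the registration). API names are those of Spring Security 5.5 reactive OAuth2 client support.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.function.client.WebClient;

// Hypothetical class name for this example.
@Configuration
@EnableWebFluxSecurity
public class OAuth2RefreshExampleConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            // Login performs the authorization_code flow in the browser.
            .oauth2Login(Customizer.withDefaults())
            // Client support is what lets the authorized client be reused
            // (and refreshed) for outbound calls.
            .oauth2Client(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
            ReactiveClientRegistrationRepository clientRegistrationRepository,
            ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
        // Provider chain: reuse the authorization_code client, and when its access
        // token is expired (default 60s clock skew) exchange the refresh token for
        // a new one. Building it explicitly makes the refresh_token grant visible.
        ReactiveOAuth2AuthorizedClientProvider provider =
            ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken()
                .build();
        DefaultReactiveOAuth2AuthorizedClientManager manager =
            new DefaultReactiveOAuth2AuthorizedClientManager(
                clientRegistrationRepository, authorizedClientRepository);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    @Bean
    WebClient downstreamWebClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
            new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
        // Use the authorized client of the logged-in user for every request
        // made through this WebClient, so no per-request attribute is needed.
        oauth2.setDefaultOAuth2AuthorizedClient(true);
        return WebClient.builder()
            .baseUrl("http://resource-service") // assumed downstream resource server
            .filter(oauth2)
            .build();
    }
}
```

Calls made through `downstreamWebClient` then carry the current access token as a bearer token, and when the manager sees the stored token as expired it uses the stored refresh token to obtain a new one and saves the updated authorized client before the request goes out. A downstream 401 still surfaces if the refresh itself fails (for example, the refresh token was revoked or has its own expiry), which is the case to check in the authorization server's logs.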
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.