Describe the bug

When the authorization server returns 401 for an invalid refresh token, the authorized client detail is not getting deleted. The same refresh token is getting used for the next auth call as well.

We are using DefaultRefreshTokenTokenResponseClient to obtain the access token and the default implementation of RemoveAuthorizedClientOAuth2AuthorizationFailureHandler for handling authorization server errors. We were expecting that when the authorization server throws 401, the error handler would delete the authorized client detail, but it is not happening. When we debugged the code, we found the following.

DefaultRefreshTokenTokenResponseClient throws OAuth2AuthorizationException having OAuth2Error with error code "invalid_token_response" for RestClientException.

Spring Security Authorized client details is not getting deleted by RemoveAuthorizedClientOAuth2AuthorizationFailureHandler

But RemoveAuthorizedClientOAuth2AuthorizationFailureHandler handles the errors only for OAuth2Error with error codes "invalid_token" and "invalid_grant".

To Reproduce: Authorization server returns 401.

Expected behavior: Authorized client details should be deleted when the authorization server returns 401.

If DefaultRefreshTokenTokenResponseClient is going to throw error code "invalid_token_response" for RestClientException, then why is this error code not included in RemoveAuthorizedClientOAuth2AuthorizationFailureHandler.DEFAULT_REMOVE_AUTHORIZED_CLIENT_ERROR_CODES?

Comment From: Kehrlann

Hey @armanaaquib - as per RFC 6749, section 5.2 Error Response (emphasis mine):

The authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise) and includes the following parameters with the response: [...]

So, when the refresh token is revoked / expired / etc, the Authorization Server is expected to return an HTTP 400. This is caught by the OAuth2ErrorResponseErrorHandler defined in the DefaultRefreshTokenTokenResponseClient, and transformed into an OAuth2AuthorizationException, not a RestClientException. The Authorized Client is correctly deleted.

If you want to have the same behavior in case your Auth Server responds with HTTP 401, you will have to implement a custom DefaultRefreshTokenTokenResponseClient that handles those errors.

Edit: Tagging @sjohnr for visibility.
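
As an added example (not code from this issue or from Spring Security itself), one way to follow the suggestion above: a hypothetical wrapper around DefaultRefreshTokenTokenResponseClient that recognises the "invalid_token_response" exception whose cause is an HTTP 401 from the token endpoint and re-raises it as "invalid_token", so the default RemoveAuthorizedClientOAuth2AuthorizationFailureHandler removes the stale authorized client instead of reusing the dead refresh token. It assumes the default client wraps the RestClientException it caught as the cause of the OAuth2AuthorizationException.

```java
import org.springframework.security.oauth2.client.endpoint.DefaultRefreshTokenTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.web.client.HttpClientErrorException;

/**
 * Hypothetical class (not part of Spring Security). Delegates to the default
 * refresh-token client and relabels a 401 from the token endpoint as
 * "invalid_token", which is in DEFAULT_REMOVE_AUTHORIZED_CLIENT_ERROR_CODES.
 */
public class UnauthorizedAwareRefreshTokenResponseClient
        implements OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> {

    // Error code the default client uses when the HTTP call itself fails
    private static final String INVALID_TOKEN_RESPONSE = "invalid_token_response";

    private final DefaultRefreshTokenTokenResponseClient delegate =
            new DefaultRefreshTokenTokenResponseClient();

    @Override
    public OAuth2AccessTokenResponse getTokenResponse(OAuth2RefreshTokenGrantRequest request) {
        try {
            return this.delegate.getTokenResponse(request);
        } catch (OAuth2AuthorizationException ex) {
            if (isUnauthorizedFromTokenEndpoint(ex)) {
                OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
                        "Token endpoint returned 401 for the refresh token", ex.getError().getUri());
                throw new OAuth2AuthorizationException(error, ex);
            }
            throw ex; // any other failure keeps its original error code
        }
    }

    private static boolean isUnauthorizedFromTokenEndpoint(OAuth2AuthorizationException ex) {
        if (!INVALID_TOKEN_RESPONSE.equals(ex.getError().getErrorCode())) {
            return false;
        }
        // Assumption: the default client attaches the caught RestClientException as the cause
        for (Throwable t = ex.getCause(); t != null; t = t.getCause()) {
            if (t instanceof HttpClientErrorException
                    && ((HttpClientErrorException) t).getStatusCode().value() == 401) {
                return true;
            }
        }
        return false;
    }
}
```

Register it on the refresh-token provider, e.g. `OAuth2AuthorizedClientProviderBuilder.builder().refreshToken(c -> c.accessTokenResponseClient(new UnauthorizedAwareRefreshTokenResponseClient()))`, so the failure handler sees "invalid_token" and evicts the authorized client.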

Comment From: jgrandja

Thanks for the explanation @Kehrlann.

@armanaaquib I'm going to close this as the explanation provided by @Kehrlann is correct and the current behaviour is working as expected.