When using the following configuration:

```java
OAuth2AuthorizedClientProvider authorizedClientProvider =
        OAuth2AuthorizedClientProviderBuilder.builder()
                .password()
                .refreshToken()
                .build();
```

in case a refresh token is expired, the call to some endpoint will result in a 401. After that the refresh grant will be removed and then on the next call the password grant will be used.

If you include a validity check of the refresh token in PasswordOAuth2AuthorizedClientProvider at lines 100-101, i.e. to check whether the refresh token is valid and not just whether it is present, then this would automatically use the password grant and we would get a new access and refresh token without needing to make a new call after the 401.

Comment From: sjohnr

@adnanalicic thanks for the report. Given that the password grant type should not be used and is deprecated in the framework, I'm not sure enhancements make sense to pursue here. Also, I don't believe that the application should be able to request a new access token with the resource owner's credentials after a refresh token expires because that implies the application is hanging onto the credentials.

Given the above explanation, I'm going to close this issue.