You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using the @RegisteredOAuth2AuthorizedClient or OAuth2AuthorizedClient I would like to use the OIDC ID Token instead of the Access Token.
I would like to use the existing functionality around OAuth2AuthorizedClient and OAuth2AuthorizedClientRepository to leverage the persistence of the refresh token and the RefreshTokenOAuth2AuthorizedClientProvider which offers the functionality for refreshing a token.
Current Behavior
Currently, when using the @RegisteredOAuth2AuthorizedClient and OAuth2AuthorizedClient, we only have access to the Access Token and we can only refresh that one.
Context
How has this issue affected you?
What are you trying to accomplish?
We have our own applications, for which we support different OIDC providers thanks to Spring Security. There are some use cases for us where one of the applications is proxying requests to some of the other applications, and in this case the ID Token should be used when communicating over REST.
Additional examples
There are certain APIs that required the usage of the ID Token when communicating over REST instead of the Access Token.
E.g. According to the Google Get an ID token a Google-signed ID token is needed for the following use cases:
Accessing a Cloud Run service
Invoking a Cloud Run function
Authenticated a user to an application secured by Identity-Aware Proxy (IAP)
Making a request to an API deployed with API Gateway or Cloud Endpoints
What other alternatives have you considered?
Currently, we implemented a really ugly solution fully inspired by the OAuth2AuthorizedClientRepository, DefaultOAuth2AuthorizedClientManager and RefreshTokenOAuth2AuthorizedClientProvider.
We first get the OIDC ID Token from the current OidcUser and / or from a repository like the OAuth2AuthorizedClientRepository.
If the token is expired, we then use OAuth2AuthorizedClientRepository to get the OAuth2AuthorizedClient, then we get the refresh token and we do exactly what is being done in RefreshTokenOAuth2AuthorizedClientProvider, the refreshed ID Token is in id_token in the additional parameters in OAuth2AccessTokenResponse.
Once we get the refreshed ID Token, we store it in something similar like the OAuth2AuthorizedClientRepository
I think that it would be good if this was coming natively from Spring Security. If you are open to something like this I would be open in working on a contribution for this.
My current idea is to add an OidcIdToken in the OAuth2AuthorizedClient, expand RefreshTokenOAuth2AuthorizedClientProvider to allow to use a custom attribute in the OAuth2AuthorizationContext to determine which token we want to use (in order to check for the validity and do the refresh). This class will be responsible for parsing the id_token from the additional parameters from the OAuth2AuthorizationContext.
Of course, we need to review the other OAuth2AuthorizedClientProvider(s) to see which places might return an ID Token in addition to an access token.
The text was updated successfully, but these errors were encountered:
Expected Behavior
When using the
@RegisteredOAuth2AuthorizedClient
orOAuth2AuthorizedClient
I would like to use the OIDC ID Token instead of the Access Token.I would like to use the existing functionality around
OAuth2AuthorizedClient
andOAuth2AuthorizedClientRepository
to leverage the persistence of the refresh token and theRefreshTokenOAuth2AuthorizedClientProvider
which offers the functionality for refreshing a token.Current Behavior
Currently, when using the
@RegisteredOAuth2AuthorizedClient
andOAuth2AuthorizedClient
, we only have access to the Access Token and we can only refresh that one.Context
We have our own applications, for which we support different OIDC providers thanks to Spring Security. There are some use cases for us where one of the applications is proxying requests to some of the other applications, and in this case the ID Token should be used when communicating over REST.
There are certain APIs that required the usage of the ID Token when communicating over REST instead of the Access Token.
E.g. According to the Google Get an ID token a Google-signed ID token is needed for the following use cases:
Currently, we implemented a really ugly solution fully inspired by the
OAuth2AuthorizedClientRepository
,DefaultOAuth2AuthorizedClientManager
andRefreshTokenOAuth2AuthorizedClientProvider
.We first get the OIDC ID Token from the current
OidcUser
and / or from a repository like theOAuth2AuthorizedClientRepository
.If the token is expired, we then use
OAuth2AuthorizedClientRepository
to get theOAuth2AuthorizedClient
, then we get the refresh token and we do exactly what is being done inRefreshTokenOAuth2AuthorizedClientProvider
, the refreshed ID Token is inid_token
in the additional parameters inOAuth2AccessTokenResponse
.Once we get the refreshed ID Token, we store it in something similar like the
OAuth2AuthorizedClientRepository
I think that it would be good if this was coming natively from Spring Security. If you are open to something like this I would be open in working on a contribution for this.
My current idea is to add an
OidcIdToken
in theOAuth2AuthorizedClient
, expandRefreshTokenOAuth2AuthorizedClientProvider
to allow to use a custom attribute in theOAuth2AuthorizationContext
to determine which token we want to use (in order to check for the validity and do the refresh). This class will be responsible for parsing theid_token
from the additional parameters from theOAuth2AuthorizationContext
.Of course, we need to review the other
OAuth2AuthorizedClientProvider
(s) to see which places might return an ID Token in addition to an access token.The text was updated successfully, but these errors were encountered: