Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support refreshing OIDC ID Token #16253

Open
filiphr opened this issue Dec 10, 2024 · 1 comment
Open

Support refreshing OIDC ID Token #16253

filiphr opened this issue Dec 10, 2024 · 1 comment
Assignees
Labels
status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement

Comments

@filiphr
Copy link
Contributor

filiphr commented Dec 10, 2024

Expected Behavior

When using the @RegisteredOAuth2AuthorizedClient or OAuth2AuthorizedClient I would like to use the OIDC ID Token instead of the Access Token.

I would like to use the existing functionality around OAuth2AuthorizedClient and OAuth2AuthorizedClientRepository to leverage the persistence of the refresh token and the RefreshTokenOAuth2AuthorizedClientProvider which offers the functionality for refreshing a token.

Current Behavior

Currently, when using the @RegisteredOAuth2AuthorizedClient and OAuth2AuthorizedClient, we only have access to the Access Token and we can only refresh that one.

Context

How has this issue affected you?
What are you trying to accomplish?

We have our own applications, for which we support different OIDC providers thanks to Spring Security. There are some use cases for us where one of the applications is proxying requests to some of the other applications, and in this case the ID Token should be used when communicating over REST.

Additional examples

There are certain APIs that required the usage of the ID Token when communicating over REST instead of the Access Token.

E.g. According to the Google Get an ID token a Google-signed ID token is needed for the following use cases:

  • Accessing a Cloud Run service
  • Invoking a Cloud Run function
  • Authenticated a user to an application secured by Identity-Aware Proxy (IAP)
  • Making a request to an API deployed with API Gateway or Cloud Endpoints

What other alternatives have you considered?

Currently, we implemented a really ugly solution fully inspired by the OAuth2AuthorizedClientRepository, DefaultOAuth2AuthorizedClientManager and RefreshTokenOAuth2AuthorizedClientProvider.

We first get the OIDC ID Token from the current OidcUser and / or from a repository like the OAuth2AuthorizedClientRepository.
If the token is expired, we then use OAuth2AuthorizedClientRepository to get the OAuth2AuthorizedClient, then we get the refresh token and we do exactly what is being done in RefreshTokenOAuth2AuthorizedClientProvider, the refreshed ID Token is in id_token in the additional parameters in OAuth2AccessTokenResponse.
Once we get the refreshed ID Token, we store it in something similar like the OAuth2AuthorizedClientRepository

I think that it would be good if this was coming natively from Spring Security. If you are open to something like this I would be open in working on a contribution for this.
My current idea is to add an OidcIdToken in the OAuth2AuthorizedClient, expand RefreshTokenOAuth2AuthorizedClientProvider to allow to use a custom attribute in the OAuth2AuthorizationContext to determine which token we want to use (in order to check for the validity and do the refresh). This class will be responsible for parsing the id_token from the additional parameters from the OAuth2AuthorizationContext.

Of course, we need to review the other OAuth2AuthorizedClientProvider(s) to see which places might return an ID Token in addition to an access token.

@filiphr filiphr added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Dec 10, 2024
@sjohnr
Copy link
Member

sjohnr commented Dec 17, 2024

Related gh-15509

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement
Projects
None yet
Development

No branches or pull requests

2 participants