refresh_token flow issues while using external identity providers only #7
I believe you do need to check user accounts are still valid on refresh (the app will work if you don't but it's not doing a very good job of identity management, is it?). To do that actually requires a |
If I understand you correctly, it should be enough to implement a class (let's say |
Yes. That's the correct API I believe. |
Good. I'm quite new to Spring Security/Oauth, so not everything is clear to me. |
If there is only one provider (the vanilla use case in this tutorial) it's easy - you just inject an If there are multiple providers I guess we need to work a bit harder. Then, you were right the first time, we need a full |
I am not sure about this part. While refreshing token, to my custom |
The |
I have used an example of auth-server to write my own authorization server (only slight changes that should not make a difference) that uses external identity providers and issues its own access tokens (JWT, but I don't think that matters in this case). When the access token expires, the Spring Oauth2 client tries to refresh the access token by using the refresh_token flow that is enabled in the authorization server. In the DefaultTokenServices class there is a method refreshAccessToken which, apart from refreshing the token, also tries to re-authenticate the user using authenticationManager. And it causes a problem because, as I said, my authorization server uses only external identity providers and therefore authorizationManager can't reauthenticate the user. Am I missing something?
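One way to wire the refresh-time account check discussed in this thread, as an added example that is not code from the project or from any commenter. On refresh, `DefaultTokenServices` hands its `AuthenticationManager` a `PreAuthenticatedAuthenticationToken` rather than a password, so the manager only has to confirm the account is still valid. `RefreshTimeUserCheck`, `ExternalAccountDirectory` and the `ROLE_USER` authority are hypothetical names chosen for illustration.

```java
import java.util.Collections;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class RefreshTimeUserCheck {
    // Hypothetical: the server's own record of users who signed in through external providers.
    public interface ExternalAccountDirectory { boolean isActive(String username); }

    // No credentials exist locally; this only answers "is the account still valid?".
    static UserDetailsService userDetailsService(ExternalAccountDirectory directory) {
        return username -> {
            if (!directory.isActive(username)) {
                throw new UsernameNotFoundException("account no longer valid: " + username);
            }
            // Placeholder password and authority (assumptions); neither is checked on refresh.
            return new User(username, "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
        };
    }

    // Accepts the pre-authenticated token and resolves it by the name stored at login.
    static AuthenticationManager refreshAuthenticationManager(ExternalAccountDirectory directory) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
            new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService(directory)));
        return new ProviderManager(Collections.singletonList(provider));
    }

    // A rejected lookup makes the refresh fail instead of silently extending the session.
    static void configure(DefaultTokenServices tokenServices, ExternalAccountDirectory directory) {
        tokenServices.setSupportRefreshToken(true);
        tokenServices.setAuthenticationManager(refreshAuthenticationManager(directory));
    }
}
```

The username passed to the lookup is whatever `getName()` returned for the user's authentication at login, so with several external providers the directory key has to distinguish accounts from different providers.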