Fixes to refresh tokens. #15508

Merged
merged 4 commits into from
Jun 30, 2021
Conversation

@mshima mshima commented Jun 30, 2021


Please make sure the below checklist is followed for Pull Requests.

When you are still working on the PR, consider converting it to Draft (below reviewers) and adding the skip-ci label; you can still see the CI build result on your branch.

mshima commented Jun 30, 2021

@mraible I couldn't get reactive to work for redirecting to the oauth2 login URL.

.authorizationCode()
.refreshToken(builder -> builder.clockSkew(Duration.ofMinutes(1)))
.clientCredentials()
.password()
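Review bot: `.password()` on the authorized client provider builder enables the resource-owner password credentials grant, which a login built on `.authorizationCode()` plus `.refreshToken(...)` does not need; unless some flow in the app really collects user passwords, drop it so the client manager only has the grants the app uses. The `clockSkew(Duration.ofMinutes(1))` on the refresh provider is sensible: it renews the token shortly before expiry so a request does not race the expiry boundary.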
Contributor
This looks strange. Why do we need a password here and where does it come from?

@bdemers Can you have a look at this? We're trying to get refresh tokens working in JHipster.

@@ -46,6 +46,7 @@ public class OAuth2ReactiveRefreshTokensWebFilter implements WebFilter {
.filter(principal -> principal instanceof OAuth2AuthenticationToken)
.cast(OAuth2AuthenticationToken.class)
.flatMap(authentication -> authorizedClient(exchange, authentication))
.onErrorResume(e -> Mono.empty())
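Review bot: `.onErrorResume(e -> Mono.empty())` swallows every error from `authorizedClient(...)`, not only the expired-token case described in the comment, so a misconfigured client registration or a failed call to the token endpoint also silently degrades to "no authorized client" and the request continues as if no refresh had been attempted. Narrow it to the exception the refresh actually raises (for example `.onErrorResume(ClientAuthorizationException.class, e -> ...)`) and log the cause at least at debug level so the fallback stays diagnosable.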
Member Author
It should redirect to the oauth2 login here.
If the token is expired, an error is returned.

mshima commented Jun 30, 2021

Merging.
It fixes a problem with expired tokens, where the session gets stuck in a broken state.
The refresh token still works correctly.

Reverts the old behavior of expired tokens for reactive and redirects to oauth2 login for non-reactive.

Discussion can continue.
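As an added illustration of the non-reactive behaviour this comment describes (refresh the access token when possible, otherwise drop the stale session and send the user back to the OAuth2 login), here is a servlet filter written for this note; it is not JHipster's own class. It assumes Spring Security 5.x with an `OAuth2AuthorizedClientManager` configured with the authorization_code and refresh_token providers, and the default `/oauth2/authorization/{registrationId}` login entry point.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class name; the manager is assumed to be configured with the
// authorization_code and refresh_token providers shown in the PR.
public class RefreshOrReloginFilter extends OncePerRequestFilter {
    private final OAuth2AuthorizedClientManager clientManager;

    public RefreshOrReloginFilter(OAuth2AuthorizedClientManager clientManager) {
        this.clientManager = clientManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof OAuth2AuthenticationToken) {
            OAuth2AuthenticationToken token = (OAuth2AuthenticationToken) authentication;
            String registrationId = token.getAuthorizedClientRegistrationId();
            OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
                .withClientRegistrationId(registrationId)
                .principal(token)
                .attribute(HttpServletRequest.class.getName(), request)
                .attribute(HttpServletResponse.class.getName(), response)
                .build();
            try {
                // Renews an expired (or within-clock-skew) access token via the refresh_token grant.
                clientManager.authorize(authorizeRequest);
            } catch (ClientAuthorizationException e) {
                // Refresh impossible (refresh token expired/revoked): clear the stale session
                // instead of leaving it stuck, and restart login for this registration.
                SecurityContextHolder.clearContext();
                if (request.getSession(false) != null) request.getSession(false).invalidate();
                response.sendRedirect(request.getContextPath() + "/oauth2/authorization/" + registrationId);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```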

@mshima mshima merged commit 9d12776 into jhipster:main Jun 30, 2021
@mshima mshima deleted the skip_ci-oauth2_refresh branch June 30, 2021 12:28
}

@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws IOException, ServletException {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if ((authentication instanceof OAuth2AuthenticationToken)) {
Contributor
Can remove the doubled parentheses.

@pascalgrimaud pascalgrimaud added this to the 7.2.0 milestone Jul 4, 2021