From 5eff09070048b97315eef76fc90ed0bc587f5c24 Mon Sep 17 00:00:00 2001
From: Joe Grandja <10884212+jgrandja@users.noreply.github.com>
Date: Wed, 13 Aug 2025 10:15:07 -0400
Subject: [PATCH] Polish gh-2131
---
 ...th2RefreshTokenAuthenticationProvider.java | 8 +++++---
 ...freshTokenAuthenticationProviderTests.java | 19 +++++++++++--------
 2 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java
index ec8c617f..9d20316d 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java
@@ -215,10 +215,12 @@ public final class OAuth2RefreshTokenAuthenticationProvider implements Authentic
 // ----- Refresh token -----
 OAuth2RefreshToken currentRefreshToken = refreshToken.getToken();
 if (!registeredClient.getTokenSettings().isReuseRefreshTokens()) {
+ // @formatter:off
 tokenContext = tokenContextBuilder
 .tokenType(OAuth2TokenType.REFRESH_TOKEN)
- .authorization(authorizationBuilder.build()) // allows refresh token to retrieve access token
+ .authorization(authorizationBuilder.build()) // Refresh token generator/customizer may need access to the access token
 .build();
+ // @formatter:on
 OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(tokenContext);
 if (!(generatedRefreshToken instanceof OAuth2RefreshToken)) {
 OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR,
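Review bot: The reworded comment on the `.authorization(authorizationBuilder.build())` line says why the authorization is passed but not what it contains: it is a snapshot built before the ID token is added to the builder (the hunk at line 256 adds the ID token afterwards), so a refresh-token generator or customizer sees the newly generated access token but not the ID token. Making that explicit would save the next maintainer a trace: `// Snapshot of the authorization containing the new access token; tokens added to authorizationBuilder after this point (e.g. the ID token) are not visible here`. Since the context now carries a live bearer token value, it is also worth a caution that a custom token customizer which logs or persists its context would expose that token; no such customizer is visible in this hunk, so that is a caveat rather than a defect. The enclosing method continues outside the hunk.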
@@ -256,8 +258,8 @@ public final class OAuth2RefreshTokenAuthenticationProvider implements Authentic
 idToken = new OidcIdToken(generatedIdToken.getTokenValue(), generatedIdToken.getIssuedAt(),
 generatedIdToken.getExpiresAt(), ((Jwt) generatedIdToken).getClaims());
- authorizationBuilder.token(idToken, metadata ->
- metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
+ authorizationBuilder.token(idToken,
+ (metadata) -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
 }
 else {
 idToken = null;
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java
index e3d1d062..795328c3 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java
@@ -329,14 +329,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
 OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) this.authenticationProvider
 .authenticate(authentication);
- ArgumentCaptor oAuth2TokenContextCaptor = ArgumentCaptor.forClass(OAuth2TokenContext.class);
- verify(this.tokenGenerator, times(2)).generate(oAuth2TokenContextCaptor.capture());
- // tokenGenerator is first invoked for generating a new access token and then for generating the refresh token for this access token
- List tokenContexts = oAuth2TokenContextCaptor.getAllValues();
- assertThat(tokenContexts).hasSize(2);
- assertThat(tokenContexts.get(0).getAuthorization().getAccessToken().getToken().getTokenValue()).isEqualTo("access-token");
- assertThat(tokenContexts.get(1).getAuthorization().getAccessToken().getToken().getTokenValue()).isEqualTo("refreshed-access-token");
-
 ArgumentCaptor authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
 verify(this.authorizationService).save(authorizationCaptor.capture());
 OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
@@ -344,6 +336,17 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
 assertThat(accessTokenAuthentication.getRefreshToken())
 .isEqualTo(updatedAuthorization.getRefreshToken().getToken());
 assertThat(updatedAuthorization.getRefreshToken()).isNotEqualTo(authorization.getRefreshToken());
+
+ ArgumentCaptor tokenContextCaptor = ArgumentCaptor.forClass(OAuth2TokenContext.class);
+ verify(this.tokenGenerator, times(2)).generate(tokenContextCaptor.capture());
+ // tokenGenerator is first invoked for generating a new access token and then for
+ // generating the refresh token
+ List tokenContexts = tokenContextCaptor.getAllValues();
+ assertThat(tokenContexts).hasSize(2);
+ assertThat(tokenContexts.get(0).getAuthorization().getAccessToken().getToken().getTokenValue())
+ .isEqualTo("access-token");
+ assertThat(tokenContexts.get(1).getAuthorization().getAccessToken().getToken().getTokenValue())
+ .isEqualTo("refreshed-access-token");
 }
 @Test
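Review bot: The added assertions on `tokenContexts.get(0)` and `tokenContexts.get(1)` pin the access-token value each generator call saw, but not which token type each call was for, so the ordering the comment states (access token first, refresh token second) is only checked indirectly through `getAllValues()` order. Asserting the type on each context would make the test fail clearly if the provider's call order ever changes: `assertThat(tokenContexts.get(0).getTokenType()).isEqualTo(OAuth2TokenType.ACCESS_TOKEN);` and `assertThat(tokenContexts.get(1).getTokenType()).isEqualTo(OAuth2TokenType.REFRESH_TOKEN);` (assuming `OAuth2TokenType` is already imported in this test). The type arguments on `ArgumentCaptor` and `List` look like they were dropped by the page rendering; if they are genuinely raw types in the source, `ArgumentCaptor<OAuth2TokenContext>` and `List<OAuth2TokenContext>` would avoid unchecked warnings. The enclosing test method starts outside the hunk.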