How to refresh OAuth2 token with Spring Security 5 OAuth2 client and RestTemplate

Question

Spring Security 5.1.0.M2 (release notes) added support for automatic refreshing of tokens when using WebClient. However, I am using RestTemplate. Is there a similar mechanism for RestTemplate or do I need to implement that behavior myself?

The OAuth2RestTemplate class looks promising but it's from the separate Spring Security OAuth module and I would like to use plain Spring Security 5.1 on the client if possible.

If it is acceptable to use [WebClient instead of RestTemplate](https://stackoverflow.com/questions/47974757/webclient-vs-resttemplate), maybe you can use the [described](https://github.com/spring-projects/spring-security/issues/4371) solution. — m4gic, Oct 01 '18 at 12:23
@m4gic, not for now because the REST client will be generated by swagger codegen. — Steffen Harbich, Oct 01 '18 at 13:40
Hm it seems it will be [not easy](https://stackoverflow.com/questions/30342833/can-swagger-code-gen-sdks-handle-oauth-token-refresh) — m4gic, Oct 01 '18 at 13:46

score 7 · Accepted Answer · answered Oct 02 '18 at 13:42

7

OAuth2RestTemplate Will refresh tokens automatically. RestTemplate will not (refresh tokens is part of the OAut2 spec, hence the OAuth2RestTemplate.

You have 2 options:

Use Spring Security OAuth2 module and everything will work pretty much out of the box (configuration properties provided by Spring)
Create your own RestTemplate based on Spring's OAut2RestTemplate

Spring's OAuth2 module will be integrated into Spring Security in the future. I would go for option 1.

answered Oct 02 '18 at 13:42

JohanB

2,068
1
15
15

4

Can you point to an official documentation that says Tokens are refreshed automatically. For my application with authorization code grant type, they are not being refreshed and things stop working after 1 hour(expiration time of access token) – Nikhil Sahu Dec 05 '18 at 07:56
@Nikhil for me the samething happening. Application stoped working after the accessToken expires. Did you manage to fix the issue? – Minisha Feb 11 '20 at 09:25
@Minisha there is a certain configuration(don't remember exactly) that needs to be changed so that control flow automatically goes into refresh token flow when auth tokens have expired. Use `OAuth2RestTemplate` and go inside the control flow to debug this. – Nikhil Sahu Apr 24 '20 at 16:50
I was able to resolve my issue with automatically refresh token using `OAuth2AuthorizedClientManager`. I'm using authorization grant. – user3396478 Jan 25 '23 at 16:05

Adomas · Answer 2 · 2019-11-28T12:32:23.317

OAuth2RestTemplate should be used instead of RestTemplate when JWT authentication is required. You can set AccessTokenProvider to it, which will tell how the JWT token will be retrieved: oAuth2RestTemplate.setAccessTokenProvider(new MyAccessTokenProvider());

In class implementing AccessTokenProvider you need to implement obtainAccessToken and refreshAccessToken methods. So in obtainAccessToken method it can be checked if token is expired, and if it is - token is retrieved through refreshAccessToken. Sample implementation (without the details of actual token retrieval and refreshing):

public class MyAccessTokenProvider implements AccessTokenProvider {

    @Override
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest parameters)
        throws UserRedirectRequiredException, UserApprovalRequiredException, AccessDeniedException {
        if (parameters.getExistingToken() != null && parameters.getExistingToken().isExpired()) {
            return refreshAccessToken(details, parameters.getExistingToken().getRefreshToken(), parameters);
        }

        OAuth2AccessToken retrievedAccessToken = null;
        //TODO access token retrieval
        return retrievedAccessToken;
    }

    @Override
    public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
        return false;
    }

    @Override
    public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resource,
                                                OAuth2RefreshToken refreshToken, AccessTokenRequest request)
        throws UserRedirectRequiredException {

        OAuth2AccessToken refreshedAccessToken = null;
        //TODO refresh access token
        return refreshedAccessToken;
    }

    @Override
    public boolean supportsRefresh(OAuth2ProtectedResourceDetails resource) {
        return true;
    }
}

Did not find a way for Spring to call the refreshAccessToken automatically, if someone knows how to do that - please share.

@Minisha, no, stayed with the solution described in this answer. — Adomas, Feb 11 '20 at 10:30
access token retrieval in here you wrote a restTemplate call to get the token isnt? — Minisha, Feb 11 '20 at 19:11
can you share the repo? when the token expired, I am getting 401 — Minisha, Feb 11 '20 at 23:13
@Minisha, to retrieve the token you do a simple post to the authentication service — Adomas, Feb 12 '20 at 09:20
sure. for me none of the solution worked. So I gotta set the accessToken to null manually. — Minisha, Feb 12 '20 at 09:48

How to refresh OAuth2 token with Spring Security 5 OAuth2 client and RestTemplate

2 Answers2