How to force client-credentials flow in micronaut-security to request a new access token when the resource client returns a Unauthorised response

Question

I have a micro service that is using micronaut-security's oauth2 cliient-credentials flow to obtain an access token and propagate the same to a resourceClient in the header.

I want to know if there is a way to get a new access token in the client-credentials flow when the existing token is revoked for some reason and the resourceClient returns 401 Unauthorised response.

I've verified that if I call the resourceClient concurrently with multiple requests the access token remains the same and new access token is only fetched after the token expires.

Ive looked through the code in AbstractClientCredentialsClient on how it requests for a token either from the cache or from the auth server based on some criteria.

Does any one know. how I can achieve requesting new tokens on 401 responses from the resource client please, any examples would be great. micronaut version 3.9.3

Answer 1

If your micro-service is obtaining an access token, it is the Client. In OAuth2, only the Client requets an access token. It makes no sense to propagate it to a "resourceClient"(what is that?), for it is a client credentials flow which is designed for server-to-server auth.

When the token is revoked, the client got 401 from the resource server, at this point it could choose to reauthenticate itself: simply call requestToken() with "force" set to true.

How to call it? There should be a ClientCredentialsClient instance in the client JVM if configured via yaml (micronaut.security.oauth2.clients) or java, just inject it and call the method on receiving 401.