refresh access token spring webflux

[germanicus9]

Hello,

I have a jHipster Spring Boot Webflux app. and the next filter:

public class OAuth2ReactiveRefreshTokensWebFilter implements WebFilter {

    private final ReactiveOAuth2AuthorizedClientManager clientManager;

    public OAuth2ReactiveRefreshTokensWebFilter(ReactiveOAuth2AuthorizedClientManager clientManager) {
        this.clientManager = clientManager;
    }

    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
       return ReactiveSecurityContextHolder.getContext()
           .map(SecurityContext::getAuthentication)
           .filter(authentication -> authentication instanceof OAuth2AuthenticationToken)
           .cast(OAuth2AuthenticationToken.class)
           .flatMap(authentication -> {
               String clientRegistrationId = authentication.getAuthorizedClientRegistrationId();
               return clientManager.authorize(OAuth2AuthorizeRequest.withClientRegistrationId(clientRegistrationId)
                   .principal(authentication)
                   .attributes(attrs -> attrs.put(ServerWebExchange.class.getName(), exchange)).build())
                   .flatMap(authorizedClient -> {
                       OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
                       if (isTokenExpired(accessToken)) {
                           return refreshAccessToken(authorizedClient, authentication, exchange, chain);
                       } else {
                           return chain.filter(exchange);
                       }
                   });
           }).switchIfEmpty(chain.filter(exchange));
    }

The behaviour is the following:
this branch else {return chain.filter(exchange);} is called every time when I access the app and the access token is renewed automatically when the accessToken is expired. How is this done, by whom?
this branch return refreshAccessToken(authorizedClient, authentication, exchange, chain); is never called. Why?
In concluzion apparently OAuth2ReactiveRefreshTokensWebFilter do nothing!?? What is the goal of this filter?

On the other hand if I stay 10 min in idle mode (no click) I receive
org.springframework.security.oauth2.client.ClientAuthorizationRequiredException: [client_authorization_required] Authorization required for Client Registration Id: oidc (probably for /api/account). Who throws this error and how should be controlled?
Is there any example?

Waiting for your comments. Thank you!!

[germanicus9]

According to https://www.baeldung.com/spring-webclient-oauth2
Spring Security 5 refresh tokens automatically

On the other hand there is an AuthorizationCodeReactiveOAuth2AuthorizedClientProvider which throws ClientAuthorizationRequiresException.
However I do not know when this AuthorizationCodeReactiveOAuth2AuthorizedClientProvider is triggered (10 min idle?!) .

[mshima]

By default token will be refreshed 1 min before expire:

generator-jhipster/generators/server/templates/src/main/java/_package_/config/OAuth2Configuration.java.ejs

Line 30 in a50c88e

.refreshToken(builder -> builder.clockSkew(Duration.ofMinutes(1)))

Once expired a new login is required.

[mraible]

If you're passing in an offline_access scope, you should get a refresh token and it should automatically renew when the access token expires. This blog post shows how I was able to make them work with just Spring Boot and Spring Cloud. https://auth0.com/blog/java-spring-boot-microservices/#Spring-Boot-Microservices-and-Refresh-Tokens

[germanicus9]

I cannot use offline_access scope because I do not use Okta. However Spring Security 5 do refresh access_token automatically.
The problem is that I don't know how to control idle period for OAuth2AuthorizationContext (throws ClientAuthorizationRequiredException after 10 min of inactivity) and also I do not understand what suppose to do with OAuth2ReactiveRefreshTokenWebFilter generated together with jhipster 8.4.9 in this project repo?

[mraible]

The offline_access scope is not specific to Okta. It should work with any OAuth 2.0 server.

[germanicus9]

Yes, but not work with my OIDC server unfortunately.
In AuthorizationCodeReactiveOAuth2AuthorizedClientProvider is stated: Throws ClientAuthorizationRequiredException - in order to trigger authorization in which the OAuth2AuthrorizationRequestRedirectWebFilter will catch and initiate the authorization.
Is there an example implementation somewhere (in this respect)?

I think is the same problem like: github.com//issues/9707
Is there any solution here? What is the conclusion? At least can I prolong/extend the idle time before authorization_token expires?

[mshima]

@germanicus9 the answer is here #26616 (comment).
Increasing clock skew will force the token to be renewed in the timeframe before expiring.

[germanicus9]

Basically I redone the OAuth2ReactiveRefreshTokensWebFilter and now if I walk through the the application, the filter is called and access_token and refresh_token are changed accordingly. I use
private boolean isTokenExpired(Oauth2AccessToken accessToken) { return accessToken.getExpired()).minus(1, ChronUnit.Minutes).isBefore(Instant.now().
My problem is that in idle mode after refresh_token expiration I get an error (which is normal).
Is not clear what this @bean does:

        authorizedClientManager.setAuthorizedClientProvider(
            OAuth2AuthorizedClientProviderBuilder
                .builder()
                .authorizationCode()
                .refreshToken(builder -> builder.clockSkew(Duration.ofMinutes(1)))
                .clientCredentials()
                .build()
        );

refreshes token automatically regardless inactivity period or what? @mshima can provide more details, pls?

[mshima]

clockSkew is used to avoid token timestamp validation and the server timestamp differences conflict.
The token timestamp will be validated according the server timestamp plus the clockSkew.
If the token is expired according to the validation it will be renewed.
The default clockSkew provided by Spring Boot is 60s like the configuration.

So if clockSkew is half of token validation, the token will be refreshed after half of its lifetime.
I don't know if there is a downside in this approach, but IFAIK it's the only way to make Spring Boot refresh it automatically.
In any case this is quite technical question so you should post in stackoverflow to get a broader Spring Boot audience.