Repeat the grant request if OidcClient refresh token has expired #21924
Fixes #21873

When `OidcClient` acquires the tokens it gets an access token, and possibly a refresh token. If the access token has expired then, if the refresh token is available, it will use a refresh token grant to get a new access token / refresh token pair; and if no refresh token is available then it will try to get this new pair by repeating the same grant request which was used to acquire the original pair, etc.

What has been reported in #21873 is that when the access token has expired and `OidcClient` uses an available refresh token, it can fail if this refresh token has also expired.

So, when the access token has expired, the same grant request (for example `password`) has to be used to acquire a new pair of tokens not only when the refresh token is not available but also when it is available but has expired too. It is really the only way to address it.

So this PR applies a small update to `TokensHelper` accordingly. Additionally it introduces a `refreshExpiresInProperty`, similarly to how it is done for the standard `expires_in` property. But while `expires_in` is a standard property, no standard property for conveying the refresh token expiry time exists, so it is really needed for the refresh token case. By default it is set to `refresh_expires_in`, which is what Keycloak returns.

`OidcClientImpl` calculates the time the refresh token will expire the same way it does for the access token: first this property is checked, and if it is not available, then, if the RT is a JWT (JSON), it tries to get the expiry claim.

The `OidcClientWiremock` test which refreshes the token has been updated to check that a grant request is repeated when the refresh token has also expired; comments have been added to clarify how the test works.
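Added illustration, not the Quarkus code from this PR: a small Python model of the decision described above, run over constructed sample token responses. The `refresh_expires_in` property name and the JWT `exp` fallback follow the description; the `Tokens` class, `next_request` function and its return labels are made up for the example.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

# Default value of refreshExpiresInProperty per the PR; it is what Keycloak returns.
REFRESH_EXPIRES_IN = "refresh_expires_in"


def jwt_exp(token: str) -> Optional[int]:
    """Return the 'exp' claim of a JWT payload, or None for opaque tokens / no exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (ValueError, AttributeError):
        return None
    return int(exp) if isinstance(exp, (int, float)) else None


@dataclass
class Tokens:  # hypothetical container for the example
    access_token: str
    refresh_token: Optional[str]
    access_expires_at: Optional[int]   # epoch seconds; None = unknown
    refresh_expires_at: Optional[int]  # epoch seconds; None = unknown


def parse_token_response(resp: dict, now: int) -> Tokens:
    """Compute expiry times as described: explicit *_expires_in first, then the JWT exp claim."""
    access_exp = now + int(resp["expires_in"]) if "expires_in" in resp else jwt_exp(resp["access_token"])
    rt = resp.get("refresh_token")
    refresh_exp = None
    if rt is not None:
        refresh_exp = now + int(resp[REFRESH_EXPIRES_IN]) if REFRESH_EXPIRES_IN in resp else jwt_exp(rt)
    return Tokens(resp["access_token"], rt, access_exp, refresh_exp)


def next_request(tokens: Tokens, now: int) -> str:
    """Which request to send: reuse the access token, refresh it, or repeat the original grant.
    An unknown access-token expiry is treated as expired (assumption made for this example)."""
    if tokens.access_expires_at is not None and now < tokens.access_expires_at:
        return "reuse"
    if tokens.refresh_token is None:
        return "repeat-original-grant"
    if tokens.refresh_expires_at is not None and now >= tokens.refresh_expires_at:
        return "repeat-original-grant"  # refresh token expired too: the case this PR fixes
    return "refresh-grant"
```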