Associate Refresh Token to OAuth2AuthorizedClient

Fixes gh-5416

Author: jgrandja

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,8 +15,10 @@
  */
 package org.springframework.security.oauth2.client;
 
+import org.springframework.lang.Nullable;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.util.Assert;
 
 /**
@@ -33,11 +35,13 @@
  * @since 5.0
  * @see ClientRegistration
  * @see OAuth2AccessToken
+ * @see OAuth2RefreshToken
  */
 public class OAuth2AuthorizedClient {
 	private final ClientRegistration clientRegistration;
 	private final String principalName;
 	private final OAuth2AccessToken accessToken;
+	private final OAuth2RefreshToken refreshToken;
 
 	/**
 	 * Constructs an {@code OAuth2AuthorizedClient} using the provided parameters.
@@ -47,12 +51,26 @@ public class OAuth2AuthorizedClient {
 	 * @param accessToken the access token credential granted
 	 */
 	public OAuth2AuthorizedClient(ClientRegistration clientRegistration, String principalName, OAuth2AccessToken accessToken) {
+		this(clientRegistration, principalName, accessToken, null);
+	}
+
+	/**
+	 * Constructs an {@code OAuth2AuthorizedClient} using the provided parameters.
+	 *
+	 * @param clientRegistration the authorized client's registration
+	 * @param principalName the name of the End-User {@code Principal} (Resource Owner)
+	 * @param accessToken the access token credential granted
+	 * @param refreshToken the refresh token credential granted
+	 */
+	public OAuth2AuthorizedClient(ClientRegistration clientRegistration, String principalName,
+									OAuth2AccessToken accessToken, @Nullable OAuth2RefreshToken refreshToken) {
 		Assert.notNull(clientRegistration, "clientRegistration cannot be null");
 		Assert.hasText(principalName, "principalName cannot be empty");
 		Assert.notNull(accessToken, "accessToken cannot be null");
 		this.clientRegistration = clientRegistration;
 		this.principalName = principalName;
 		this.accessToken = accessToken;
+		this.refreshToken = refreshToken;
 	}
 
 	/**
@@ -81,4 +99,14 @@ public String getPrincipalName() {
 	public OAuth2AccessToken getAccessToken() {
 		return this.accessToken;
 	}
+
+	/**
+	 * Returns the {@link OAuth2RefreshToken refresh token} credential granted.
+	 *
+	 * @since 5.1
+	 * @return the {@link OAuth2RefreshToken}
+	 */
+	public @Nullable OAuth2RefreshToken getRefreshToken() {
+		return this.refreshToken;
+	}
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

@@ -20,7 +20,6 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
 import org.springframework.util.Assert;
 
@@ -69,13 +68,12 @@ public Authentication authenticate(Authentication authentication) throws Authent
 					authorizationCodeAuthentication.getClientRegistration(),
 					authorizationCodeAuthentication.getAuthorizationExchange()));
 
-		OAuth2AccessToken accessToken = accessTokenResponse.getAccessToken();
-
 		OAuth2AuthorizationCodeAuthenticationToken authenticationResult =
 			new OAuth2AuthorizationCodeAuthenticationToken(
 				authorizationCodeAuthentication.getClientRegistration(),
 				authorizationCodeAuthentication.getAuthorizationExchange(),
-				accessToken);
+				accessTokenResponse.getAccessToken(),
+				accessTokenResponse.getRefreshToken());
 		authenticationResult.setDetails(authorizationCodeAuthentication.getDetails());
 
 		return authenticationResult;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeAuthenticationToken.java

@@ -15,10 +15,12 @@
  */
 package org.springframework.security.oauth2.client.authentication;
 
+import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
 import org.springframework.util.Assert;
 
@@ -40,6 +42,7 @@ public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractAuthenti
 	private ClientRegistration clientRegistration;
 	private OAuth2AuthorizationExchange authorizationExchange;
 	private OAuth2AccessToken accessToken;
+	private OAuth2RefreshToken refreshToken;
 
 	/**
 	 * This constructor should be used when the Authorization Request/Response is complete.
@@ -67,9 +70,26 @@ public OAuth2AuthorizationCodeAuthenticationToken(ClientRegistration clientRegis
 	public OAuth2AuthorizationCodeAuthenticationToken(ClientRegistration clientRegistration,
 														OAuth2AuthorizationExchange authorizationExchange,
 														OAuth2AccessToken accessToken) {
+		this(clientRegistration, authorizationExchange, accessToken, null);
+	}
+
+	/**
+	 * This constructor should be used when the Access Token Request/Response is complete,
+	 * which indicates that the Authorization Code Grant flow has fully completed.
+	 *
+	 * @param clientRegistration the client registration
+	 * @param authorizationExchange the authorization exchange
+	 * @param accessToken the access token credential
+	 * @param refreshToken the refresh token credential
+	 */
+	public OAuth2AuthorizationCodeAuthenticationToken(ClientRegistration clientRegistration,
+														OAuth2AuthorizationExchange authorizationExchange,
+														OAuth2AccessToken accessToken,
+														@Nullable OAuth2RefreshToken refreshToken) {
 		this(clientRegistration, authorizationExchange);
 		Assert.notNull(accessToken, "accessToken cannot be null");
 		this.accessToken = accessToken;
+		this.refreshToken = refreshToken;
 		this.setAuthenticated(true);
 	}
 
@@ -111,4 +131,13 @@ public OAuth2AuthorizationExchange getAuthorizationExchange() {
 	public OAuth2AccessToken getAccessToken() {
 		return this.accessToken;
 	}
+
+	/**
+	 * Returns the {@link OAuth2RefreshToken refresh token}.
+	 *
+	 * @return the {@link OAuth2RefreshToken}
+	 */
+	public @Nullable OAuth2RefreshToken getRefreshToken() {
+		return this.refreshToken;
+	}
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -113,7 +113,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			authorizationCodeAuthentication.getAuthorizationExchange(),
 			oauth2User,
 			mappedAuthorities,
-			accessToken);
+			accessToken,
+			accessTokenResponse.getRefreshToken());
 		authenticationResult.setDetails(authorizationCodeAuthentication.getDetails());
 
 		return authenticationResult;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationToken.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,11 +15,13 @@
  */
 package org.springframework.security.oauth2.client.authentication;
 
+import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.util.Assert;
@@ -46,6 +48,7 @@ public class OAuth2LoginAuthenticationToken extends AbstractAuthenticationToken
 	private ClientRegistration clientRegistration;
 	private OAuth2AuthorizationExchange authorizationExchange;
 	private OAuth2AccessToken accessToken;
+	private OAuth2RefreshToken refreshToken;
 
 	/**
 	 * This constructor should be used when the Authorization Request/Response is complete.
@@ -80,6 +83,27 @@ public OAuth2LoginAuthenticationToken(ClientRegistration clientRegistration,
 											OAuth2User principal,
 											Collection<? extends GrantedAuthority> authorities,
 											OAuth2AccessToken accessToken) {
+		this(clientRegistration, authorizationExchange, principal, authorities, accessToken, null);
+	}
+
+	/**
+	 * This constructor should be used when the Access Token Request/Response is complete,
+	 * which indicates that the Authorization Code Grant flow has fully completed
+	 * and OAuth 2.0 Login has been achieved.
+	 *
+	 * @param clientRegistration the client registration
+	 * @param authorizationExchange the authorization exchange
+	 * @param principal the user {@code Principal} registered with the OAuth 2.0 Provider
+	 * @param authorities the authorities granted to the user
+	 * @param accessToken the access token credential
+	 * @param refreshToken the refresh token credential
+	 */
+	public OAuth2LoginAuthenticationToken(ClientRegistration clientRegistration,
+											OAuth2AuthorizationExchange authorizationExchange,
+											OAuth2User principal,
+											Collection<? extends GrantedAuthority> authorities,
+											OAuth2AccessToken accessToken,
+											@Nullable OAuth2RefreshToken refreshToken) {
 		super(authorities);
 		Assert.notNull(clientRegistration, "clientRegistration cannot be null");
 		Assert.notNull(authorizationExchange, "authorizationExchange cannot be null");
@@ -89,6 +113,7 @@ public OAuth2LoginAuthenticationToken(ClientRegistration clientRegistration,
 		this.authorizationExchange = authorizationExchange;
 		this.principal = principal;
 		this.accessToken = accessToken;
+		this.refreshToken = refreshToken;
 		this.setAuthenticated(true);
 	}
 
@@ -128,4 +153,14 @@ public OAuth2AuthorizationExchange getAuthorizationExchange() {
 	public OAuth2AccessToken getAccessToken() {
 		return this.accessToken;
 	}
+
+	/**
+	 * Returns the {@link OAuth2RefreshToken refresh token}.
+	 *
+	 * @since 5.1
+	 * @return the {@link OAuth2RefreshToken}
+	 */
+	public @Nullable OAuth2RefreshToken getRefreshToken() {
+		return this.refreshToken;
+	}
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManager.java

@@ -120,11 +120,13 @@ private Mono<OAuth2AuthenticationToken> authenticationResult(OAuth2LoginAuthenti
 							authorizationCodeAuthentication.getAuthorizationExchange(),
 							oauth2User,
 							mappedAuthorities,
-							accessToken);
+							accessToken,
+							accessTokenResponse.getRefreshToken());
 					OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
 							authenticationResult.getClientRegistration(),
 							authenticationResult.getName(),
-							authenticationResult.getAccessToken());
+							authenticationResult.getAccessToken(),
+							authenticationResult.getRefreshToken());
 					OAuth2AuthenticationToken result =  new OAuth2AuthenticationToken(
 							authenticationResult.getPrincipal(),
 							authenticationResult.getAuthorities(),

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -138,12 +138,18 @@ public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRe
 				accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
 		}
 
+		String refreshToken = null;
+		if (accessTokenResponse.getTokens().getRefreshToken() != null) {
+			refreshToken = accessTokenResponse.getTokens().getRefreshToken().getValue();
+		}
+
 		Map<String, Object> additionalParameters = new LinkedHashMap<>(accessTokenResponse.getCustomParameters());
 
 		return OAuth2AccessTokenResponse.withToken(accessToken)
 			.tokenType(accessTokenType)
 			.expiresIn(expiresIn)
 			.scopes(scopes)
+			.refreshToken(refreshToken)
 			.additionalParameters(additionalParameters)
 			.build();
 	}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusReactiveAuthorizationCodeTokenResponseClient.java

@@ -118,13 +118,19 @@ public Mono<OAuth2AccessTokenResponse> getTokenResponse(OAuth2AuthorizationCodeG
 									accessToken.getScope().toStringList());
 						}
 
+						String refreshToken = null;
+						if (accessTokenResponse.getTokens().getRefreshToken() != null) {
+							refreshToken = accessTokenResponse.getTokens().getRefreshToken().getValue();
+						}
+
 						Map<String, Object> additionalParameters = new LinkedHashMap<>(
 								accessTokenResponse.getCustomParameters());
 
 						return OAuth2AccessTokenResponse.withToken(accessToken.getValue())
 								.tokenType(accessTokenType)
 								.expiresIn(expiresIn)
 								.scopes(scopes)
+								.refreshToken(refreshToken)
 								.additionalParameters(additionalParameters)
 								.build();
 					});

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,7 +27,6 @@
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
@@ -142,8 +141,6 @@ public Authentication authenticate(Authentication authentication) throws Authent
 					authorizationCodeAuthentication.getClientRegistration(),
 					authorizationCodeAuthentication.getAuthorizationExchange()));
 
-		OAuth2AccessToken accessToken = accessTokenResponse.getAccessToken();
-
 		ClientRegistration clientRegistration = authorizationCodeAuthentication.getClientRegistration();
 
 		if (!accessTokenResponse.getAdditionalParameters().containsKey(OidcParameterNames.ID_TOKEN)) {
@@ -161,7 +158,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		this.validateIdToken(idToken, clientRegistration);
 
 		OidcUser oidcUser = this.userService.loadUser(
-			new OidcUserRequest(clientRegistration, accessToken, idToken));
+			new OidcUserRequest(clientRegistration, accessTokenResponse.getAccessToken(), idToken));
 
 		Collection<? extends GrantedAuthority> mappedAuthorities =
 			this.authoritiesMapper.mapAuthorities(oidcUser.getAuthorities());
@@ -171,7 +168,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			authorizationCodeAuthentication.getAuthorizationExchange(),
 			oidcUser,
 			mappedAuthorities,
-			accessToken);
+			accessTokenResponse.getAccessToken(),
+			accessTokenResponse.getRefreshToken());
 		authenticationResult.setDetails(authorizationCodeAuthentication.getDetails());
 
 		return authenticationResult;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationCodeGrantFilter.java

@@ -198,7 +198,8 @@ private void processAuthorizationResponse(HttpServletRequest request, HttpServle
 		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
 			authenticationResult.getClientRegistration(),
 			currentAuthentication.getName(),
-			authenticationResult.getAccessToken());
+			authenticationResult.getAccessToken(),
+			authenticationResult.getRefreshToken());
 
 		this.authorizedClientService.saveAuthorizedClient(authorizedClient, currentAuthentication);
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java

@@ -173,7 +173,8 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
 			authenticationResult.getClientRegistration(),
 			oauth2Authentication.getName(),
-			authenticationResult.getAccessToken());
+			authenticationResult.getAccessToken(),
+			authenticationResult.getRefreshToken());
 
 		this.authorizedClientService.saveAuthorizedClient(authorizedClient, oauth2Authentication);