spring-security icon indicating copy to clipboard operation
spring-security copied to clipboard
verified publisher icon spring-projects

Consider adding support for requesting refresh_token with offline_access scope

Open nverbos-godaddy opened this issue 2 years ago • 5 comments

Expected Behavior I want to add support for the offline_access scope as described in the openid-connect rfc. When the offline_access scope is requested, then a refresh token is issued.

Current Behavior Currently the spring-authorization-server project issues a refresh token when a RegisteredClient contains AuthorizationGrantType.REFRESH_TOKEN. I would like to change this behavior so that the the client must request the offline_access scope in order for a refresh token to be issued.

Context What is the best way to add support for this? Initially, I tried copying all of the code from OAuth2AuthorizationCodeAuthenticationProvider into my own custom implementation and edited the conditional statement that determines whether or not refresh token should be issued. However, I would like to avoid copying and overriding this for maintainability reasons. Is there a way to customize this for our implementation? Is this a feature that we could add to directly to the spring-authorization-server project?

Related spring-projects/spring-authorization-server#501 spring-projects/spring-authorization-server#1430

nverbos-godaddy avatar Oct 23 '23 20:10 nverbos-godaddy

@nverbos-godaddy

I would like to change this behavior so that the the client must request the offline_access scope in order for a refresh token to be issued

Can you provide more details on your use case? Why do you need to change this behaviour?

I tried copying all of the code from OAuth2AuthorizationCodeAuthenticationProvider into my own custom implementation and edited the conditional statement that determines whether or not refresh token should be issued

In order to support the offline_access scope within the framework, there are a few other requirements that need to be considered, for example:

MUST ensure that the prompt parameter contains consent

FYI, the prompt parameter is currently not supported either spring-projects/spring-authorization-server#501

jgrandja avatar Oct 27 '23 14:10 jgrandja

Can you provide more details on your use case? Why do you need to change this behaviour?

We want clients to explicitly request a refresh token, only when it is needed. We also want to display special text to users on the consent page when offline_access is requested. The special text on the consent page will let our users know that this client application will maintain access to their account, even when they are offline and not using the app. When the app does not need a refresh token, then it does not include the offline_access and we do not need to display this special text on the consent page.

nverbos-godaddy avatar Oct 27 '23 18:10 nverbos-godaddy

@nverbos-godaddy Thanks for the extra details. We will consider adding this enhancement depending on demand, which we assess based on upvotes on this issue.

Is there a way to customize this for our implementation?

Please keep track of spring-projects/spring-authorization-server#1430 as it will likely provide a hook that will allow you to customize and implement offline_access in your application.

jgrandja avatar Oct 31 '23 09:10 jgrandja

@nverbos-godaddy Please take a look at spring-projects/spring-authorization-server#1432, specifically this commit as it provides 2 tests that demonstrate how you can customize and implement partial support for offline_access in your application.

jgrandja avatar Nov 02 '23 19:11 jgrandja

This issue was transferred from spring-projects/spring-authorization-server (see spring-authorization-server#2195)

jgrandja avatar Dec 10 '25 10:12 jgrandja