OAuth2AccessTokenResponse.Builder does not set expiresAt from refresh token

[MatCuk]

Describe the bug
OAuth2RefreshToken always sets expiresAt to null
https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2RefreshToken.java

To Reproduce
Have refresh token with "exp" field set.

Expected behavior
org.springframework.security.oauth2.core.OAuth2RefreshToken should have expiresAt set from JWT.

Sample
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJtYXRjdWsiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYXRpIjoiZDcyMzgxNDUtMDIzZS00ZWMzLTk0MDItMzAyMDVjM2JlNGJjIiwiZXhwIjoxNTkyMzU2OTAzLCJqdGkiOiI1OTcxZWI3ZS1kOTYyLTRiZmMtODJmYS1kZDYyZTc2NjQ3ZGEifQ.QgQYBkOdkxzuulo9Ka0k9GlRRCXxY1WCTY52zF9Geg0

{ "user_name": "matcuk", "scope": [ "read", "write" ], "ati": "d7238145-023e-4ec3-9402-30205c3be4bc", "exp": 1592356903, "jti": "5971eb7e-d962-4bfc-82fa-dd62e76647da" }

So to me it looks like exp field is ignored in case of refresh token.

Note that access token would have different expiresAt (5 minutes vs 12 hours).

[jgrandja]

@MatCuk

As per spec, in Section 5.1. Successful Response, the expires_in parameter is the lifetime in seconds for the access token. There is no equivalent for expires_in for refresh_token.

I'm going to close this as "implemented per spec".

[MatCuk]

Hi, ok thanks for reply. Then it seems the app is setting expires at to refresh token and rejecting it after that even it should not. Is there any simple way to handle this on client side? Like to evict refresh token. Implement custom ReactiveClientRegistrationRepository ?

[jgrandja]

@MatCuk I don't fully understand...

it seems the app is setting expires at to refresh token and rejecting it after that even it should not

Can you put together a minimal sample that reproduces the issue so I can better understand the issue you are facing?

[windmueller]

@jgrandja I am a bit confused here. Expiration support for refresh tokens has been added with #9146. However, OAuth2AccessTokenResponse still sets the expiration date to null.