OAuth2AuthorizedClient doesn't get removed when 403 returned by Resource Server #13437
Labels:
in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: feedback-provided (Feedback has been provided)
type: enhancement (A general enhancement)
Describe the bug
When configuring `WebClient` using `ServerOAuth2AuthorizedClientExchangeFilterFunction` with `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager`, if the resource server returns 403, the `OAuth2AuthorizedClient` doesn't get removed.

To Reproduce
When using the above `oauth2WebClient` to make a call to a resource server and the resource server returns 403, a subsequent call to the resource server uses the old access token.
Expected behavior
When using the above `oauth2WebClient` to make a call to a resource server and the resource server returns 403, a subsequent call to the resource server should retrieve a new access token from the authorization server.
Initial thoughts
`RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler` is initialized with `DEFAULT_REMOVE_AUTHORIZED_CLIENT_ERROR_CODES`, which contains only `INVALID_TOKEN` and `INVALID_GRANT`. However, with 403 returned by the resource server, `ServerOAuth2AuthorizedClientExchangeFilterFunction#AuthorizationFailureForwarder` maps 403 to `INSUFFICIENT_SCOPE`. This causes the condition `hasRemovalErrorCode()` in `RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler#onAuthorizationFailure` not to be satisfied, hence the `OAuth2AuthorizedClient` doesn't get removed.

Referenced code: spring-security/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler.java, lines 113 to 120 in 1ff5eb6
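The following is an added configuration example, not code from the issue author or from the Spring Security project, showing how the filter function's failure handler can be replaced with a `RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler` whose removal set also contains `insufficient_scope`, so that a 403 from the resource server evicts the stored client. The class and bean names are assumed; the `WebClient` is built with the same manager and filter function the issue describes.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.web.reactive.function.client.WebClient;

// Hypothetical configuration class; names are assumptions for this example.
@Configuration
public class OAuth2WebClientConfig {

	@Bean
	WebClient oauth2WebClient(ReactiveClientRegistrationRepository clientRegistrations,
			ReactiveOAuth2AuthorizedClientService authorizedClientService) {

		AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager manager =
				new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
						clientRegistrations, authorizedClientService);

		ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
				new ServerOAuth2AuthorizedClientExchangeFilterFunction(manager);

		// The default set is invalid_token + invalid_grant. A 403 from the resource
		// server is mapped to insufficient_scope, so it is added here; otherwise the
		// stale OAuth2AuthorizedClient is kept and re-sent on the next call.
		Set<String> removalCodes = Set.of(
				OAuth2ErrorCodes.INVALID_TOKEN,
				OAuth2ErrorCodes.INVALID_GRANT,
				OAuth2ErrorCodes.INSUFFICIENT_SCOPE);

		// The remover mirrors what the manager does by default: drop the client
		// stored under this registration id and principal name.
		RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler failureHandler =
				new RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler(
						(clientRegistrationId, principal, attributes) ->
								authorizedClientService.removeAuthorizedClient(
										clientRegistrationId, principal.getName()),
						removalCodes);

		// This handler is the one invoked for 401/403 responses from the resource server.
		oauth2.setAuthorizationFailureHandler(failureHandler);

		return WebClient.builder().filter(oauth2).build();
	}
}
```

Removing on `insufficient_scope` means every 403 triggers a fresh token request on the next call, so if the client registration genuinely lacks the required scope this produces a token request per failed call rather than a fix; check the registered scopes first if 403s persist after the new token is issued.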
Work Around