
Conversation

@therepanic
Contributor

Recently, I needed to use custom logic for validation, but this was not possible without making changes to the current code. Here, I present a strategy interface that can be replaced with a custom implementation via a setter if desired. This is described here: spring-projects/spring-authorization-server#1941, and also here: #18018 (comment).

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 22, 2025
@therepanic therepanic force-pushed the add-generic-request-validator-for-refresh-token branch 4 times, most recently from bb9e067 to a7abc94 on October 22, 2025 14:19
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
@therepanic therepanic force-pushed the add-generic-request-validator-for-refresh-token branch from a7abc94 to dcc85d8 on October 22, 2025 15:03
@jgrandja jgrandja changed the title Add generic request validator for refresh token Add request validator for refresh token grant Oct 31, 2025
@jgrandja jgrandja self-assigned this Oct 31, 2025
@jgrandja jgrandja added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 31, 2025
@jgrandja jgrandja added this to the 7.1.0-M1 milestone Oct 31, 2025
@jgrandja
Contributor

Thanks for the PR @therepanic. I'll review this after we release 7.0. In the meantime, when you have a moment, please add tests. Thank you.

@makcpopTwo

Copying my thoughts from: #18018

My case: I have custom DPoP and refresh token mapping, so I need the ability to override the extraction of the thumbprint from the refresh token.

Currently, I would need to duplicate some common parts of the DPoP validation in my own code (retrieving the DPoP from the context/authentication, verifying DPoP and ClientAuthenticationMethod, parsing the JWT, computing the thumbprint, comparing thumbprints). All of these are quite standard procedures defined by the RFC, and I’d prefer not to duplicate this logic in my validator — I only need to specify how the thumbprint should be extracted from the authentication (i.e., the refresh token).

If I completely override the validator, I might miss some validation logic that could be added to it in the future.

If it would be helpful, I can reference the relevant RFC parts to clarify which parts of the code are standardized.
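As an added illustration of the standard steps listed in the comment above (this is example code, not code from Spring Authorization Server, from this PR, or from either commenter): a Java validator built on the nimbus-jose-jwt library that spring-security-oauth2-jose already depends on, in which the RFC 9449 / RFC 7638 parts (proof type check, public key taken from the jwk header, signature verification with that key, SHA-256 JWK thumbprint, constant-time comparison, the public-client rule from RFC 9449 section 5) stay fixed and only the lookup of the thumbprint the refresh token was bound to is a pluggable strategy. The names RefreshTokenThumbprintExtractor, DPoPBindingValidator, the opaque refresh-token store and the "none" / "client_secret_basic" strings are assumptions made for the example; the proof's htm, htu, iat, jti replay and nonce checks are omitted and assumed to be performed elsewhere.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.text.ParseException;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/** Added example, not Spring Authorization Server code. */
public class RefreshTokenDPoPBindingExample {

	private static final JOSEObjectType DPOP_JWT = new JOSEObjectType("dpop+jwt");

	/** Hypothetical strategy: how the thumbprint a refresh token was bound to is looked up. */
	@FunctionalInterface
	interface RefreshTokenThumbprintExtractor {
		/** Base64url RFC 7638 thumbprint recorded at issuance, or null if the token is unbound. */
		String extract(String refreshToken);
	}

	/** The RFC 9449 / RFC 7638 steps stay fixed; only the extractor is swapped. */
	static final class DPoPBindingValidator {
		private final RefreshTokenThumbprintExtractor extractor;

		DPoPBindingValidator(RefreshTokenThumbprintExtractor extractor) {
			this.extractor = Objects.requireNonNull(extractor);
		}

		boolean isValid(String dpopProof, String clientAuthenticationMethod, String refreshToken) {
			try {
				SignedJWT proof = SignedJWT.parse(dpopProof);
				JWSHeader header = proof.getHeader();
				// RFC 9449 section 4.2: typ is dpop+jwt and the public key rides in the jwk header.
				if (!DPOP_JWT.equals(header.getType())) {
					return false;
				}
				JWK jwk = header.getJWK();
				if (!(jwk instanceof ECKey) || jwk.isPrivate()) {
					return false; // only EC keys handled here; a private key in the header is rejected
				}
				// The proof must verify under the key it carries (htm/htu/iat/jti/nonce checks omitted).
				if (!proof.verify(new ECDSAVerifier((ECKey) jwk))) {
					return false;
				}
				String proofThumbprint = jwk.computeThumbprint().toString(); // RFC 7638, SHA-256
				String boundThumbprint = this.extractor.extract(refreshToken);
				if (boundThumbprint == null) {
					// RFC 9449 section 5: the binding is mandatory for public clients only.
					return !"none".equals(clientAuthenticationMethod);
				}
				return MessageDigest.isEqual(proofThumbprint.getBytes(StandardCharsets.UTF_8),
						boundThumbprint.getBytes(StandardCharsets.UTF_8));
			}
			catch (ParseException | JOSEException ex) {
				return false;
			}
		}
	}

	/** Builds a minimal DPoP proof for the token endpoint, signed with the given key. */
	static String dpopProof(ECKey key) throws JOSEException {
		JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.ES256)
				.type(DPOP_JWT)
				.jwk(key.toPublicJWK())
				.build();
		JWTClaimsSet claims = new JWTClaimsSet.Builder()
				.jwtID(UUID.randomUUID().toString())
				.claim("htm", "POST")
				.claim("htu", "https://auth.example/oauth2/token")
				.issueTime(new Date())
				.build();
		SignedJWT jwt = new SignedJWT(header, claims);
		jwt.sign(new ECDSASigner(key));
		return jwt.serialize();
	}

	public static void main(String[] args) throws Exception {
		ECKey clientKey = new ECKeyGenerator(Curve.P_256).generate();
		ECKey otherKey = new ECKeyGenerator(Curve.P_256).generate();

		// Constructed store: opaque refresh token value -> thumbprint recorded at issuance.
		Map<String, String> bindings = Map.of("rt-1", clientKey.computeThumbprint().toString());
		DPoPBindingValidator validator = new DPoPBindingValidator(bindings::get);

		String proof = dpopProof(clientKey);
		System.out.println(validator.isValid(proof, "none", "rt-1"));                     // bound key matches
		System.out.println(validator.isValid(dpopProof(otherKey), "none", "rt-1"));       // proof signed by another key
		System.out.println(validator.isValid(proof, "none", "rt-unbound"));               // public client, token never bound
		System.out.println(validator.isValid(proof, "client_secret_basic", "rt-unbound")); // confidential client, token never bound
	}
}
```

The point of the split is the one made in the comment above: a deployment with its own refresh-token representation (a JWT with a cnf.jkt claim, an opaque value with metadata in a store, a different persistence key) supplies only the extractor, while the checks that RFC 9449 and RFC 7638 fix stay in one place and pick up future additions without each deployment re-implementing them.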
