fix: Allow OidcAuthorizedClientRefreshedEventListener refreshing if authentication subclasses OAuth2AuthenticationToken

Signed-off-by: Michel Palourdio <[email protected]>

Author: mpalourdio

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcUserRefreshedEventListenerConfigurationTests.java

@@ -232,16 +232,19 @@ public void authorizeWhenAuthenticationIsNotOAuth2ThenOidcUserNotRefreshed() {
 	}
 
 	@Test
-	public void authorizeWhenAuthenticationIsCustomThenOidcUserNotRefreshed() {
+	public void authorizeWhenAuthenticationIsCustomThenOidcUserRefreshed() {
 		this.spring.register(OAuth2LoginWithOAuth2ClientConfig.class).autowire();
 
 		OAuth2AuthorizedClient authorizedClient = createAuthorizedClient();
 		OAuth2AccessTokenResponse accessTokenResponse = createAccessTokenResponse(OidcScopes.OPENID);
+		Jwt jwt = createJwt().build();
 		given(this.authorizedClientRepository.loadAuthorizedClient(anyString(), any(Authentication.class),
 				any(HttpServletRequest.class)))
 			.willReturn(authorizedClient);
 		given(this.refreshTokenAccessTokenResponseClient.getTokenResponse(any(OAuth2RefreshTokenGrantRequest.class)))
 			.willReturn(accessTokenResponse);
+		given(this.jwtDecoder.decode(anyString())).willReturn(jwt);
+		given(this.oidcUserService.loadUser(any(OidcUserRequest.class))).willReturn(createOidcUser());
 
 		OidcUser oidcUser = createOidcUser();
 		OAuth2AuthenticationToken authentication = new CustomOAuth2AuthenticationToken(oidcUser,
@@ -255,7 +258,10 @@ public void authorizeWhenAuthenticationIsCustomThenOidcUserNotRefreshed() {
 			.build();
 		OAuth2AuthorizedClient refreshedAuthorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
 		assertThat(refreshedAuthorizedClient).isNotNull();
-		verifyNoInteractions(this.securityContextRepository, this.jwtDecoder, this.oidcUserService);
+		assertThat(refreshedAuthorizedClient).isNotSameAs(authorizedClient);
+		assertThat(refreshedAuthorizedClient.getClientRegistration()).isEqualTo(GOOGLE_CLIENT_REGISTRATION);
+		assertThat(refreshedAuthorizedClient.getAccessToken()).isEqualTo(accessTokenResponse.getAccessToken());
+		assertThat(refreshedAuthorizedClient.getRefreshToken()).isEqualTo(accessTokenResponse.getRefreshToken());
 	}
 
 	@Test

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java

@@ -106,11 +106,10 @@ public void onApplicationEvent(OAuth2AuthorizedClientRefreshedEvent event) {
 
 		// The current authentication must be an OAuth2AuthenticationToken
 		Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
-		if (!(authentication instanceof OAuth2AuthenticationToken authenticationToken)
-				|| authenticationToken.getClass() != OAuth2AuthenticationToken.class) {
+		if (!(authentication instanceof OAuth2AuthenticationToken authenticationToken)) {
 			// This event listener only handles the default authentication result. If the
-			// application customizes the authentication result, then a custom event
-			// handler should be provided.
+			// application customizes the authentication result by not subclassing
+			// OAuth2AuthenticationToken, then a custom event handler should be provided.
 			return;
 		}
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListenerTests.java

@@ -239,19 +239,20 @@ public void onApplicationEventWhenAuthenticationIsNotOAuth2ThenOidcUserRefreshed
 	}
 
 	@Test
-	public void onApplicationEventWhenAuthenticationIsCustomThenOidcUserRefreshedEventNotPublished() {
+	public void onApplicationEventWhenAuthenticationIsSubclassedThenOidcUserRefreshedEventPublished() {
 		OAuth2AuthenticationToken authentication = new CustomOAuth2AuthenticationToken(this.oidcUser,
 				this.oidcUser.getAuthorities(), this.clientRegistration.getRegistrationId());
 		SecurityContextImpl securityContext = new SecurityContextImpl(authentication);
 		given(this.securityContextHolderStrategy.getContext()).willReturn(securityContext);
+		given(this.jwtDecoder.decode(anyString())).willReturn(this.jwt);
+		given(this.userService.loadUser(any(OidcUserRequest.class))).willReturn(this.oidcUser);
 
 		OAuth2AuthorizedClientRefreshedEvent authorizedClientRefreshedEvent = new OAuth2AuthorizedClientRefreshedEvent(
 				this.accessTokenResponse, this.authorizedClient);
 		this.eventListener.onApplicationEvent(authorizedClientRefreshedEvent);
 
-		verify(this.securityContextHolderStrategy).getContext();
-		verifyNoMoreInteractions(this.securityContextHolderStrategy);
-		verifyNoInteractions(this.jwtDecoder, this.userService, this.applicationEventPublisher);
+		verify(this.applicationEventPublisher).publishEvent(any(OidcUserRefreshedEvent.class));
+		verifyNoMoreInteractions(this.applicationEventPublisher);
 	}
 
 	@Test