Oauth 2 spring RestTemplate login with refresh token

Question

What I wanna achieve

So I have a client application in java (JavaFX + Spring-boot hybrid-application). You can have a look at it here https://github.com/FAForever/downlords-faf-client . So till now we stored username/ password if the user wished to be kept logged in which is obviously a pretty bad idea. So now I wanna store the refreshtoken and then log the user in with that.

What it looks like now See here

ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
details.setClientId(apiProperties.getClientId());
details.setClientSecret(apiProperties.getClientSecret());
details.setClientAuthenticationScheme(AuthenticationScheme.header);
details.setAccessTokenUri(apiProperties.getBaseUrl() + OAUTH_TOKEN_PATH);
details.setUsername(username);
details.setPassword(password);

OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(details);

restOperations = templateBuilder
    // Base URL can be changed in login window
    .rootUri(apiProperties.getBaseUrl())
    .configure(restTemplate);

What I found so far

I found out that restTemplate.getAccessToken().getRefreshToken() will give me the refreshtoken I want to save and later so to keep the user logged in.

What I can not figure out

I can not find a way to create a OAuth2RestTemplate with an refresh token only. Is that even possible? Can someone point me in the right direction? Maybe link me some articles to read? Is this the right place to read?

Answer 1

I do not think this is possible with an OAuth2RestTemplate, but you can reimplement the desired parts yourself. I'd like to share an example with your for OAuth password login to Microsofts flavour of OAuth2 (Azure Active Directory). It does miss the piece of fetching a new token from an existing refresh token yet, but I added a comment where you need to add it.

A simple way to mimic OAuthRestTemplates behavior is a custom ClientHttpRequestInterceptor which delegates the token fetching to a dedicated Spring service component, that you append to your RestTemplate:

@RequiredArgsConstructor
@Slf4j
public class OAuthTokenInterceptor implements ClientHttpRequestInterceptor {
  private final TokenService tokenService;

  @NotNull
  @Override
  public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                      ClientHttpRequestExecution execution) throws IOException {
    request.getHeaders().add("Authorization", "Bearer " + tokenService.getRefreshedToken().getValue());
    return execution.execute(request, body);
  }
}

This interceptor can be added to your primary RestTemplate:

List<ClientHttpRequestInterceptor> interceptors = new ArrayList<>();
interceptors.add(globalOAuthTokenInterceptor);
restTemplate.setInterceptors(interceptors);

The token service used in the interceptor holds the token in a cache and on request checks for the expiry of the token and if required queries a new one.

@Service
@Slf4j
public class TokenService {
  private final TokenServiceProperties tokenServiceProperties;
  private final RestTemplate simpleRestTemplate;
  private OAuth2AccessToken tokenCache;

  public TokenService(TokenServiceProperties tokenServiceProperties) {
    this.tokenServiceProperties = tokenServiceProperties;

    simpleRestTemplate = new RestTemplateBuilder().
        build();
  }

  public OAuth2AccessToken getRefreshedToken() {
    if (tokenCache == null || tokenCache.isExpired()) {
      log.debug("Token expired, fetching new token");
      tokenCache = refreshOAuthToken();
    } else {
      log.debug("Token still valid for {} seconds", tokenCache.getExpiresIn());
    }

    return tokenCache;
  }

  public OAuth2AccessToken loginWithCredentials(String username, String password) {
    HttpHeaders headers = new HttpHeaders();
    headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
    headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8));

    MultiValueMap<String, String> map = new LinkedMultiValueMap<>();
    map.add("grant_type", "password");
    map.add("resource", tokenServiceProperties.getAadB2bResource());
    map.add("client_id", tokenServiceProperties.getAadB2bClientId());
    map.add("username", username);
    map.add("password", password);

    HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(map, headers);

    return simpleRestTemplate.postForObject(
        tokenServiceProperties.getAadB2bUrl(),
        request,
        OAuth2AccessToken.class
    );
  }

  private OAuth2AccessToken refreshOAuthToken() {
    return loginWithRefreshToken(tokenCache.getRefreshToken().getValue());
  }

  public OAuth2AccessToken loginWithRefreshToken(String refreshToken) {
    // add code for fetching OAuth2 token from refresh token here
    return null;
  }
}

In this code example you would once login using username and password and afterwards all further logins would be using the refresh token. If you want to use the refresh token directly, you use the public method, otherwise it will be done internally. Since the login code is specifically written for login to Microsoft AAD, you should recheck the MultiValueMap parameters.

TokenServiceProperties are straightforward:

@Data
public class TokenServiceProperties {
    private String aadB2bUrl;
    private String aadB2bClientId;
    private String aadB2bResource;
}

Adapt them if needed.

The whole solution has one minor drawback: Instead of one RestTemplate that you usually fetch via depency injection, you now need a second one (a "simple" one) to fetch the OAuth token. In this example we create it in the constructor of the TokenService. However this is in general bad style as it makes it harder for unit testing etc. You could also think about using qualified beans or using a more basic http client in the TokenService.

Another important thing to note: I am using the spring-security-oauth2 package here. If you did not configure Spring Security in your project, this will trigger Spring Security auto-configuration which might not be desired - you can solve this by excluding undesired packages, e.g. in gradle:

implementation("org.springframework.security.oauth:spring-security-oauth2") {
    because "We only want the OAuth2AccessToken interface + implementations without activating Spring Security"
    exclude group: "org.springframework.security", module: "spring-security-web"
    exclude group: "org.springframework.security", module: "spring-security-config"
    exclude group: "org.springframework.security", module: "spring-security-core"
}