Access token not available for building refresh token jwts #2109

@malaquf


Describe the bug
In Spring Security, refresh tokens contained 'ati', and its validation is performed here.

In order to provide a clean migration from our AuthServer based on Spring Security, we've recreated the password grant type with proper customizers and everything works fine. However, the OAuth2RefreshTokenAuthenticationProvider does not build the context for refresh tokens with the access token, hence the token generator can't add 'ati' claim from access token 'jti'.

By adding this one line authorization(authorizationBuilder.build()) here we can keep compatibility and ensure a smooth transition:

// ----- Refresh token -----
OAuth2RefreshToken currentRefreshToken = refreshToken.getToken();
if (!registeredClient.getTokenSettings().isReuseRefreshTokens()) {
    tokenContext = tokenContextBuilder
        .tokenType(OAuth2TokenType.REFRESH_TOKEN)
        .authorization(authorizationBuilder.build()) // allows retrieving access token 'jti' for setting refresh token 'ati' claim
        .build();
    final OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(tokenContext);
    ....

Without this one line, we have to duplicate the complete OAuth2RefreshTokenAuthenticationProvider and OAuth2AuthenticationProviderUtils classes and configure it as an authenticationProvider, because it's all final and protected.

To Reproduce

Expected behavior
The access token is available in the token context for the refresh token generator, or a hook is available for doing so without the need to duplicate internal code.

Sample
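
An added example, not code from the issue author or from Spring Authorization Server: a custom refresh token generator that reads the access token 'jti' from the token context to set 'ati', and fails closed when it is missing. The class name, the RS256 algorithm and the claim layout are assumptions, and it assumes the Spring Authorization Server 1.x API.

```java
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

// Hypothetical generator (assumed name): issues a JWT refresh token whose 'ati'
// claim is bound to the 'jti' of the access token found in the token context.
public final class AtiRefreshTokenGenerator implements OAuth2TokenGenerator<OAuth2RefreshToken> {
    private final JwtEncoder jwtEncoder;

    public AtiRefreshTokenGenerator(JwtEncoder jwtEncoder) {
        this.jwtEncoder = jwtEncoder;
    }

    @Override
    public OAuth2RefreshToken generate(OAuth2TokenContext context) {
        if (!OAuth2TokenType.REFRESH_TOKEN.equals(context.getTokenType())) {
            return null; // leave access and ID tokens to other generators
        }
        // This is the new access token's 'jti' only if the provider built the
        // context with the updated authorization, as the issue proposes.
        OAuth2Authorization authorization = context.getAuthorization();
        OAuth2Authorization.Token<OAuth2AccessToken> accessToken =
                (authorization != null) ? authorization.getAccessToken() : null;
        Map<String, Object> accessClaims = (accessToken != null) ? accessToken.getClaims() : null;
        Object jti = (accessClaims != null) ? accessClaims.get(JwtClaimNames.JTI) : null;
        if (jti == null) {
            // Fail closed: never issue a refresh token that is not bound to an access token.
            throw new IllegalStateException("access token 'jti' not available in token context");
        }
        Instant issuedAt = Instant.now();
        Instant expiresAt = issuedAt.plus(
                context.getRegisteredClient().getTokenSettings().getRefreshTokenTimeToLive());
        JwtClaimsSet claims = JwtClaimsSet.builder()
                .issuer(context.getAuthorizationServerContext().getIssuer())
                .subject(context.getPrincipal().getName())
                .id(UUID.randomUUID().toString())
                .issuedAt(issuedAt).expiresAt(expiresAt)
                .claim("ati", jti).build();
        JwsHeader header = JwsHeader.with(SignatureAlgorithm.RS256).build();
        String value = this.jwtEncoder.encode(JwtEncoderParameters.from(header, claims)).getTokenValue();
        return new OAuth2RefreshToken(value, issuedAt, expiresAt);
    }
}
```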
