
AuthenticationPrincipalArgumentResolver has an outdated Authentication when OIDC ID Token is updated after refresh token #18168

@mpalourdio

Description


Hi,

In a plain oauth2Login() application (Keycloak as IDP, for example), after #16589 has been implemented, consider the following example:

    @PostMapping("/fast")
    public Map<String, Object> getOidcUserPrincipal(@AuthenticationPrincipal OidcUser principal1) {
        // principal1 was resolved from the SecurityContext by AuthenticationPrincipalArgumentResolver
        // principal2 is read from the SecurityContext at the point of use
        var principal2 = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        return principal1.getClaims();
    }

Once OidcUserRefreshedEventListener#onApplicationEvent has been triggered, it's already too late for the AuthenticationPrincipalArgumentResolver to get the updated value, as it's not aware of the OidcUserRefreshedEvent.

So in the example above, with a very short Access Token Lifespan (let's say 2 minutes), principal1 might get the "before" refresh ID Token, whereas principal2 has the up-to-date value.

Shoot the endpoint before the refresh happens and the values are in sync; wait a little and they are out of sync, and so on.

Hope this is clear.

Thanks
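The following is an added example, not code from the issue reporter or from Spring Security itself. It shows the workaround a practitioner would reach for while the resolver is unaware of the refresh: re-read the principal from SecurityContextHolder at the point of use instead of trusting the injected one, and report whether the two ID tokens still match. The controller name, the "/fast-check" path and the helper names currentOidcUser and sameIdToken are assumptions chosen for the example; the Spring Security types and methods used are the public ones (OidcUser, OidcIdToken#getTokenValue, SecurityContextHolder).

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller for the added example; not part of the original issue.
@RestController
public class PrincipalSyncController {

    @PostMapping("/fast-check")
    public Map<String, Object> check(@AuthenticationPrincipal OidcUser injected) {
        // Re-read the principal now. If the refresh listener has already replaced
        // the Authentication in the SecurityContext, this is the up-to-date OidcUser,
        // while 'injected' may still carry the pre-refresh ID token.
        OidcUser current = currentOidcUser();

        Map<String, Object> body = new LinkedHashMap<>();
        body.put("injected_iat", injected.getIdToken().getIssuedAt());
        body.put("current_iat", current.getIdToken().getIssuedAt());
        body.put("in_sync", sameIdToken(injected, current));
        // Answer from the freshest token so time-sensitive claims (exp, auth_time)
        // are not the stale values.
        body.put("claims", current.getClaims());
        return body;
    }

    // Resolve the OidcUser from the SecurityContext at call time (assumed helper name).
    static OidcUser currentOidcUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof OidcUser user)) {
            throw new IllegalStateException("No OidcUser in the SecurityContext");
        }
        return user;
    }

    // A refreshed ID token is a different JWT even for the same subject, so the raw
    // token value is the reliable thing to compare (assumed helper name).
    static boolean sameIdToken(OidcUser a, OidcUser b) {
        return a.getIdToken().getTokenValue().equals(b.getIdToken().getTokenValue());
    }
}
```

With a short access token lifespan as described above, calling this endpoint before the refresh returns in_sync=true; after the refresh has fired, injected_iat lags current_iat and in_sync becomes false, which makes the desynchronisation observable from a single request instead of by comparing two calls.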
