Core: Fix optionalOAuthParams dropped during non-exchange token refresh#16023
Open
bharos wants to merge 1 commit into apache:main from
Conversation
…sh (apache#16022) When token-exchange-enabled=false, the non-exchange refresh paths in both refreshToken() and refreshExpiredToken() passed ImmutableMap.of() instead of the available optionalOAuthParams. This caused audience, resource, and other optional OAuth parameters to be silently dropped on every token refresh after the initial fetch. Fix: pass optionalOAuthParams at both call sites instead of ImmutableMap.of().
Contributor (Author)
cc @adutra please review, thanks!
adutra reviewed Apr 18, 2026
argThat(
    formData ->
        CLIENT_CREDENTIALS.equals(formData.get(GRANT_TYPE))
            && audience.equals(formData.get("audience"))),
Contributor
It's a bit odd to have the audience parameter propagated on a client_credentials grant request, but I guess it's too convoluted to distinguish which optional parameters should be included depending on the grant. And most IDPs would just ignore this parameter, I guess (except Okta / Auth0).
Contributor
Also, shouldn't you assert that the scope is present too?
Fixes #16022

When exchangeEnabled is false, both refreshExpiredToken() and the static refreshToken() were calling fetchToken() with an empty map instead of forwarding optionalOAuthParams (which carries audience, resource, scope).

This was introduced in #14059 when the deprecated 5-arg fetchToken() overloads were removed and the 6-arg calls were inlined with ImmutableMap.of() instead of the available optionalOAuthParams.

The initial token fetch passes the params correctly, so the first token works. After expiry, the refreshed token is missing the audience/scope, causing 401/403 errors.

Fix: Pass optionalOAuthParams instead of ImmutableMap.of()/Map.of() in the two non-exchange branches.

Tests: Two new tests in TestOAuth2Util verify that audience appears in the token request form data for both the expired-token and proactive-refresh paths.
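The bug class described in this PR (optional OAuth form parameters forwarded on the initial fetch but silently dropped on the non-exchange refresh path) is easy to reproduce outside the project. The following stand-alone Python sketch is an added example and is not Iceberg's OAuth2Util: the endpoint stub, the buggy and fixed refresh functions and the missing_refresh_params check are all constructed here. It records every form body sent to a fake token endpoint and then compares the first request with the latest one, which is the kind of regression check the reviewer asks for (audience and scope both present after refresh).

```python
"""Initial fetch vs. refresh: keeping optional OAuth form parameters in sync.

Constructed stand-alone example (not Iceberg's OAuth2Util). All names below
are hypothetical: RecordingTokenEndpoint, fetch_token, exchange_token,
refresh_token_buggy, refresh_token_fixed, missing_refresh_params, run_session.
"""
from typing import Dict, List

GRANT_TYPE = "grant_type"
CLIENT_CREDENTIALS = "client_credentials"
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN = "subject_token"

# Optional parameters a caller may attach to every token request.
OPTIONAL_KEYS = ("audience", "resource", "scope")


class RecordingTokenEndpoint:
    """Stand-in for an IdP token endpoint: records each form body it receives
    and hands back a fresh opaque token (no network, constructed for the test)."""

    def __init__(self) -> None:
        self.requests: List[Dict[str, str]] = []

    def post(self, form: Dict[str, str]) -> Dict[str, str]:
        self.requests.append(dict(form))
        return {"access_token": f"tok-{len(self.requests)}", "expires_in": "60"}


def build_form(grant_type: str, credential: str,
               optional_params: Dict[str, str]) -> Dict[str, str]:
    """Assemble the form body for a client_credentials request; optional
    params (audience, resource, scope) are copied in verbatim."""
    client_id, client_secret = credential.split(":", 1)
    form = {GRANT_TYPE: grant_type,
            "client_id": client_id, "client_secret": client_secret}
    form.update(optional_params)
    return form


def fetch_token(endpoint: RecordingTokenEndpoint, credential: str,
                optional_params: Dict[str, str]) -> Dict[str, str]:
    """Initial fetch: the optional params are forwarded correctly."""
    return endpoint.post(build_form(CLIENT_CREDENTIALS, credential, optional_params))


def exchange_token(endpoint: RecordingTokenEndpoint, subject_token: str,
                   optional_params: Dict[str, str]) -> Dict[str, str]:
    """Token-exchange refresh path; also forwards the optional params."""
    form = {GRANT_TYPE: TOKEN_EXCHANGE, SUBJECT_TOKEN: subject_token}
    form.update(optional_params)
    return endpoint.post(form)


def refresh_token_buggy(endpoint, credential, current, optional_params, exchange_enabled):
    if exchange_enabled:
        return exchange_token(endpoint, current, optional_params)
    # BUG: the non-exchange branch passes an empty map, so audience/resource/
    # scope vanish from every refresh after the first fetch.
    return fetch_token(endpoint, credential, {})


def refresh_token_fixed(endpoint, credential, current, optional_params, exchange_enabled):
    if exchange_enabled:
        return exchange_token(endpoint, current, optional_params)
    # FIX: forward the same optional params the initial fetch used.
    return fetch_token(endpoint, credential, optional_params)


def missing_refresh_params(endpoint: RecordingTokenEndpoint) -> List[str]:
    """Regression check: optional keys present in the first request but absent
    from the most recent one. An empty list means nothing was dropped."""
    if len(endpoint.requests) < 2:
        return []
    first, latest = endpoint.requests[0], endpoint.requests[-1]
    return [k for k in OPTIONAL_KEYS if k in first and k not in latest]


def run_session(refresh_impl, exchange_enabled: bool = False) -> List[str]:
    """Fetch once, refresh once with the given implementation, report drops."""
    endpoint = RecordingTokenEndpoint()
    credential = "catalog-client:s3cr3t"  # constructed test credential
    params = {"audience": "https://catalog.example", "scope": "catalog"}
    token = fetch_token(endpoint, credential, params)["access_token"]
    refresh_impl(endpoint, credential, token, params, exchange_enabled)
    return missing_refresh_params(endpoint)


if __name__ == "__main__":
    print("buggy refresh dropped:", run_session(refresh_token_buggy))  # ['audience', 'scope']
    print("fixed refresh dropped:", run_session(refresh_token_fixed))  # []
```

Asserting on the recorded form bodies rather than on the returned token is the point: an IdP that ignores a missing audience still issues a token, so the failure only surfaces later as 401/403 at the resource, which is exactly why the refresh path went unnoticed after the initial fetch kept working.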