I am working on implementing access and refresh tokens with OAuth 2.0. I have implemented a custom grant type, and I can renew the access token using a refresh token with a combination of the already existing OAuth2RefreshTokenAuthenticationConverter and OAuth2RefreshTokenAuthenticationProvider.
The problem is that, before granting a new access token, I need to call the database to verify that the user is still active and perform additional checks (e.g., to determine if they have lost their login eligibility in the meantime). I also need access to the user's username, which is not sent on the refresh token request.
I've tried to implement a OncePerRequest filter, but I have no access to the user's username, only to the refresh token, grant type, and scope.
I also considered copying the entire OAuth2RefreshTokenAuthenticationConverter and adjusting it accordingly. However, I would like to avoid creating a copy of the converter due to maintainability concerns.
Thanks in advance!
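One way to run the eligibility check without copying the converter is to wrap the stock OAuth2RefreshTokenAuthenticationProvider in a delegating AuthenticationProvider. The username is not on the wire, but Spring Authorization Server stores it with the OAuth2Authorization that was issued alongside the refresh token, so it can be recovered through OAuth2AuthorizationService.findByToken before the built-in provider does its own validation. The following is an added example written for this question, not code from the question or from the Spring Authorization Server project; UserStatusRepository and its isActive method are a hypothetical application-side lookup, while the Spring types are the real Spring Authorization Server 1.x classes.

```java
// Added example (not from the question or from Spring Authorization Server itself):
// a delegating AuthenticationProvider that checks the resource owner's status
// before handing the refresh_token grant to the stock provider.
// UserStatusRepository is a hypothetical application interface.
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

public final class ActiveUserRefreshTokenAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical application-side lookup against the user table (assumption, not a Spring type). */
    public interface UserStatusRepository {
        boolean isActive(String username);
    }

    private final OAuth2AuthorizationService authorizationService;
    private final UserStatusRepository userStatusRepository;
    private final OAuth2RefreshTokenAuthenticationProvider delegate;

    public ActiveUserRefreshTokenAuthenticationProvider(OAuth2AuthorizationService authorizationService,
            OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator,
            UserStatusRepository userStatusRepository) {
        this.authorizationService = authorizationService;
        this.userStatusRepository = userStatusRepository;
        // The built-in provider keeps doing the client match, expiry and scope checks
        // and mints the new tokens; nothing from it is copied here.
        this.delegate = new OAuth2RefreshTokenAuthenticationProvider(authorizationService, tokenGenerator);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2RefreshTokenAuthenticationToken request = (OAuth2RefreshTokenAuthenticationToken) authentication;

        // The request only carries the refresh token; the username lives on the
        // stored authorization that was created when the token was issued.
        OAuth2Authorization authorization = this.authorizationService
                .findByToken(request.getRefreshToken(), OAuth2TokenType.REFRESH_TOKEN);

        if (authorization != null) {
            String username = authorization.getPrincipalName();
            if (!this.userStatusRepository.isActive(username)) {
                // The user lost eligibility after the token was issued: drop the stored
                // authorization so the same refresh token cannot be replayed, then fail
                // with the standard invalid_grant error the client already understands.
                this.authorizationService.remove(authorization);
                throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT,
                        "The resource owner is no longer eligible to sign in", null));
            }
        }

        // Unknown or expired refresh token (authorization == null) or an active user:
        // let the stock provider apply its own validation and produce the response.
        return this.delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return OAuth2RefreshTokenAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

// Registration, inside the authorization server SecurityFilterChain bean, after
// OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http). Providers added
// through tokenEndpoint().authenticationProvider(...) are tried before the built-in
// ones, so this wrapper sees the refresh_token grant first:
//
//   http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
//       .tokenEndpoint(tokenEndpoint -> tokenEndpoint.authenticationProvider(
//               new ActiveUserRefreshTokenAuthenticationProvider(
//                       authorizationService, tokenGenerator, userStatusRepository)));
```

Because the check runs inside the token endpoint's authentication step rather than in a servlet filter, it has the full OAuth2Authorization available (principal name, granted scopes, client id), and a failed check surfaces as a normal invalid_grant response instead of a generic 401 from a filter.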