This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to branch issue/SLING-12975 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-oauth-client.git
commit 1a09377914873a11e5d7bb505339b5fafc9cb18d
Author: Robert Munteanu <[email protected]>
AuthorDate: Tue Oct 21 16:37:35 2025 +0200
SLING-12975 - Refreshing OAuth access tokens can remove current refresh token
Ensure that the old refresh token is preserved if none is returned after the tokens have been refreshed.
---
 .../org/apache/sling/auth/oauth_client/impl/TokenAccessImpl.java | 5 +++++
 .../org/apache/sling/auth/oauth_client/TokenAccessImplTest.java | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/src/main/java/org/apache/sling/auth/oauth_client/impl/TokenAccessImpl.java b/src/main/java/org/apache/sling/auth/oauth_client/impl/TokenAccessImpl.java
index 5d375f7..c19c805 100644
--- a/src/main/java/org/apache/sling/auth/oauth_client/impl/TokenAccessImpl.java
+++ b/src/main/java/org/apache/sling/auth/oauth_client/impl/TokenAccessImpl.java
@@ -82,6 +82,11 @@ public class TokenAccessImpl implements OAuthTokenAccess {
 }
 OAuthTokens newTokens = tokenRefresher.refreshTokens(connection, refreshToken.getValue());
+ if (newTokens.refreshToken() == null) {
+ // retain old refresh token if none was returned
+ newTokens =
+ new OAuthTokens(newTokens.accessToken(), newTokens.expiresAt(), refreshToken.getValue());
+ }
 tokenStore.persistTokens(connection, resolver, newTokens);
 // FIXME: newTokens.accessToken() may return null -> NPE
diff --git a/src/test/java/org/apache/sling/auth/oauth_client/TokenAccessImplTest.java b/src/test/java/org/apache/sling/auth/oauth_client/TokenAccessImplTest.java
index 5e97d60..8beb4bf 100644
--- a/src/test/java/org/apache/sling/auth/oauth_client/TokenAccessImplTest.java
+++ b/src/test/java/org/apache/sling/auth/oauth_client/TokenAccessImplTest.java
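Review bot: The added guard treats only a `null` refresh token as "not returned", so a provider that answers with an empty `refresh_token` value would still overwrite the stored token with an empty string and break every later refresh; if `refreshToken()` is a `String`, widen the check to `if (newTokens.refreshToken() == null || newTokens.refreshToken().isEmpty()) {`. The retained-token comment would carry more weight with its reason, e.g. `// RFC 6749 §6: the server may omit refresh_token, in which case the existing one stays valid; when a new one is returned the old token must be discarded (rotation), which persisting newTokens as-is already does`. The enclosing method starts and ends outside the hunk, so whether `newTokens` itself can be null cannot be judged here; the existing FIXME on the following line already covers the null accessToken case.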
@@ -99,6 +99,12 @@ class TokenAccessImplTest {
 assertThat(tr.getTokenValue()).as("tokenValue").isEqualTo(refreshedTokens.accessToken());
 assertThrows(IllegalStateException.class, tr::getRedirectUri, "getRedirectUri");
 });
+
+ assertThat(tokenStore
+ .getRefreshToken(MockOidcConnection.DEFAULT_CONNECTION, slingContext.resourceResolver())
+ .getValue())
+ .as("refresh token after refresh")
+ .isEqualTo(expiredTokens.refreshToken());
 }
 private static @NotNull TokenAccessImpl getTokenAccess(
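Review bot: The new assertion pins only the retention case, and whether it actually exercises the new branch depends on `refreshedTokens` being built without a refresh token, which is set up outside the hunk; making that visible in the description, e.g. `.as("refresh token retained when refresh response omits it")`, would tell a reader what the expectation rests on. The complementary rotation case — a refresher that returns a new refresh token must replace the stored one, since RFC 6749 §6 requires the old token to be discarded — is not covered here and would catch an inverted guard. The enclosing test method starts outside the hunk.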
