@zeapo (Contributor) commented Jul 4, 2025

After the upgrade to Spring Boot 3.5.x, the authorized client manager will attempt a refresh of the oidc id token.

Sadly, I thought that it would be a simple, clean replacement of the previous hackish code. However, it looks like vaadin does not like the SpringContextHolder.setContext() hacks (if you guys have a solution I'm all ears). Here's what happens when the token expires:

  • We get to the interceptor, which calls getToken; detecting that the token expired, it will call a refresh.
  • During the refresh, spring security will try to reload the oidc user, and we end up in the OidcUserService bean, which is going to try to refresh the user.
  • In that exact bean, sadly, we try to fetch the rights of the user, which in turn will call the interceptor, and we loop again!

Unfortunately, I'm unable to make the SpringContextHolder clear and use the temporary context in this situation; regardless of changing the strategy, the interceptor is always using the previous context.

To remediate this, I went with a bandaid: I fetch the previous user and re-use its grants. This works! But it is not the ideal solution :)

Here's an example of how it works, it refreshes properly:

(attached screen recording: Screen.Recording.2025-07-07.at.15.40.36.mov)
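The three-step cycle described in the post, modelled as an added, self-contained example (not hawkBit's, Vaadin's or Spring Security's own code): the interceptor asks for a token, an expired token triggers a refresh, the refresh reloads the user, and loading the user fetches rights through the interceptor again. All class and method names (RefreshLoopDemo, fetchRights, loadOidcUser, the grant values) are hypothetical stand-ins for the real beans. The example runs the cycle once without the workaround, where a depth limit makes the loop visible instead of overflowing the stack, and once with the post's "re-use the previous user's grants while a refresh is in progress" workaround, where the refresh completes.

```java
import java.util.List;

/** Hypothetical model of the refresh loop; constructed for illustration, not project code. */
public class RefreshLoopDemo {
    private static final int MAX_DEPTH = 20;              // bound so the loop is reported, not a StackOverflowError

    private boolean tokenExpired = true;                  // constructed: the cached id token has already expired
    private final List<String> previousGrants = List.of("READ_TARGET"); // constructed: grants of the previous user
    private final boolean reuseGrantsDuringRefresh;       // the workaround from the PR description
    private boolean refreshing = false;                   // set while this request is inside a refresh
    private int depth = 0;                                // how many times the interceptor has been re-entered

    RefreshLoopDemo(boolean reuseGrantsDuringRefresh) {
        this.reuseGrantsDuringRefresh = reuseGrantsDuringRefresh;
    }

    /** Step 1: the interceptor needs a valid token before it can call the rights endpoint. */
    List<String> fetchRights() {
        if (++depth > MAX_DEPTH) {
            throw new IllegalStateException("refresh loop: interceptor re-entered " + depth + " times");
        }
        try {
            String token = getToken();
            // constructed: rights the backend would return once a token is available
            return List.of("READ_TARGET", "UPDATE_TARGET");
        } finally {
            depth--;
        }
    }

    /** Returns the cached token, or refreshes it when it has expired. */
    String getToken() {
        return tokenExpired ? refresh() : "id-token-v2";
    }

    /** Step 2: the refresh reloads the OIDC user before a new token is issued. */
    String refresh() {
        refreshing = true;
        try {
            loadOidcUser();
            tokenExpired = false;
            return "id-token-v2";
        } finally {
            refreshing = false;
        }
    }

    /** Step 3: the user service needs the user's grants to build authorities. */
    List<String> loadOidcUser() {
        if (refreshing && reuseGrantsDuringRefresh) {
            return previousGrants;        // workaround: do not call back into the interceptor mid-refresh
        }
        return fetchRights();             // without it, this re-enters step 1 and the cycle repeats
    }

    public static void main(String[] args) {
        try {
            new RefreshLoopDemo(false).fetchRights();
            System.out.println("unexpected: no loop detected");
        } catch (IllegalStateException e) {
            System.out.println("without workaround -> " + e.getMessage());
        }
        List<String> rights = new RefreshLoopDemo(true).fetchRights();
        System.out.println("with workaround -> refresh completed, rights = " + rights);
    }
}
```

The `refreshing` flag is per instance here because each instance stands for one request; in the real stack the equivalent state lives in the security context the post says cannot be swapped cleanly, which is exactly why the PR falls back to re-using the previous user's grants instead of breaking the cycle at the context level.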

@zeapo zeapo marked this pull request as ready for review July 7, 2025 13:47
@avgustinmm (Contributor) commented:

@zeapo, is this PR finalized? Working, for review and for eventual merge?

@zeapo (Contributor Author) commented Jul 14, 2025

@avgustinmm hey, it's done. I've been testing it for a while on our deployment.

I'm off for the next two weeks, won't be able to test changes on my work environment.

@zeapo (Contributor Author) commented Jul 27, 2025

Please let me know if anything is missing :)

@zeapo zeapo force-pushed the feature/fix-oauth-hack branch from 66938d9 to 5c19021 Compare August 25, 2025 12:04

// This ensures that there is a client already, otherwise we won't be able to call the manager for authorization
OAuth2AuthorizedClient authorizedClient = clientService.loadAuthorizedClient(registrationId, authentication.getName());
if (authorizedClient == null) return null;
if (authorizedClient == null) return currentToken;
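Review bot: the null-client branch now hands back `currentToken` rather than `null`, so a caller that reaches this line gets the token it already had, not a refreshed one; a one-line comment on that return stating the reason given in the reply below (during the initial rights fetch no authorized client exists yet) would document the intent in the code rather than only in this thread, and it would help to confirm that the callers treat an unchanged `currentToken` as acceptable on that path.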
Contributor commented:

If client isn't found why return a token?

@zeapo (Contributor Author) replied Sep 1, 2025

Hehe, this is the tricky part of how simple-ui rights are working. It hijacks the authentication process; hence, at the initial step where it fetches the rights to create the authorities, the authorizedClient does not exist.

That's why this OIDC process is much more complex than it should've been.

(attached image: Screenshot 2025-09-01 at 14 31 10)

@desislava-marinova left a comment:

LGTM

@avgustinmm avgustinmm dismissed their stale review September 5, 2025 08:08

fixed after

@avgustinmm avgustinmm merged commit 4b6b175 into eclipse-hawkbit:master Sep 5, 2025
5 checks passed