Show the use of token properties in authorization server clients configuration example #44990

Open
OrangeDog opened this issue Apr 3, 2025 · 4 comments
Labels
type: documentation A documentation update

@OrangeDog
Contributor

Spring Authorization Server allows defining per-client token settings.
spring-projects/spring-authorization-server#1385 (comment)

However, Boot's OAuth2AuthorizationServerProperties does not expose this. I'd like to see something like this:

spring.security.oauth2.authorizationserver.client:
  my-client:
    client-id: 41fd9212-dc6f-4ced-a7a8-e6431a3f49da
    client-secret: '{noop}secret'
    tokens:
      authorization-code-time-to-live: 5m
      access-token-time-to-live: 10m
      access-token-format: reference
      reuse-refresh-tokens: false
      refresh-token-time-to-live: 28d

Possibly an ability to set a default for all clients too.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 3, 2025
@wilkinsona
Member

wilkinsona commented Apr 3, 2025

As far as I can tell, we already have the per-client properties:

/**
 * Time-to-live for an authorization code.
 */
private Duration authorizationCodeTimeToLive = Duration.ofMinutes(5);

/**
 * Time-to-live for an access token.
 */
private Duration accessTokenTimeToLive = Duration.ofMinutes(5);

/**
 * Token format for an access token.
 */
private String accessTokenFormat = "self-contained";

/**
 * Time-to-live for a device code.
 */
private Duration deviceCodeTimeToLive = Duration.ofMinutes(5);

/**
 * Whether refresh tokens are reused or a new refresh token is issued when
 * returning the access token response.
 */
private boolean reuseRefreshTokens = true;

/**
 * Time-to-live for a refresh token.
 */
private Duration refreshTokenTimeToLive = Duration.ofMinutes(60);

The YAML to configure them would be something like this:

spring.security.oauth2.authorizationserver.client:
  my-client:
    token:
      authorization-code-time-to-live: 5m
      access-token-time-to-live: 10m
      access-token-format: reference
      reuse-refresh-tokens: false
      refresh-token-time-to-live: 28d

The metadata and documentation for them is lacking at the moment. #9945 will help with that in time.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Apr 3, 2025
@OrangeDog
Contributor Author

Ah I see, that's good news.
For some reason, my IDE (IDEA Ultimate) knows about the other client properties, but not token.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 3, 2025
@wilkinsona
Member

I would report that to JetBrains. As I understand it, they do not use the metadata but instead introspect the types to which the properties are bound. As such, I'd expect IDEA Ultimate to be able to offer auto-complete for the token properties.

@wilkinsona
Member

We can improve the documentation by adding the token properties to the example in this existing section.

@wilkinsona wilkinsona added type: documentation A documentation update and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Apr 4, 2025
@wilkinsona wilkinsona added this to the 3.3.x milestone Apr 4, 2025
@wilkinsona wilkinsona changed the title Add application properties for org.springframework.security.oauth2.server.authorization.settings.TokenSettings Show the use of token properties in authorization server clients configuration example Apr 4, 2025
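
An added example, not code from the issue's participants or from Spring Boot: a binding check that shows which token settings a client ends up with when the per-client key is written as `token` (the key given in the reply above) and when it is written as `tokens` (the key proposed in the opening comment). It assumes Spring Boot 3.x with the authorization server auto-configuration on the classpath, the `OAuth2AuthorizationServerProperties` package and getter names of that line, and a constructed `registration.client-id` value. Boot's binder ignores keys it does not recognise by default, so the `tokens` run reports the defaults from the fields quoted above rather than failing.

```java
import java.util.Map;

import org.springframework.boot.autoconfigure.security.oauth2.server.servlet.OAuth2AuthorizationServerProperties;
import org.springframework.boot.context.properties.bind.Binder;
import org.springframework.boot.context.properties.source.MapConfigurationPropertySource;

public class TokenPropertyBindingCheck {

    static final String PREFIX = "spring.security.oauth2.authorizationserver";

    // Binds a flattened copy of the YAML from the thread and reports the
    // token settings the client is left with after binding.
    static String effectiveTokenSettings(String tokenKey) {
        String client = PREFIX + ".client.my-client.";
        Map<String, String> source = Map.of(
                // Constructed value so the client entry exists in both runs.
                client + "registration.client-id", "my-client",
                client + tokenKey + ".access-token-time-to-live", "10m",
                client + tokenKey + ".access-token-format", "reference",
                client + tokenKey + ".reuse-refresh-tokens", "false",
                client + tokenKey + ".refresh-token-time-to-live", "28d");

        // Same binder machinery Boot uses for application.yaml; no handler that
        // rejects unknown keys is installed, which matches the default.
        OAuth2AuthorizationServerProperties properties =
                new Binder(new MapConfigurationPropertySource(source))
                        .bind(PREFIX, OAuth2AuthorizationServerProperties.class)
                        .get();

        var token = properties.getClient().get("my-client").getToken();
        return String.format("accessTtl=%s format=%s reuseRefresh=%s refreshTtl=%s",
                token.getAccessTokenTimeToLive(),
                token.getAccessTokenFormat(),
                token.isReuseRefreshTokens(),
                token.getRefreshTokenTimeToLive());
    }

    public static void main(String[] args) {
        // "token" is the bound property; "tokens" is not a property of the client.
        System.out.println("token : " + effectiveTokenSettings("token"));
        System.out.println("tokens: " + effectiveTokenSettings("tokens"));
    }
}
```

A check like this in a test suite catches a misspelled key before a client silently runs with self-contained access tokens and reused refresh tokens instead of the intended reference tokens and rotation.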