Is it possible to add a callback after the sendAccessTokenResponse method of accessTokenResponseHandler?

[jacko9et]

Is it possible to add a callback after the sendAccessTokenResponse method of accessTokenResponseHandler?
I don't want to change the default behavior, I just want to clean up the session after the response is successful, so that every time the /oauth2/authorize endpoint is triggered, it will re-login.

[jgrandja]

@jacko9et I'm not understanding your question.

add a callback after the sendAccessTokenResponse method of accessTokenResponseHandler?

This is referring to the token endpoint.

every time the /oauth2/authorize endpoint is triggered, it will re-login

And this is referring to the authorization endpoint.

Can you provide more details and please be specific on exactly what you are trying to implement. Thanks.

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[ramonmalcolm10]

He want the user to re-authenticate every time they are redirected to the OAuth server.
The approach that most OAuth sever normally take is to allow the client to pass a query parameter name prompt with the value login to trigger the re-authentication.
It would be good if this feature can be added in the future.

[jgrandja]

@ramonmalcolm10 What you described does not sound like what @jacko9et is asking. Your description sounds very much like gh-501.

I will wait for @jacko9et to respond.

[jacko9et]

Sorry for the late reply.
Now if the first visit to the /oauth2/authorize endpoint is not authenticated, it will be redirected to the login page to log in, and after the authentication is passed, the second visit to the /oauth2/authorize endpoint will automatically pass the authentication provided by the session with the authentication information.
I hope that every time I visit the /oauth2/authorize endpoint, I need to re-authenticate without being affected by the session.

Because the session is needed to store the state in the process, I think the session needs to be cleaned up after the client obtains the token. The default accessTokenResponseHandler cannot be extended using a delegate class without changing the default behavior. I don't think it's a problem to close the modification, but the extension cannot reuse the code because of insufficient scalability. It is proposed to add a callback method after accessTokenResponseHandler to provide sufficient scalability.

[jgrandja]

@jacko9et Thanks for the explanation.

I hope that every time I visit the /oauth2/authorize endpoint, I need to re-authenticate without being affected by the session.

The OpenID Connect 1.0 parameter prompt with a value of login implements the re-authenticate feature. We have an open issue gh-501 that will address this feature.

The default accessTokenResponseHandler cannot be extended using a delegate class without changing the default behavior. I don't think it's a problem to close the modification, but the extension cannot reuse the code

authorizationServerConfigurer.tokenEndpoint.accessTokenResponseHandler() is the main extension point for customization after the authorization grant flow is completed. I realize you would need to duplicate the code in sendAccessTokenResponse() and add your customization on top of that but it can be done today to move your forward. We will be looking at simplifying this and allowing for reuse in gh-925.

I'll close this as a duplicate of gh-501 and/or gh-925.