Description
Summary
When a WebClient (configured with ServletOAuth2AuthorizedClientExchangeFilterFunction) automatically refresh an access token using an available refresh token, the refresh token may be lost, preventing any further refresh.
This happen when the authorization server doesn't return the refresh token on the Token Endpoint response (Which is the case of Google)
This issue seems to be the same than this one on the old Spring Security Oauth module : spring-attic/spring-security-oauth#712
Actual Behavior
On a Spring Boot Application using Spring Security 5, OAuth2 AuthorizedClient feature (with authorization code grant type)
And with a custom OAuth2AuthorizedClientService implementation that can persist AuthorizedClient durably (in a file for me)
When a user authorizes the application to access its Google resources : an AuthorizedClient with an access_token and a refresh_token is stored in OAuth2AuthorizedClientService.
After that the application can access theses Google resources correctly with a webClient configured with ServletOAuth2AuthorizedClientExchangeFilterFunction.
Later (more than 1 hour), another access to its Google resources triggers a token refresh : this works but Google doesn't send another refresh_token (the old one is still valid). Consequently, the new persisted AuthorizedClient in OAuth2AuthorizedClientService doesn't have any refresh token.
More than another hour later : another access to the user's Google resources fails because the WebClient doesn't have any refresh token anymore to refresh the old access token.
( Note : with Google, it's should be necessary to use the param access_type=offline to get a durable refresh_token. So #5760 is necessary)
Expected Behavior
Expected Behavior is that when refreshing the access token for the first time, the old refresh_token is saved (if no new refresh_token is provided), so that it is possible to refresh the access_token more than once after ( and as long as the refresh_token is still valid )
Version
Spring Security 5.2.0.M1