expand refresh token validity resolver#3942
Merged
duanemay merged 2 commits (Jun 12, 2026)
03d5c7a to 43bdc35
strehle approved these changes Jun 11, 2026
Pull request overview
Enhances refresh token TTL determination by expanding the TokenValidityResolver extension point so it can receive request context (RefreshTokenRequestData) when resolving refresh token expiration, and adds a MockMvc-based example demonstrating how a proprietary module could clamp refresh token validity based on assertion/session context.
Changes:
- Add `TokenValidityResolver.resolve(clientId, RefreshTokenRequestData)` overload (default delegates to existing `resolve(clientId)`).
- Pass `RefreshTokenRequestData` into the refresh token validity resolver from `RefreshTokenCreator`.
- Allow overriding the default `refreshTokenValidityResolver` bean via `@ConditionalOnMissingBean`, and add/update tests (unit + MockMvc example).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JitRefreshTokenExpirationMockMvcTests.java | Adds an integration-style example test showing custom refresh-token expiry clamping using request context. |
| server/src/test/java/org/cloudfoundry/identity/uaa/oauth/refresh/RefreshTokenCreatorTest.java | Updates mocking to match the new resolver method signature used by RefreshTokenCreator. |
| server/src/main/java/org/cloudfoundry/identity/uaa/oauth/TokenValidityResolver.java | Adds the new overload accepting RefreshTokenRequestData as an extension point. |
| server/src/main/java/org/cloudfoundry/identity/uaa/oauth/refresh/RefreshTokenCreator.java | Switches refresh token expiration resolution to call the new overload with request context. |
| server/src/main/java/org/cloudfoundry/identity/uaa/oauth/beans/OauthEndpointBeanConfiguration.java | Makes the default refreshTokenValidityResolver bean conditional so custom implementations can replace it cleanly. |
Comment on lines +47 to +51
| * <li>A {@link UaaTokenEnhancer} that deposits a {@code exampleRefreshTokenExpiration} claim | ||
| * (read in production from {@code UaaAuthentication#getIdpIdToken()}) into the | ||
| * token's external attributes map.</li> | ||
| * <li>A {@link TokenValidityResolver} subclass that reads that claim and clamps the | ||
| * refresh token's TTL to {@code min(requestedExpiration, defaultExpiration)}.</li> |
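Review bot: the Javadoc at +47 to +51 should name the trust boundary: the `exampleRefreshTokenExpiration` claim is read from the upstream IdP's ID token (`UaaAuthentication#getIdpIdToken()`), so the resolver has to treat it as untrusted input that may only ever shorten the TTL, which is exactly what `min(requestedExpiration, defaultExpiration)` guarantees. Say that explicitly, and also document the two non-happy paths the list item skips: what the resolver returns when the claim is absent and what it does when the value cannot be parsed.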
Comment on lines +126 to +134
| Object claim = requestData.externalAttributes.get("exampleRefreshTokenExpiration"); | ||
| if (claim == null) { | ||
| return defaultExpiration; | ||
| } | ||
| Instant requested = Instant.parse(claim.toString()); | ||
| return requested.isBefore(defaultExpiration.toInstant()) | ||
| ? Date.from(requested) | ||
| : defaultExpiration; | ||
| } |
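Review bot: `Instant.parse(claim.toString())` throws `DateTimeParseException` on a malformed value, and because this claim comes from an external IdP token that turns bad upstream data into an unhandled exception on the refresh grant; catch it and fall back to `defaultExpiration` (or reject the grant explicitly), so the clamp can only shorten validity and never fail open or crash. Two smaller points in the same block: `requested.isBefore(defaultExpiration.toInstant())` also accepts an instant in the past, which mints a refresh token that is already expired, so decide whether that is intended and say so in a comment; and `requestData.externalAttributes` is dereferenced without a null check even though the enhancer that populates it is optional.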
Comment on lines +169 to +171
| long expectedDefault = Instant.now().plusSeconds(2592000).getEpochSecond(); | ||
| long expClaim = getRefreshTokenExpClaim(refreshToken); | ||
| assertThat(expClaim).isCloseTo(expectedDefault, within(10L)); |
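Review bot: `plusSeconds(2592000)` hardcodes the 30-day default TTL as a magic number; derive `expectedDefault` from the configured refresh token validity (the same value the default resolver reads) or at least name the constant, so the test does not silently drift from the configuration it is meant to check. The 10-second window around `Instant.now()` is a reasonable tolerance, but these three lines are repeated verbatim in the second test below; pull them into a helper.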
Comment on lines +184 to +186
| long expectedDefault = Instant.now().plusSeconds(2592000).getEpochSecond(); | ||
| long expClaim = getRefreshTokenExpClaim(refreshToken); | ||
| assertThat(expClaim).isCloseTo(expectedDefault, within(10L)); |
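Review bot: this block duplicates the assertion at +169 to +171 line for line; extract a helper such as `assertRefreshTokenExpiresAtDefault(refreshToken)` and reuse it. Both visible assertions only cover the unclamped case (exp equals the default), so make sure the MockMvc example also asserts the clamped path, where `exp` must equal the injected `exampleRefreshTokenExpiration` instant, and the malformed-claim path, otherwise the clamp itself is never exercised by the test.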
duanemay approved these changes Jun 12, 2026
Enhance the `TokenValidityResolver` bean to have access to more context information when determining validity time for a token. Added example to showcase how it can be used.
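The following is an added, self-contained Java example (not code from this pull request or from the UAA code base) of the pattern the PR enables: a resolver that receives request context and clamps the refresh token TTL to `min(claimed, default)`. The nested `TokenValidityResolver` interface and `RefreshTokenRequestData` class are stand-ins that mirror only the names and the two-argument overload described above; they are assumptions, not UAA's real types, and the 30-day default, the client id and the claim values are constructed for the demo. Compared with the snippet under review, this version treats the claim as untrusted: a missing, null or unparsable value falls back to the default instead of throwing, and a claimed instant later than the default can never extend validity.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class ClampedRefreshTokenValidityExample {

    // Stand-in for UAA's RefreshTokenRequestData (assumption): only the external
    // attributes map, populated by a token enhancer, is needed for the clamp.
    static final class RefreshTokenRequestData {
        final Map<String, Object> externalAttributes;
        RefreshTokenRequestData(Map<String, Object> externalAttributes) {
            this.externalAttributes = externalAttributes;
        }
    }

    // Stand-in for the extension point (assumption): the context-aware overload
    // defaults to the client-only one, so existing resolvers keep working unchanged.
    interface TokenValidityResolver {
        Date resolve(String clientId);
        default Date resolve(String clientId, RefreshTokenRequestData requestData) {
            return resolve(clientId);
        }
    }

    // Default resolver: a fixed TTL standing in for the client/zone-configured value.
    static final class DefaultResolver implements TokenValidityResolver {
        private final Duration ttl;
        DefaultResolver(Duration ttl) { this.ttl = ttl; }
        @Override public Date resolve(String clientId) {
            return Date.from(Instant.now().plus(ttl));
        }
    }

    // Clamping resolver: the claim originates from an upstream IdP token, so it is
    // untrusted. It may only shorten the TTL; anything unusable yields the default.
    static final class ClampingResolver implements TokenValidityResolver {
        static final String CLAIM = "exampleRefreshTokenExpiration"; // hypothetical claim name
        private final TokenValidityResolver delegate;
        ClampingResolver(TokenValidityResolver delegate) { this.delegate = delegate; }

        @Override public Date resolve(String clientId) { return delegate.resolve(clientId); }

        @Override public Date resolve(String clientId, RefreshTokenRequestData requestData) {
            Date defaultExpiration = delegate.resolve(clientId);
            if (requestData == null || requestData.externalAttributes == null) {
                return defaultExpiration;               // enhancer did not run: no context
            }
            Object claim = requestData.externalAttributes.get(CLAIM);
            if (claim == null) {
                return defaultExpiration;
            }
            Instant requested;
            try {
                requested = Instant.parse(claim.toString());
            } catch (DateTimeParseException e) {
                return defaultExpiration;               // malformed upstream data: fail closed to default
            }
            // min(requested, default): a later claim never extends validity. A claim in
            // the past is honoured as-is and produces an already-expired refresh token.
            return requested.isBefore(defaultExpiration.toInstant())
                    ? Date.from(requested)
                    : defaultExpiration;
        }
    }

    static RefreshTokenRequestData withClaim(Object value) {
        Map<String, Object> attrs = new HashMap<>();
        if (value != null) attrs.put(ClampingResolver.CLAIM, value);
        return new RefreshTokenRequestData(attrs);
    }

    // True when the resolved expiry is within 10 s of the expected instant.
    static boolean isAbout(Date actual, Instant expected) {
        return Math.abs(actual.toInstant().getEpochSecond() - expected.getEpochSecond()) <= 10;
    }

    public static void main(String[] args) {
        Duration defaultTtl = Duration.ofDays(30);                 // constructed default
        TokenValidityResolver resolver = new ClampingResolver(new DefaultResolver(defaultTtl));
        Instant now = Instant.now();
        String client = "example-client";                          // constructed client id
        Instant sessionEnd = now.plus(Duration.ofHours(8));        // e.g. IdP session lifetime

        System.out.println("absent claim keeps default:   "
                + isAbout(resolver.resolve(client, withClaim(null)), now.plus(defaultTtl)));
        System.out.println("shorter claim clamps down:    "
                + isAbout(resolver.resolve(client, withClaim(sessionEnd.toString())), sessionEnd));
        System.out.println("longer claim cannot extend:   "
                + isAbout(resolver.resolve(client, withClaim(now.plus(Duration.ofDays(365)).toString())), now.plus(defaultTtl)));
        System.out.println("garbage claim keeps default:  "
                + isAbout(resolver.resolve(client, withClaim("not-a-timestamp")), now.plus(defaultTtl)));
        System.out.println("one-arg overload still works: "
                + isAbout(resolver.resolve(client), now.plus(defaultTtl)));
    }
}
```

Run with `java ClampedRefreshTokenValidityExample.java`; every line should print `true`. The design choice worth carrying into a real module is the fail-closed fallback: because the claim crosses a trust boundary from the IdP into the token service, a parse failure must never surface as an exception on the refresh grant or, worse, be skipped in a way that leaves the default in place without anyone noticing; logging the fallback at warn level is the natural next step.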