Skip to content

Prevent ID token refresh in device code flow #2177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: 1.4.x
Choose a base branch
from
Open

Prevent ID token refresh in device code flow #2177

wants to merge 3 commits into from

Conversation

fine-pine
Copy link

  • Disallow usage of the openid scope in device authorization requests
  • Allow ID token refresh when an ID token already exists

Closes gh-2037

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 26, 2025
@fine-pine fine-pine force-pushed the gh-2037 branch 2 times, most recently from f3eec52 to 7430616 Compare August 26, 2025 09:11
@fine-pine fine-pine marked this pull request as ready for review August 26, 2025 09:43
@injae-kim injae-kim mentioned this pull request Aug 26, 2025
Open
@jgrandja jgrandja added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 19, 2025
@jgrandja jgrandja self-assigned this Sep 19, 2025
jgrandja
jgrandja requested changes Sep 19, 2025
View reviewed changes
Copy link
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix @fine-pine. Please see review comments.

Also, there are a couple of failing tests so please run the build and ensure it passes before submitting your changes.

Lastly, please rebase the fix on 1.4.x. Thanks.

fine-pine and others added 3 commits September 20, 2025 15:47
@fine-pine
Prevent ID token refresh in device code flow
9ddb20a 
- Disallow usage of the `openid` scope in device authorization requests
- Allow ID token refresh when an ID token already exists

Closes spring-projectsgh-2037

Signed-off-by: fine-pine <[email protected]>
@fine-pine @injae-kim
Resolve lint review
4ea9a73 
Co-authored-by: injae kim <[email protected]>
Signed-off-by: Lee Song Mok <[email protected]>
@fine-pine
Resolve reviews
7d06aaa 
Signed-off-by: fine-pine <[email protected]>
@fine-pine fine-pine changed the base branch from main to 1.4.x September 20, 2025 06:50
@fine-pine fine-pine requested a review from jgrandja September 20, 2025 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jgrandja jgrandja Awaiting requested review from jgrandja

1 more reviewer

@injae-kim injae-kim injae-kim left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@jgrandja jgrandja

Labels
type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

500 Error on Refresh Token Request in Device Code Flow When Using openid Scope
4 participants
@fine-pine @jgrandja @injae-kim @spring-projects-issues