fix: Allow OidcAuthorizedClientRefreshedEventListener refreshing if authentication subclasses OAuth2AuthenticationToken

Signed-off-by: Michel Palourdio <mpalourdio@gmail.com>

fix: Allow OidcAuthorizedClientRefreshedEventListener refreshing if authentication subclasses OAuth2AuthenticationToken

Author: mpalourdio

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java

@@ -106,11 +106,10 @@ public void onApplicationEvent(OAuth2AuthorizedClientRefreshedEvent event) {
 
 		// The current authentication must be an OAuth2AuthenticationToken
 		Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
-		if (!(authentication instanceof OAuth2AuthenticationToken authenticationToken)
-				|| authenticationToken.getClass() != OAuth2AuthenticationToken.class) {
+		if (!(authentication instanceof OAuth2AuthenticationToken authenticationToken)) {
 			// This event listener only handles the default authentication result. If the
-			// application customizes the authentication result, then a custom event
-			// handler should be provided.
+			// application customizes the authentication result by not subclassing
+			// OAuth2AuthenticationToken, then a custom event handler should be provided.
 			return;
 		}
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListenerTests.java

@@ -239,19 +239,20 @@ public void onApplicationEventWhenAuthenticationIsNotOAuth2ThenOidcUserRefreshed
 	}
 
 	@Test
-	public void onApplicationEventWhenAuthenticationIsCustomThenOidcUserRefreshedEventNotPublished() {
+	public void onApplicationEventWhenAuthenticationIsSubclassedThenOidcUserRefreshedEventPublished() {
 		OAuth2AuthenticationToken authentication = new CustomOAuth2AuthenticationToken(this.oidcUser,
 				this.oidcUser.getAuthorities(), this.clientRegistration.getRegistrationId());
 		SecurityContextImpl securityContext = new SecurityContextImpl(authentication);
 		given(this.securityContextHolderStrategy.getContext()).willReturn(securityContext);
+		given(this.jwtDecoder.decode(anyString())).willReturn(this.jwt);
+		given(this.userService.loadUser(any(OidcUserRequest.class))).willReturn(this.oidcUser);
 
 		OAuth2AuthorizedClientRefreshedEvent authorizedClientRefreshedEvent = new OAuth2AuthorizedClientRefreshedEvent(
 				this.accessTokenResponse, this.authorizedClient);
 		this.eventListener.onApplicationEvent(authorizedClientRefreshedEvent);
 
-		verify(this.securityContextHolderStrategy).getContext();
-		verifyNoMoreInteractions(this.securityContextHolderStrategy);
-		verifyNoInteractions(this.jwtDecoder, this.userService, this.applicationEventPublisher);
+		verify(this.applicationEventPublisher).publishEvent(any(OidcUserRefreshedEvent.class));
+		verifyNoMoreInteractions(this.applicationEventPublisher);
 	}
 
 	@Test