While implementing the UMA resource server filter we discovered the requirement to interact as an OAuth2 client with external OAuth2 resource servers. Typically, client code obtains an OAuth2 access token and a refresh token and then interacts with the resource server. The resource server may reject the request because the access token has expired, in which case the client should refresh the token and retry the operation.
Here is an example of how this may look in client code:
We should be able to extract such an API from the existing OpenIG OAuth2ClientFilter which already has similar functionality. The resulting API could handle several use cases:
- the access token and refresh token have already been obtained by some external processing, e.g. in UMA the PAT and its associated refresh token may be supplied when the resource owner is first provisioned in the RS
- the OAuth2 client is responsible for obtaining the access token and refresh token and interacting with the end-user and AS in order to obtain authorization. This is currently the goal of the OAuth2ClientFilter, but we may want to extract it out as a separate API for use in CHF.
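The refresh-and-retry flow described above, covering both use cases in the list, as an added Python model. This is not code from the OpenIG issue or from the OAuth2ClientFilter; the authorization server and resource server are constructed fakes driven by a manual clock, and the class and method names (`FakeAuthorizationServer`, `FakeResourceServer`, `OAuth2Client.call`) are assumptions for illustration. The client either receives tokens from external provisioning (the UMA PAT case) or obtains them through a callback on first use, refreshes exactly once on a 401, and surfaces a failed refresh instead of looping.

```python
"""Added example: OAuth2 client refresh-and-retry against a resource server.
Not code from the OpenIG issue; the AS and RS below are constructed fakes."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Tokens:
    access_token: str
    refresh_token: str


class Clock:
    """Manually advanced clock so token expiry can be simulated offline."""
    def __init__(self) -> None:
        self.t = 0

    def now(self) -> int:
        return self.t


class FakeAuthorizationServer:
    """Stand-in for the AS token endpoint: issues access tokens with a fixed
    lifetime and rotates refresh tokens on each refresh grant (hypothetical)."""

    def __init__(self, now: Callable[[], int], lifetime: int = 10) -> None:
        self._now = now
        self._lifetime = lifetime
        self._access_expiry = {}      # access token -> expiry time
        self._refresh_tokens = set()  # refresh tokens still accepted
        self._seq = 0

    def _mint(self) -> Tokens:
        self._seq += 1
        t = Tokens(f"at-{self._seq}", f"rt-{self._seq}")
        self._access_expiry[t.access_token] = self._now() + self._lifetime
        self._refresh_tokens.add(t.refresh_token)
        return t

    def issue(self) -> Tokens:
        """Initial grant (authorization code, PAT provisioning, ...)."""
        return self._mint()

    def refresh(self, refresh_token: str) -> Tokens:
        """Refresh grant: the old refresh token is consumed, a new pair issued."""
        if refresh_token not in self._refresh_tokens:
            raise PermissionError("invalid_grant: refresh token unknown or revoked")
        self._refresh_tokens.discard(refresh_token)
        return self._mint()

    def revoke(self, refresh_token: str) -> None:
        self._refresh_tokens.discard(refresh_token)

    def introspect(self, access_token: str) -> bool:
        exp = self._access_expiry.get(access_token)
        return exp is not None and exp > self._now()


class FakeResourceServer:
    """Stand-in RS: 200 for a valid bearer token, 401 invalid_token otherwise."""

    def __init__(self, auth_server: FakeAuthorizationServer) -> None:
        self._as = auth_server
        self.requests_seen = 0

    def get(self, access_token: str) -> Tuple[int, str]:
        self.requests_seen += 1
        if self._as.introspect(access_token):
            return 200, "protected resource"
        return 401, 'WWW-Authenticate: Bearer error="invalid_token"'


class OAuth2Client:
    """Client-side token handling. `tokens` is the pre-provisioned case; `obtain`
    is the case where the client runs the grant itself (reduced to a callback)."""

    def __init__(self, auth_server: FakeAuthorizationServer,
                 tokens: Optional[Tokens] = None,
                 obtain: Optional[Callable[[], Tokens]] = None) -> None:
        if tokens is None and obtain is None:
            raise ValueError("need pre-provisioned tokens or an obtain() callback")
        self._as = auth_server
        self._tokens = tokens
        self._obtain = obtain

    @property
    def tokens(self) -> Optional[Tokens]:
        return self._tokens

    def call(self, request: Callable[[str], Tuple[int, str]]) -> Tuple[int, str]:
        if self._tokens is None:
            self._tokens = self._obtain()
        status, body = request(self._tokens.access_token)
        if status != 401:
            return status, body
        # Token rejected: refresh once and retry once. A bounded retry keeps a
        # misbehaving AS from turning the client into a request loop; a failed
        # refresh propagates so the caller can re-authorize.
        self._tokens = self._as.refresh(self._tokens.refresh_token)
        return request(self._tokens.access_token)


def demo() -> dict:
    clock = Clock()
    auth = FakeAuthorizationServer(clock.now, lifetime=10)
    rs = FakeResourceServer(auth)

    # Use case 1: tokens handed over by external provisioning (e.g. a PAT).
    client = OAuth2Client(auth, tokens=auth.issue())
    first = client.call(rs.get)      # fresh token: 200 on the first request
    clock.t = 30                     # access token now expired
    second = client.call(rs.get)     # 401 -> refresh -> retry -> 200
    after_retry = rs.requests_seen   # 1 + (1 rejected + 1 retry) = 3

    # Use case 2: the client obtains the token pair itself on first use.
    lazy = OAuth2Client(auth, obtain=auth.issue)
    third = lazy.call(rs.get)

    # Failure mode: refresh token revoked, so the retry cannot be performed.
    clock.t = 60
    auth.revoke(lazy.tokens.refresh_token)
    try:
        lazy.call(rs.get)
        refresh_failed = False
    except PermissionError:
        refresh_failed = True

    return {"first": first[0], "second": second[0], "rs_requests": after_retry,
            "third": third[0], "refresh_failed": refresh_failed}


if __name__ == "__main__":
    print(demo())
```

The single-retry rule is the part worth carrying into a real implementation: on a 401 the client refreshes and retries once, and if the retry or the refresh itself fails it returns the error to the caller rather than refreshing again, which is what an extracted API would need to guarantee before it can be shared between the UMA filter and CHF.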