Joe Grandja пре 1 недеља
родитељ
комит
5eff090700

+ 5 - 3
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java

@@ -215,10 +215,12 @@ public final class OAuth2RefreshTokenAuthenticationProvider implements Authentic
 		// ----- Refresh token -----
 		OAuth2RefreshToken currentRefreshToken = refreshToken.getToken();
 		if (!registeredClient.getTokenSettings().isReuseRefreshTokens()) {
+			// @formatter:off
 			tokenContext = tokenContextBuilder
 					.tokenType(OAuth2TokenType.REFRESH_TOKEN)
-					.authorization(authorizationBuilder.build()) // allows refresh token to retrieve access token
+					.authorization(authorizationBuilder.build())	// Refresh token generator/customizer may need access to the access token
 					.build();
+			// @formatter:on
 			OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(tokenContext);
 			if (!(generatedRefreshToken instanceof OAuth2RefreshToken)) {
 				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR,
@@ -256,8 +258,8 @@ public final class OAuth2RefreshTokenAuthenticationProvider implements Authentic
 
 			idToken = new OidcIdToken(generatedIdToken.getTokenValue(), generatedIdToken.getIssuedAt(),
 					generatedIdToken.getExpiresAt(), ((Jwt) generatedIdToken).getClaims());
-			authorizationBuilder.token(idToken, metadata ->
-					metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
+			authorizationBuilder.token(idToken,
+					(metadata) -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
 		}
 		else {
 			idToken = null;
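Review bot: The trailing comment on the `.authorization(authorizationBuilder.build())` line in the first hunk is separated from the code by a tab rather than the spaces used elsewhere, and because the call sits between `// @formatter:off` and `// @formatter:on` the formatter will never normalize it. Consider moving the explanation onto its own line above the call so the chain stays compact: `// Refresh token generator/customizer may need access to the (new) access token` followed by `.authorization(authorizationBuilder.build())`. The second hunk in this section only re-wraps the `authorizationBuilder.token(...)` lambda, so it needs nothing further. The enclosing method starts and ends outside both hunks.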

+ 11 - 8
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java

@@ -329,14 +329,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
 		OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) this.authenticationProvider
 			.authenticate(authentication);
 
-		ArgumentCaptor<OAuth2TokenContext> oAuth2TokenContextCaptor = ArgumentCaptor.forClass(OAuth2TokenContext.class);
-		verify(this.tokenGenerator, times(2)).generate(oAuth2TokenContextCaptor.capture());
-		// tokenGenerator is first invoked for generating a new access token and then for generating the refresh token for this access token
-		List<OAuth2TokenContext> tokenContexts = oAuth2TokenContextCaptor.getAllValues();
-		assertThat(tokenContexts).hasSize(2);
-		assertThat(tokenContexts.get(0).getAuthorization().getAccessToken().getToken().getTokenValue()).isEqualTo("access-token");
-		assertThat(tokenContexts.get(1).getAuthorization().getAccessToken().getToken().getTokenValue()).isEqualTo("refreshed-access-token");
-
 		ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
 		verify(this.authorizationService).save(authorizationCaptor.capture());
 		OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
@@ -344,6 +336,17 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
 		assertThat(accessTokenAuthentication.getRefreshToken())
 			.isEqualTo(updatedAuthorization.getRefreshToken().getToken());
 		assertThat(updatedAuthorization.getRefreshToken()).isNotEqualTo(authorization.getRefreshToken());
+
+		ArgumentCaptor<OAuth2TokenContext> tokenContextCaptor = ArgumentCaptor.forClass(OAuth2TokenContext.class);
+		verify(this.tokenGenerator, times(2)).generate(tokenContextCaptor.capture());
+		// tokenGenerator is first invoked for generating a new access token and then for
+		// generating the refresh token
+		List<OAuth2TokenContext> tokenContexts = tokenContextCaptor.getAllValues();
+		assertThat(tokenContexts).hasSize(2);
+		assertThat(tokenContexts.get(0).getAuthorization().getAccessToken().getToken().getTokenValue())
+			.isEqualTo("access-token");
+		assertThat(tokenContexts.get(1).getAuthorization().getAccessToken().getToken().getTokenValue())
+			.isEqualTo("refreshed-access-token");
 	}
 
 	@Test
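Review bot: The relocated assertions in the second hunk verify the access-token value carried by each captured context but never pin which token type each context was created for, so the ordering described in the comment (access token first, then the refresh token) is only implied by the list index. Adding `assertThat(tokenContexts.get(1).getTokenType()).isEqualTo(OAuth2TokenType.REFRESH_TOKEN);` after the `hasSize(2)` check would make the test actually assert that the refresh-token context is the one receiving the refreshed access token, which is the contract the provider's comment documents. The first hunk is a pure deletion of the same assertions and needs nothing. The enclosing test method starts outside the hunk.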