com.broadleafcommerce.auth.token.service

Interface RotatableTokenStore

All Superinterfaces:

org.springframework.security.oauth2.provider.token.TokenStore

All Known Implementing Classes:

DefaultRotatingTokenStore

public interface RotatableTokenStore
extends org.springframework.security.oauth2.provider.token.TokenStore

A specialized TokenStore concept used to support the refresh token rotation concept in Broadleaf.

Method Summary

Modifier and Type	Method and Description
String	cleanupBatch(String startingId, int partition) Given a refresh token primary key from which to start (i.e.
List<RefreshToken>	findByAncestor(String tokenValue) Find all refresh token instances derived from the original, root refresh token.
int	getPartition() Randomly retrieve a partition number with the bounds of the partitions currently available to the system.
int	getPartition(String tokenValue) Given an encoded refresh token string, find the partition on which that token is stored.
List<Integer>	getPartitions() List all the partitions known to the system
String	getRootId(String tokenValue) Given an encoded refresh token string, find the root token JTI for the inheritance line.
void	isolatedRemoveRefreshTokenById(int partition, String tokenId) Remove a specific refresh token using its primary key and partition
RefreshToken	readRefreshTokenEntity(String tokenValue) Given an encoded refresh token string, return the RefreshToken instance matching from the datastore.
void	rotate(String tokenValue) Given an encoded refresh token string, find that refresh token in the datastore and perform rotation setup on it.
default void	storeRefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken, org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
void	storeRefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken, org.springframework.security.oauth2.provider.OAuth2Authentication authentication, String ancestorRefreshToken) Store a refresh token in the datastore, and include the JTI value of the original, root refresh token in the line.

Methods inherited from interface org.springframework.security.oauth2.provider.token.TokenStore

findTokensByClientId, findTokensByClientIdAndUserName, getAccessToken, readAccessToken, readAuthentication, readAuthentication, readAuthenticationForRefreshToken, readRefreshToken, removeAccessToken, removeAccessTokenUsingRefreshToken, removeRefreshToken, storeAccessToken

Method Detail

rotate

void rotate(@NonNull
            String tokenValue)

Given an encoded refresh token string, find that refresh token in the datastore and perform rotation setup on it. Specifically, mark the token as rotation and set its rotation expiration.

Parameters:

tokenValue - The refresh token to rotate

Throws:

org.springframework.security.oauth2.common.exceptions.InvalidTokenException - Thrown if the rotation fails

findByAncestor

@NonNull
List<RefreshToken> findByAncestor(@NonNull
                                           String tokenValue)

Find all refresh token instances derived from the original, root refresh token.

Parameters:

tokenValue - The original, root refresh token

Returns:

All refresh token instances derived from the original, root refresh token

See Also:

RefreshTokenRepository.findByAncestor(String)

isolatedRemoveRefreshTokenById

void isolatedRemoveRefreshTokenById(int partition,
                                    @NonNull
                                    String tokenId)

Remove a specific refresh token using its primary key and partition

Parameters:

partition - The partition shard in which the refresh token entity exists

tokenId - The primary key value of the refresh token

storeRefreshToken

void storeRefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken,
                       org.springframework.security.oauth2.provider.OAuth2Authentication authentication,
                       String ancestorRefreshToken)

Store a refresh token in the datastore, and include the JTI value of the original, root refresh token in the line.

Parameters:

refreshToken - The refresh token to store

authentication - The current authentication associated with the token

ancestorRefreshToken - The original, root refresh token JTI

storeRefreshToken

default void storeRefreshToken(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken,
                               org.springframework.security.oauth2.provider.OAuth2Authentication authentication)

Specified by:

storeRefreshToken in interface org.springframework.security.oauth2.provider.token.TokenStore

getPartition

int getPartition()

Randomly retrieve a partition number with the bounds of the partitions currently available to the system. This is the primary load balancing measure for distributing members across the available shards.

Returns:

Random partition number with the bounds of the partitions currently available

getPartition

int getPartition(@NonNull
                 String tokenValue)

Given an encoded refresh token string, find the partition on which that token is stored.

Parameters:

tokenValue - The encoded refresh token string

Returns:

The partition on which that token is stored

getPartitions

@NonNull
List<Integer> getPartitions()

List all the partitions known to the system

Returns:

All the partitions known to the system

readRefreshTokenEntity

@Nullable
RefreshToken readRefreshTokenEntity(@NonNull
                                              String tokenValue)

Given an encoded refresh token string, return the RefreshToken instance matching from the datastore.

Parameters:

tokenValue - The encoded refresh token string

Returns:

The RefreshToken instance matching from the datastore

cleanupBatch

@Nullable
String cleanupBatch(@Nullable
                              String startingId,
                              int partition)

Given a refresh token primary key from which to start (i.e. RefreshToken.getId(), delete all refresh tokens that have expired (either token expiration or rotation expiration) in a batch. The size of the batch is governed by TokenProperties.getCleanupBatchSize(). The intent is to call this method in succession until the response is null, indicating the whole table has been traversed.

Parameters:

startingId - The refresh token primary key from which to begin expiration detection and cleanup. This value should be null when run the first time.

partition - The partition on which to perform the check (the startingId should be available in this partition)

Returns:

The last member of the batch. Use this value in the next call to cleanupBatch. This can be null if no records are available, only one record is available, or if the end of the batch is reached.

getRootId

@NonNull
String getRootId(@NonNull
                          String tokenValue)

Given an encoded refresh token string, find the root token JTI for the inheritance line.

Parameters:

tokenValue - The encoded refresh token string

Returns:

The the root token JTI for the inheritance line. If this token is itself the root, then the response will be this token's own JTI.