Package com.broadleafcommerce.auth.token

Class TokenProperties

  • @ConfigurationProperties(prefix="broadleaf.auth.token")
public class TokenProperties
extends Object
    Configuration properties for refresh token rotation handling

    • Field Detail

      • REFRESH_TOKEN_TIMEOUT_SECONDS_DEFAULT

        public static final int REFRESH_TOKEN_TIMEOUT_SECONDS_DEFAULT
        See Also:
        Constant Field Values

      • REFRESH_TOKEN_ROTATION_INTERVAL_SECONDS_DEFAULT

        public static final int REFRESH_TOKEN_ROTATION_INTERVAL_SECONDS_DEFAULT
        See Also:
        Constant Field Values

      • TOKEN_TIMEOUT_SECONDS_DEFAULT

        public static final int TOKEN_TIMEOUT_SECONDS_DEFAULT
        See Also:
        Constant Field Values

      • REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MAX_DEFAULT

        public static final int REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MAX_DEFAULT
        See Also:
        Constant Field Values

      • REFRESH_TOKEN_CLEANUP_BATCH_SIZE_DEFAULT

        public static final int REFRESH_TOKEN_CLEANUP_BATCH_SIZE_DEFAULT
        See Also:
        Constant Field Values

      • REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MIN_DEFAULT

        public static final int REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MIN_DEFAULT
        See Also:
        Constant Field Values

    • Constructor Detail

      • TokenProperties

        public TokenProperties()

    • Method Detail

      • getRefreshTokenRotationInterval

        public Duration getRefreshTokenRotationInterval()
        Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated. This allows for a small window where inadvertent issues (like poor mobile network quality) can be overcome with a refresh retry without failing. Once the interval is exceeded after an initial rotation, any attempt to refresh for a new auth token will fail. This value should be kept as small as possible to avoid opening a larger window for replay attack.

        The default interval is 60 seconds.

      • isSupportRefreshTokenRotation

        public boolean isSupportRefreshTokenRotation()
        Whether or not refresh token rotation is supported. If true, a refresh token is included with the access token when an access token is requested (note, the AuthorizedClient#getGrantTypes() must also include "refresh_token" for a refresh token to actually be emitted with the access token as a pair). When the access token expires, the refresh token may be used to request a new access token. The new access token will include a new refresh token (i.e. refresh token rotation) that may be used in the future. The rotated access token should not be used again and will quickly become invalid after TokenProperties#getRefreshTokenRotationInterval().

        The default value is false.

      • isSupportRefreshTokenCleanup

        public boolean isSupportRefreshTokenCleanup()
        Whether or not the system should cleanup expired refresh tokens from the system. This is highly recommended. This property is only effective when TokenProperties#getSupportRefreshTokenRotation() is true.

        The default value is true.

      • getNamespace

        public String getNamespace()
        Namespace to use when getting the view for the camel cluster. Default is "lock".

      • isDeveloperMode

        @Deprecated
public boolean isDeveloperMode()
        Deprecated.
        Appropriate state for development is now handled through the broadleaf.messaging.cluster-service-implementation-type property.
        Indicates the cluster service system is intended in this configuration to be used by developers, rather than a real deployment. This setting causes an additional random piece of information to be appended to TokenProperties#getNamespace() so that instances of the same service being run by multiple devs on the same subnet are not interpreted as being part of the same cluster. Otherwise, behavior could be unpredictable between machines and services might not start up locally for one or more devs. The default is true.

      • getMaxTokenCleanupInterval

        public Duration getMaxTokenCleanupInterval()
        The max amount of pause time between batch expired refresh token cleanup attempts. Default is 10 seconds.

      • getMinTokenCleanupInterval

        public Duration getMinTokenCleanupInterval()
        The min amount of pause time between batch expired refresh token cleanup attempts. Default is 3 seconds. This value always wins, and you can set this value equal to or greater than maxTokenCleanupInterval to achieve a constant, non-randomized value.

      • getCleanupBatchSize

        public int getCleanupBatchSize()
        The quantity of expired refresh tokens to delete at one time. Should be somewhat conservative to avoid overworking the database or causing the transaction log to spiral out of control. Default is 20000.

      • setRefreshTokenRotationInterval

        public void setRefreshTokenRotationInterval​(Duration refreshTokenRotationInterval)
        Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated. This allows for a small window where inadvertent issues (like poor mobile network quality) can be overcome with a refresh retry without failing. Once the interval is exceeded after an initial rotation, any attempt to refresh for a new auth token will fail. This value should be kept as small as possible to avoid opening a larger window for replay attack.

        The default interval is 60 seconds.

      • setSupportRefreshTokenRotation

        public void setSupportRefreshTokenRotation​(boolean supportRefreshTokenRotation)
        Whether or not refresh token rotation is supported. If true, a refresh token is included with the access token when an access token is requested (note, the AuthorizedClient#getGrantTypes() must also include "refresh_token" for a refresh token to actually be emitted with the access token as a pair). When the access token expires, the refresh token may be used to request a new access token. The new access token will include a new refresh token (i.e. refresh token rotation) that may be used in the future. The rotated access token should not be used again and will quickly become invalid after TokenProperties#getRefreshTokenRotationInterval().

        The default value is false.

      • setSupportRefreshTokenCleanup

        public void setSupportRefreshTokenCleanup​(boolean supportRefreshTokenCleanup)
        Whether or not the system should cleanup expired refresh tokens from the system. This is highly recommended. This property is only effective when TokenProperties#getSupportRefreshTokenRotation() is true.

        The default value is true.

      • setNamespace

        public void setNamespace​(String namespace)
        Namespace to use when getting the view for the camel cluster. Default is "lock".

      • setDeveloperMode

        @Deprecated
public void setDeveloperMode​(boolean developerMode)
        Deprecated.
        Appropriate state for development is now handled through the broadleaf.messaging.cluster-service-implementation-type property.
        Indicates the cluster service system is intended in this configuration to be used by developers, rather than a real deployment. This setting causes an additional random piece of information to be appended to TokenProperties#getNamespace() so that instances of the same service being run by multiple devs on the same subnet are not interpreted as being part of the same cluster. Otherwise, behavior could be unpredictable between machines and services might not start up locally for one or more devs. The default is true.

      • setMaxTokenCleanupInterval

        public void setMaxTokenCleanupInterval​(Duration maxTokenCleanupInterval)
        The max amount of pause time between batch expired refresh token cleanup attempts. Default is 10 seconds.

      • setMinTokenCleanupInterval

        public void setMinTokenCleanupInterval​(Duration minTokenCleanupInterval)
        The min amount of pause time between batch expired refresh token cleanup attempts. Default is 3 seconds. This value always wins, and you can set this value equal to or greater than maxTokenCleanupInterval to achieve a constant, non-randomized value.

      • setCleanupBatchSize

        public void setCleanupBatchSize​(int cleanupBatchSize)
        The quantity of expired refresh tokens to delete at one time. Should be somewhat conservative to avoid overworking the database or causing the transaction log to spiral out of control. Default is 20000.

      • canEqual

        protected boolean canEqual​(Object other)

      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class Object