Class DefaultRotatingTokenServices

  • All Implemented Interfaces:
    org.springframework.beans.factory.InitializingBean, org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices, org.springframework.security.oauth2.provider.token.ConsumerTokenServices, org.springframework.security.oauth2.provider.token.ResourceServerTokenServices

    public class DefaultRotatingTokenServices
    extends Object
    implements org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices, org.springframework.security.oauth2.provider.token.ResourceServerTokenServices, org.springframework.security.oauth2.provider.token.ConsumerTokenServices, org.springframework.beans.factory.InitializingBean
    Based on DefaultTokenServices. Honors refresh token rotation behavior.

    Broadleaf primarily supports the notion of OAuth refresh tokens in the context of the auth code flow, and only through the use of rotation. This means that, when enabled, a new refresh token is returned with every acquisition of an access token from the auth server. Furthermore, each of these refresh tokens may be used only once, with the exception of the boundary defined in RefreshToken.getRotationExpiration().

    There are several requirements to use refresh token rotation:
    1. The JpaAuthorizedClient.getGrantTypes() list must include refresh_token when that client is targeted in an oauth flow
    2. The property broadleaf.auth.token.support-refresh-token-rotation must be set to true in your application property file
    3. The scopes requested during both auth code and token acquisition API calls must include the OFFLINE_ACCESS scope
    The combinations of these three factors should allow for granular refresh token use cases, even within the context of a single oauth client.
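To make the rotation rules above concrete, here is an added Python model of the semantics (this is not Broadleaf's code, which is Java and backed by a RotatableTokenStore). The grace window after rotation, the single-line bookkeeping, and the choice to revoke the whole line on a late reuse are assumptions about how getRotationExpiration() and invalidateLine() behave.

```python
from dataclasses import dataclass
from typing import Optional
import itertools
import secrets

class InvalidGrant(Exception):
    """Refresh token rejected (plays the role of Spring's InvalidGrantException)."""

@dataclass
class RefreshToken:
    value: str
    line_id: int                      # tokens descending from one original grant share a line
    expires_at: float                 # absolute expiry: issue time + refresh validity seconds
    rotated: bool = False             # set once this token has been exchanged (cf. rotate())
    rotation_expiration: Optional[float] = None  # assumed grace boundary after rotation

class RotatingTokenStore:
    def __init__(self, validity_seconds: int = 3600, rotation_grace_seconds: int = 30) -> None:
        self.validity = validity_seconds          # constructed defaults, not Broadleaf's
        self.grace = rotation_grace_seconds
        self.tokens: dict[str, RefreshToken] = {}
        self._lines = itertools.count(1)

    def issue(self, now: float, line_id: Optional[int] = None) -> RefreshToken:
        """Mint a refresh token: a fresh line for an initial grant, else the caller's line."""
        token = RefreshToken(secrets.token_urlsafe(16), line_id or next(self._lines),
                             now + self.validity)
        self.tokens[token.value] = token
        return token

    def invalidate_line(self, line_id: int) -> None:
        """Delete every token in the line (cf. invalidateLine)."""
        for value in [v for v, t in self.tokens.items() if t.line_id == line_id]:
            del self.tokens[value]

    def refresh(self, value: str, now: float) -> RefreshToken:
        """Exchange a refresh token for a rotated successor, enforcing single use."""
        token = self.tokens.get(value)
        if token is None:
            raise InvalidGrant("unknown refresh token")
        if now >= token.expires_at:                      # cf. isExpired
            self.invalidate_line(token.line_id)
            raise InvalidGrant("refresh token expired")
        if token.rotated:
            if now > token.rotation_expiration:          # reuse past the boundary is a
                self.invalidate_line(token.line_id)      # replay signal: revoke the line
                raise InvalidGrant("rotated token reused; line invalidated")
            # inside the boundary (e.g. a retried request) the reuse is tolerated
        else:                                            # cf. rotate()
            token.rotated = True
            token.rotation_expiration = now + self.grace
        return self.issue(now, token.line_id)
```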
    • Method Summary

      Modifier and Type Method Description
      void afterPropertiesSet()
      Initialize these token services.
      org.springframework.security.oauth2.common.OAuth2AccessToken createAccessToken​(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)  
      org.springframework.security.oauth2.common.OAuth2AccessToken getAccessToken​(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)  
      protected int getAccessTokenValiditySeconds​(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
      The access token validity period in seconds
      String getClientId​(String tokenValue)  
      protected int getRefreshTokenValiditySeconds​(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
      The refresh token validity period in seconds
      protected void invalidateLine​(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
      Delete a refresh token and any associated members in the line
      protected boolean isExpired​(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
      Whether or not the refresh token is expired
      protected boolean isSupportRefreshToken​(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
      Whether a refresh token is supported for this client (or, if clientDetailsService is not set, the global setting).
      org.springframework.security.oauth2.provider.OAuth2Authentication loadAuthentication​(String accessTokenValue)  
      org.springframework.security.oauth2.common.OAuth2AccessToken readAccessToken​(String accessToken)  
      org.springframework.security.oauth2.common.OAuth2AccessToken refreshAccessToken​(String refreshTokenValue, org.springframework.security.oauth2.provider.TokenRequest tokenRequest)  
      boolean revokeToken​(String tokenValue)
      Revoke a refresh token
      protected void rotate​(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
      Given a refresh token that is being used to request a new access token, perform rotation setup on it.
      void setAccessTokenValiditySeconds​(int accessTokenValiditySeconds)
      The default validity (in seconds) of the access token.
      void setAuthenticationManager​(org.springframework.security.authentication.AuthenticationManager authenticationManager)
      An authentication manager that will be used (if provided) to check the user authentication when a token is refreshed.
      void setClientDetailsService​(org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService)
      The client details service to use for looking up clients (if necessary).
      void setRefreshTokenValiditySeconds​(int refreshTokenValiditySeconds)
      The validity (in seconds) of the refresh token.
      void setTokenEnhancer​(org.springframework.security.oauth2.provider.token.TokenEnhancer accessTokenEnhancer)
      An access token enhancer that will be applied to a new token before it is saved in the token store.
      void setTokenStore​(RotatableTokenStore tokenStore)
      The persistence strategy for token storage.
    • Constructor Detail

      • DefaultRotatingTokenServices

        public DefaultRotatingTokenServices​(TokenProperties properties)
    • Method Detail

      • afterPropertiesSet

        public void afterPropertiesSet()
                                throws Exception
        Initialize these token services.
        Specified by:
        afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
        Throws:
        Exception
      • createAccessToken

        @Transactional
        public org.springframework.security.oauth2.common.OAuth2AccessToken createAccessToken​(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
                                                                                       throws org.springframework.security.core.AuthenticationException
        Specified by:
        createAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
        Throws:
        org.springframework.security.core.AuthenticationException
      • refreshAccessToken

        @Transactional(noRollbackFor={org.springframework.security.oauth2.common.exceptions.InvalidTokenException.class,org.springframework.security.oauth2.common.exceptions.InvalidGrantException.class})
        public org.springframework.security.oauth2.common.OAuth2AccessToken refreshAccessToken​(String refreshTokenValue,
                                                                                               org.springframework.security.oauth2.provider.TokenRequest tokenRequest)
                                                                                        throws org.springframework.security.core.AuthenticationException
        Specified by:
        refreshAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
        Throws:
        org.springframework.security.core.AuthenticationException
      • loadAuthentication

        public org.springframework.security.oauth2.provider.OAuth2Authentication loadAuthentication​(String accessTokenValue)
                                                                                             throws org.springframework.security.core.AuthenticationException,
                                                                                                    org.springframework.security.oauth2.common.exceptions.InvalidTokenException
        Specified by:
        loadAuthentication in interface org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
        Throws:
        org.springframework.security.core.AuthenticationException
        org.springframework.security.oauth2.common.exceptions.InvalidTokenException
      • getClientId

        public String getClientId​(String tokenValue)
      • revokeToken

        public boolean revokeToken​(String tokenValue)
        Revoke a refresh token
        Specified by:
        revokeToken in interface org.springframework.security.oauth2.provider.token.ConsumerTokenServices
        Parameters:
        tokenValue - Refresh token
        Returns:
        true if token is invalidated, false if token is not found
      • getAccessToken

        public org.springframework.security.oauth2.common.OAuth2AccessToken getAccessToken​(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
        Specified by:
        getAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
      • readAccessToken

        public org.springframework.security.oauth2.common.OAuth2AccessToken readAccessToken​(String accessToken)
        Specified by:
        readAccessToken in interface org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
      • setTokenEnhancer

        public void setTokenEnhancer​(org.springframework.security.oauth2.provider.token.TokenEnhancer accessTokenEnhancer)
        An access token enhancer that will be applied to a new token before it is saved in the token store.
        Parameters:
        accessTokenEnhancer - the access token enhancer to set
      • setRefreshTokenValiditySeconds

        public void setRefreshTokenValiditySeconds​(int refreshTokenValiditySeconds)
        The validity (in seconds) of the refresh token. If less than or equal to zero then the tokens will be non-expiring.
        Parameters:
        refreshTokenValiditySeconds - The validity (in seconds) of the refresh token.
      • setAccessTokenValiditySeconds

        public void setAccessTokenValiditySeconds​(int accessTokenValiditySeconds)
        The default validity (in seconds) of the access token. Zero or negative for non-expiring tokens. If a client details service is set the validity period will be read from the client, defaulting to this value if not defined by the client.
        Parameters:
        accessTokenValiditySeconds - The validity (in seconds) of the access token.
      • setTokenStore

        public void setTokenStore​(RotatableTokenStore tokenStore)
        The persistence strategy for token storage.
        Parameters:
        tokenStore - the store for access and refresh tokens.
      • setAuthenticationManager

        public void setAuthenticationManager​(org.springframework.security.authentication.AuthenticationManager authenticationManager)
        An authentication manager that will be used (if provided) to check the user authentication when a token is refreshed.
        Parameters:
        authenticationManager - the authenticationManager to set
      • setClientDetailsService

        public void setClientDetailsService​(org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService)
        The client details service to use for looking up clients (if necessary). Optional if the access token expiry is set globally via setAccessTokenValiditySeconds(int).
        Parameters:
        clientDetailsService - the client details service
      • getAccessTokenValiditySeconds

        protected int getAccessTokenValiditySeconds​(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
        The access token validity period in seconds
        Parameters:
        clientAuth - the current authorization request
        Returns:
        the access token validity period in seconds
      • getRefreshTokenValiditySeconds

        protected int getRefreshTokenValiditySeconds​(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
        The refresh token validity period in seconds
        Parameters:
        clientAuth - the current authorization request
        Returns:
        the refresh token validity period in seconds
      • isSupportRefreshToken

        protected boolean isSupportRefreshToken​(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
        Whether a refresh token is supported for this client (or, if clientDetailsService is not set, the global setting).
        Parameters:
        clientAuth - the current authorization request
        Returns:
        boolean to indicate if refresh token is supported
      • rotate

        protected void rotate​(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
        Given a refresh token that is being used to request a new access token, perform rotation setup on it. This includes marking the token as rotated and setting the rotation expiration threshold in the datastore.
        Parameters:
        refreshToken - A Spring-specific representation of the refresh token
      • invalidateLine

        protected void invalidateLine​(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
        Delete a refresh token and any associated members in the line
        Parameters:
        refreshToken - A Spring-specific representation of the refresh token
      • isExpired

        protected boolean isExpired​(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
        Whether or not the refresh token is expired
        Parameters:
        refreshToken - A Spring-specific representation of the refresh token
        Returns:
        Whether or not the refresh token is expired