Package com.broadleafcommerce.auth.token
Class TokenProperties
java.lang.Object
com.broadleafcommerce.auth.token.TokenProperties
Configuration properties for refresh token rotation handling
-
Field Summary
Modifier and TypeFieldDescriptionstatic final int
static final int
static final int
static final int
static final int
static final int
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected boolean
boolean
int
The quantity of expired refresh tokens to delete at one time.The max amount of pause time between batch expired refresh token cleanup attempts.The min amount of pause time between batch expired refresh token cleanup attempts.Namespace to use when getting the view for the camel cluster.Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated.int
hashCode()
boolean
Deprecated.boolean
If set to true, ALL_* permissions will be exploded into their CRUD equivalents in access tokens.boolean
Whether or not the system should cleanup expired refresh tokens from the system.boolean
Whether or not refresh token rotation is supported.void
setCleanupBatchSize
(int cleanupBatchSize) The quantity of expired refresh tokens to delete at one time.void
setDeveloperMode
(boolean developerMode) Deprecated.Appropriate state for development is now handled through thebroadleaf.messaging.cluster-service-implementation-type
property.void
setExplodePermissions
(boolean explodePermissions) If set to true, ALL_* permissions will be exploded into their CRUD equivalents in access tokens.void
setMaxTokenCleanupInterval
(Duration maxTokenCleanupInterval) The max amount of pause time between batch expired refresh token cleanup attempts.void
setMinTokenCleanupInterval
(Duration minTokenCleanupInterval) The min amount of pause time between batch expired refresh token cleanup attempts.void
setNamespace
(String namespace) Namespace to use when getting the view for the camel cluster.void
setRefreshTokenRotationInterval
(Duration refreshTokenRotationInterval) Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated.void
setSupportRefreshTokenCleanup
(boolean supportRefreshTokenCleanup) Whether or not the system should cleanup expired refresh tokens from the system.void
setSupportRefreshTokenRotation
(boolean supportRefreshTokenRotation) Whether or not refresh token rotation is supported.toString()
-
Field Details
-
REFRESH_TOKEN_TIMEOUT_SECONDS_DEFAULT
public static final int REFRESH_TOKEN_TIMEOUT_SECONDS_DEFAULT- See Also:
-
REFRESH_TOKEN_ROTATION_INTERVAL_SECONDS_DEFAULT
public static final int REFRESH_TOKEN_ROTATION_INTERVAL_SECONDS_DEFAULT- See Also:
-
TOKEN_TIMEOUT_SECONDS_DEFAULT
public static final int TOKEN_TIMEOUT_SECONDS_DEFAULT- See Also:
-
REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MAX_DEFAULT
public static final int REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MAX_DEFAULT- See Also:
-
REFRESH_TOKEN_CLEANUP_BATCH_SIZE_DEFAULT
public static final int REFRESH_TOKEN_CLEANUP_BATCH_SIZE_DEFAULT- See Also:
-
REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MIN_DEFAULT
public static final int REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MIN_DEFAULT- See Also:
-
-
Constructor Details
-
TokenProperties
public TokenProperties()
-
-
Method Details
-
getRefreshTokenRotationInterval
Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated. This allows for a small window where inadvertent issues (like poor mobile network quality) can be overcome with a refresh retry without failing. Once the interval is exceeded after an initial rotation, any attempt to refresh for a new auth token will fail. This value should be kept as small as possible to avoid opening a larger window for replay attack. -
isSupportRefreshTokenRotation
public boolean isSupportRefreshTokenRotation()Whether or not refresh token rotation is supported. If true, a refresh token is included with the access token when an access token is requested (note, the AuthorizedClient#getGrantTypes() must also include "refresh_token" for a refresh token to actually be emitted with the access token as a pair). When the access token expires, the refresh token may be used to request a new access token. The new access token will include a new refresh token (i.e. refresh token rotation) that may be used in the future. The rotated access token should not be used again and will quickly become invalid after TokenProperties#getRefreshTokenRotationInterval(). -
isSupportRefreshTokenCleanup
public boolean isSupportRefreshTokenCleanup()Whether or not the system should cleanup expired refresh tokens from the system. This is highly recommended. This property is only effective when TokenProperties#getSupportRefreshTokenRotation() is true. -
getNamespace
Namespace to use when getting the view for the camel cluster. Default is "lock". -
isDeveloperMode
Deprecated.Appropriate state for development is now handled through thebroadleaf.messaging.cluster-service-implementation-type
property.Indicates the cluster service system is intended in this configuration to be used by developers, rather than a real deployment. This setting causes an additional random piece of information to be appended to TokenProperties#getNamespace() so that instances of the same service being run by multiple devs on the same subnet are not interpreted as being part of the same cluster. Otherwise, behavior could be unpredictable between machines and services might not start up locally for one or more devs. The default is true. -
getMaxTokenCleanupInterval
The max amount of pause time between batch expired refresh token cleanup attempts. Default is 10 seconds. -
getMinTokenCleanupInterval
The min amount of pause time between batch expired refresh token cleanup attempts. Default is 3 seconds. This value always wins, and you can set this value equal to or greater thanmaxTokenCleanupInterval
to achieve a constant, non-randomized value. -
getCleanupBatchSize
public int getCleanupBatchSize()The quantity of expired refresh tokens to delete at one time. Should be somewhat conservative to avoid overworking the database or causing the transaction log to spiral out of control. Default is 20000. -
isExplodePermissions
public boolean isExplodePermissions()If set to true, ALL_* permissions will be exploded into their CRUD equivalents in access tokens. For example, ALL_PRODUCT will be exploded into CREATE_PRODUCT, READ_PRODUCT, UPDATE_PRODUCT, and DELETE_PRODUCT. Default value is false. -
setRefreshTokenRotationInterval
Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated. This allows for a small window where inadvertent issues (like poor mobile network quality) can be overcome with a refresh retry without failing. Once the interval is exceeded after an initial rotation, any attempt to refresh for a new auth token will fail. This value should be kept as small as possible to avoid opening a larger window for replay attack. -
setSupportRefreshTokenRotation
public void setSupportRefreshTokenRotation(boolean supportRefreshTokenRotation) Whether or not refresh token rotation is supported. If true, a refresh token is included with the access token when an access token is requested (note, the AuthorizedClient#getGrantTypes() must also include "refresh_token" for a refresh token to actually be emitted with the access token as a pair). When the access token expires, the refresh token may be used to request a new access token. The new access token will include a new refresh token (i.e. refresh token rotation) that may be used in the future. The rotated access token should not be used again and will quickly become invalid after TokenProperties#getRefreshTokenRotationInterval(). -
setSupportRefreshTokenCleanup
public void setSupportRefreshTokenCleanup(boolean supportRefreshTokenCleanup) Whether or not the system should cleanup expired refresh tokens from the system. This is highly recommended. This property is only effective when TokenProperties#getSupportRefreshTokenRotation() is true. -
setNamespace
Namespace to use when getting the view for the camel cluster. Default is "lock". -
setDeveloperMode
Deprecated.Appropriate state for development is now handled through thebroadleaf.messaging.cluster-service-implementation-type
property.Indicates the cluster service system is intended in this configuration to be used by developers, rather than a real deployment. This setting causes an additional random piece of information to be appended to TokenProperties#getNamespace() so that instances of the same service being run by multiple devs on the same subnet are not interpreted as being part of the same cluster. Otherwise, behavior could be unpredictable between machines and services might not start up locally for one or more devs. The default is true. -
setMaxTokenCleanupInterval
The max amount of pause time between batch expired refresh token cleanup attempts. Default is 10 seconds. -
setMinTokenCleanupInterval
The min amount of pause time between batch expired refresh token cleanup attempts. Default is 3 seconds. This value always wins, and you can set this value equal to or greater thanmaxTokenCleanupInterval
to achieve a constant, non-randomized value. -
setCleanupBatchSize
public void setCleanupBatchSize(int cleanupBatchSize) The quantity of expired refresh tokens to delete at one time. Should be somewhat conservative to avoid overworking the database or causing the transaction log to spiral out of control. Default is 20000. -
setExplodePermissions
public void setExplodePermissions(boolean explodePermissions) If set to true, ALL_* permissions will be exploded into their CRUD equivalents in access tokens. For example, ALL_PRODUCT will be exploded into CREATE_PRODUCT, READ_PRODUCT, UPDATE_PRODUCT, and DELETE_PRODUCT. Default value is false. -
equals
-
canEqual
-
hashCode
public int hashCode() -
toString
-
broadleaf.messaging.cluster-service-implementation-type
property.