Package com.broadleafcommerce.auth.token

Class TokenProperties

java.lang.Object
com.broadleafcommerce.auth.token.TokenProperties
@ConfigurationProperties(prefix="broadleaf.auth.token") public class TokenProperties extends Object
Configuration properties for refresh token rotation handling

  • Field Details

    • REFRESH_TOKEN_TIMEOUT_SECONDS_DEFAULT

      public static final int REFRESH_TOKEN_TIMEOUT_SECONDS_DEFAULT
      See Also:

    • REFRESH_TOKEN_ROTATION_INTERVAL_SECONDS_DEFAULT

      public static final int REFRESH_TOKEN_ROTATION_INTERVAL_SECONDS_DEFAULT
      See Also:

    • TOKEN_TIMEOUT_SECONDS_DEFAULT

      public static final int TOKEN_TIMEOUT_SECONDS_DEFAULT
      See Also:

    • REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MAX_DEFAULT

      public static final int REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MAX_DEFAULT
      See Also:

    • REFRESH_TOKEN_CLEANUP_BATCH_SIZE_DEFAULT

      public static final int REFRESH_TOKEN_CLEANUP_BATCH_SIZE_DEFAULT
      See Also:

    • REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MIN_DEFAULT

      public static final int REFRESH_TOKEN_CLEANUP_INTERVAL_SECONDS_MIN_DEFAULT
      See Also:

  • Constructor Details

    • TokenProperties

      public TokenProperties()

  • Method Details

    • getRefreshTokenRotationInterval

      public Duration getRefreshTokenRotationInterval()
      Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated. This allows for a small window where inadvertent issues (like poor mobile network quality) can be overcome with a refresh retry without failing. Once the interval is exceeded after an initial rotation, any attempt to refresh for a new auth token will fail. This value should be kept as small as possible to avoid opening a larger window for replay attack.

      The default interval is 60 seconds.

    • isSupportRefreshTokenRotation

      public boolean isSupportRefreshTokenRotation()
      Whether or not refresh token rotation is supported. If true, a refresh token is included with the access token when an access token is requested (note, the AuthorizedClient#getGrantTypes() must also include "refresh_token" for a refresh token to actually be emitted with the access token as a pair). When the access token expires, the refresh token may be used to request a new access token. The new access token will include a new refresh token (i.e. refresh token rotation) that may be used in the future. The rotated access token should not be used again and will quickly become invalid after TokenProperties#getRefreshTokenRotationInterval().

      The default value is false.

    • isSupportRefreshTokenCleanup

      public boolean isSupportRefreshTokenCleanup()
      Whether or not the system should cleanup expired refresh tokens from the system. This is highly recommended. This property is only effective when TokenProperties#getSupportRefreshTokenRotation() is true.

      The default value is true.

    • getNamespace

      public String getNamespace()
      Namespace to use when getting the view for the camel cluster. Default is "lock".

    • isDeveloperMode

      @Deprecated public boolean isDeveloperMode()
      Deprecated.
      Appropriate state for development is now handled through the broadleaf.messaging.cluster-service-implementation-type property.
      Indicates the cluster service system is intended in this configuration to be used by developers, rather than a real deployment. This setting causes an additional random piece of information to be appended to TokenProperties#getNamespace() so that instances of the same service being run by multiple devs on the same subnet are not interpreted as being part of the same cluster. Otherwise, behavior could be unpredictable between machines and services might not start up locally for one or more devs. The default is true.

    • getMaxTokenCleanupInterval

      public Duration getMaxTokenCleanupInterval()
      The max amount of pause time between batch expired refresh token cleanup attempts. Default is 10 seconds.

    • getMinTokenCleanupInterval

      public Duration getMinTokenCleanupInterval()
      The min amount of pause time between batch expired refresh token cleanup attempts. Default is 3 seconds. This value always wins, and you can set this value equal to or greater than maxTokenCleanupInterval to achieve a constant, non-randomized value.

    • getCleanupBatchSize

      public int getCleanupBatchSize()
      The quantity of expired refresh tokens to delete at one time. Should be somewhat conservative to avoid overworking the database or causing the transaction log to spiral out of control. Default is 20000.

    • isExplodePermissions

      public boolean isExplodePermissions()
      If set to true, ALL_* permissions will be exploded into their CRUD equivalents in access tokens. For example, ALL_PRODUCT will be exploded into CREATE_PRODUCT, READ_PRODUCT, UPDATE_PRODUCT, and DELETE_PRODUCT. Default value is false.

    • setRefreshTokenRotationInterval

      public void setRefreshTokenRotationInterval(Duration refreshTokenRotationInterval)
      Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated. This allows for a small window where inadvertent issues (like poor mobile network quality) can be overcome with a refresh retry without failing. Once the interval is exceeded after an initial rotation, any attempt to refresh for a new auth token will fail. This value should be kept as small as possible to avoid opening a larger window for replay attack.

      The default interval is 60 seconds.

    • setSupportRefreshTokenRotation

      public void setSupportRefreshTokenRotation(boolean supportRefreshTokenRotation)
      Whether or not refresh token rotation is supported. If true, a refresh token is included with the access token when an access token is requested (note, the AuthorizedClient#getGrantTypes() must also include "refresh_token" for a refresh token to actually be emitted with the access token as a pair). When the access token expires, the refresh token may be used to request a new access token. The new access token will include a new refresh token (i.e. refresh token rotation) that may be used in the future. The rotated access token should not be used again and will quickly become invalid after TokenProperties#getRefreshTokenRotationInterval().

      The default value is false.

    • setSupportRefreshTokenCleanup

      public void setSupportRefreshTokenCleanup(boolean supportRefreshTokenCleanup)
      Whether or not the system should cleanup expired refresh tokens from the system. This is highly recommended. This property is only effective when TokenProperties#getSupportRefreshTokenRotation() is true.

      The default value is true.

    • setNamespace

      public void setNamespace(String namespace)
      Namespace to use when getting the view for the camel cluster. Default is "lock".

    • setDeveloperMode

      @Deprecated public void setDeveloperMode(boolean developerMode)
      Deprecated.
      Appropriate state for development is now handled through the broadleaf.messaging.cluster-service-implementation-type property.
      Indicates the cluster service system is intended in this configuration to be used by developers, rather than a real deployment. This setting causes an additional random piece of information to be appended to TokenProperties#getNamespace() so that instances of the same service being run by multiple devs on the same subnet are not interpreted as being part of the same cluster. Otherwise, behavior could be unpredictable between machines and services might not start up locally for one or more devs. The default is true.

    • setMaxTokenCleanupInterval

      public void setMaxTokenCleanupInterval(Duration maxTokenCleanupInterval)
      The max amount of pause time between batch expired refresh token cleanup attempts. Default is 10 seconds.

    • setMinTokenCleanupInterval

      public void setMinTokenCleanupInterval(Duration minTokenCleanupInterval)
      The min amount of pause time between batch expired refresh token cleanup attempts. Default is 3 seconds. This value always wins, and you can set this value equal to or greater than maxTokenCleanupInterval to achieve a constant, non-randomized value.

    • setCleanupBatchSize

      public void setCleanupBatchSize(int cleanupBatchSize)
      The quantity of expired refresh tokens to delete at one time. Should be somewhat conservative to avoid overworking the database or causing the transaction log to spiral out of control. Default is 20000.

    • setExplodePermissions

      public void setExplodePermissions(boolean explodePermissions)
      If set to true, ALL_* permissions will be exploded into their CRUD equivalents in access tokens. For example, ALL_PRODUCT will be exploded into CREATE_PRODUCT, READ_PRODUCT, UPDATE_PRODUCT, and DELETE_PRODUCT. Default value is false.

    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object

    • canEqual

      protected boolean canEqual(Object other)

    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object

    • toString

      public String toString()
      Overrides:
      toString in class Object