Class DefaultRotatingTokenServices
java.lang.Object
com.broadleafcommerce.auth.token.service.DefaultRotatingTokenServices
All Implemented Interfaces:
- org.springframework.beans.factory.InitializingBean
- org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
- org.springframework.security.oauth2.provider.token.ConsumerTokenServices
- org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
public class DefaultRotatingTokenServices
extends Object
implements org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices, org.springframework.security.oauth2.provider.token.ResourceServerTokenServices, org.springframework.security.oauth2.provider.token.ConsumerTokenServices, org.springframework.beans.factory.InitializingBean
Based on DefaultTokenServices. Honors refresh token rotation behavior.

Broadleaf primarily supports the notion of OAuth refresh tokens in the context of the auth code flow, and only through the use of rotation. This means that, when enabled, a new refresh token is returned with every acquisition of an access token from the auth server. Furthermore, each of these refresh tokens may be used only once, with the exception of the boundary defined in RefreshToken.getRotationExpiration().
There are several requirements to use refresh token rotation:
- The JpaAuthorizedClient.getGrantTypes() list must include refresh_token when that client is targeted in an OAuth flow
- The property broadleaf.auth.token.support-refresh-token-rotation must be set to true in your application property file
- The scopes requested during both auth code and token acquisition API calls must include the OFFLINE_ACCESS scope
Constructor Summary

Method Summary
Modifier and Type / Method / Description

void afterPropertiesSet()
    Initialize these token services.
org.springframework.security.oauth2.common.OAuth2AccessToken createAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
org.springframework.security.oauth2.common.OAuth2AccessToken getAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
protected int getAccessTokenValiditySeconds(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
    The access token validity period in seconds
getClientId(String tokenValue)
protected int getRefreshTokenValiditySeconds(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
    The refresh token validity period in seconds
protected void invalidateLine(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
    Delete a refresh token and any associated members in the line
protected boolean isExpired(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
    Whether or not the refresh token is expired
protected boolean isSupportRefreshToken(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
    Is a refresh token supported for this client (or the global setting if clientDetailsService is not set)
org.springframework.security.oauth2.provider.OAuth2Authentication loadAuthentication(String accessTokenValue)
org.springframework.security.oauth2.common.OAuth2AccessToken readAccessToken(String accessToken)
org.springframework.security.oauth2.common.OAuth2AccessToken refreshAccessToken(String refreshTokenValue, org.springframework.security.oauth2.provider.TokenRequest tokenRequest)
boolean revokeToken(String tokenValue)
    Revoke a refresh token
protected void rotate(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
    Given a refresh token that is being used to request a new access token, perform rotation setup on it.
void setAccessTokenValiditySeconds(int accessTokenValiditySeconds)
    The default validity (in seconds) of the access token.
void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
    An authentication manager that will be used (if provided) to check the user authentication when a token is refreshed.
void setClientDetailsService(org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService)
    The client details service to use for looking up clients (if necessary).
void setRefreshTokenValiditySeconds(int refreshTokenValiditySeconds)
    The validity (in seconds) of the refresh token.
void setTokenEnhancer(org.springframework.security.oauth2.provider.token.TokenEnhancer accessTokenEnhancer)
    An access token enhancer that will be applied to a new token before it is saved in the token store.
void setTokenStore(RotatableTokenStore tokenStore)
    The persistence strategy for token storage.
Constructor Details

DefaultRotatingTokenServices

Method Details
afterPropertiesSet
Initialize these token services.
Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws: Exception

createAccessToken
@Transactional
public org.springframework.security.oauth2.common.OAuth2AccessToken createAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication authentication) throws org.springframework.security.core.AuthenticationException
Specified by: createAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
Throws: org.springframework.security.core.AuthenticationException

refreshAccessToken
@Transactional(noRollbackFor={org.springframework.security.oauth2.common.exceptions.InvalidTokenException.class, org.springframework.security.oauth2.common.exceptions.InvalidGrantException.class})
public org.springframework.security.oauth2.common.OAuth2AccessToken refreshAccessToken(String refreshTokenValue, org.springframework.security.oauth2.provider.TokenRequest tokenRequest) throws org.springframework.security.core.AuthenticationException
Specified by: refreshAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
Throws: org.springframework.security.core.AuthenticationException

loadAuthentication
public org.springframework.security.oauth2.provider.OAuth2Authentication loadAuthentication(String accessTokenValue) throws org.springframework.security.core.AuthenticationException, org.springframework.security.oauth2.common.exceptions.InvalidTokenException
Specified by: loadAuthentication in interface org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
Throws: org.springframework.security.core.AuthenticationException, org.springframework.security.oauth2.common.exceptions.InvalidTokenException
getClientId

revokeToken
Revoke a refresh token
Specified by: revokeToken in interface org.springframework.security.oauth2.provider.token.ConsumerTokenServices
Parameters: tokenValue - Refresh token
Returns: true if token is invalidated, false if token is not found

getAccessToken
public org.springframework.security.oauth2.common.OAuth2AccessToken getAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
Specified by: getAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices

readAccessToken
public org.springframework.security.oauth2.common.OAuth2AccessToken readAccessToken(String accessToken)
Specified by: readAccessToken in interface org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
setTokenEnhancer
public void setTokenEnhancer(org.springframework.security.oauth2.provider.token.TokenEnhancer accessTokenEnhancer)
An access token enhancer that will be applied to a new token before it is saved in the token store.
Parameters: accessTokenEnhancer - the access token enhancer to set

setRefreshTokenValiditySeconds
public void setRefreshTokenValiditySeconds(int refreshTokenValiditySeconds)
The validity (in seconds) of the refresh token. If less than or equal to zero then the tokens will be non-expiring.
Parameters: refreshTokenValiditySeconds - The validity (in seconds) of the refresh token.

setAccessTokenValiditySeconds
public void setAccessTokenValiditySeconds(int accessTokenValiditySeconds)
The default validity (in seconds) of the access token. Zero or negative for non-expiring tokens. If a client details service is set, the validity period will be read from the client, defaulting to this value if not defined by the client.
Parameters: accessTokenValiditySeconds - The validity (in seconds) of the access token.

setTokenStore
The persistence strategy for token storage.
Parameters: tokenStore - the store for access and refresh tokens.

setAuthenticationManager
public void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
An authentication manager that will be used (if provided) to check the user authentication when a token is refreshed.
Parameters: authenticationManager - the authenticationManager to set

setClientDetailsService
public void setClientDetailsService(org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService)
The client details service to use for looking up clients (if necessary). Optional if the access token expiry is set globally via setAccessTokenValiditySeconds(int).
Parameters: clientDetailsService - the client details service
getAccessTokenValiditySeconds
protected int getAccessTokenValiditySeconds(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
The access token validity period in seconds
Parameters: clientAuth - the current authorization request
Returns: the access token validity period in seconds

getRefreshTokenValiditySeconds
protected int getRefreshTokenValiditySeconds(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
The refresh token validity period in seconds
Parameters: clientAuth - the current authorization request
Returns: the refresh token validity period in seconds

isSupportRefreshToken
protected boolean isSupportRefreshToken(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
Is a refresh token supported for this client (or the global setting if clientDetailsService is not set).
Parameters: clientAuth - the current authorization request
Returns: boolean to indicate if refresh token is supported

rotate
protected void rotate(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
Given a refresh token that is being used to request a new access token, perform rotation setup on it. This includes marking the token as rotated and setting the rotation expiration threshold in the datastore.
Parameters: refreshToken - A Spring-specific representation of the refresh token

invalidateLine
protected void invalidateLine(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
Delete a refresh token and any associated members in the line
Parameters: refreshToken - A Spring-specific representation of the refresh token

isExpired
protected boolean isExpired(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
Whether or not the refresh token is expired
Parameters: refreshToken - A Spring-specific representation of the refresh token
Returns: Whether or not the refresh token is expired
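As an added illustration (not code from the Broadleaf project), a toy in-memory model of the rotation semantics the class description and the rotate()/invalidateLine() details above describe: every use of a refresh token rotates it, a rotated token stays usable only until its rotation expiration, and presentation after that boundary is treated as reuse and deletes the whole line. The 30-second boundary, the line id, and the reuse-deletes-the-line policy are assumptions of the example; the page names invalidateLine() but does not state when the service calls it.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Toy in-memory model of refresh token rotation; illustrative only, not Broadleaf's RotatableTokenStore. */
public class RotationDemo {
    // Assumed width of the RefreshToken.getRotationExpiration() boundary (the page does not state a value).
    static final Duration ROTATION_GRACE = Duration.ofSeconds(30);
    /** A refresh token plus the "line" (family) it descends from. */
    static final class RefreshToken {
        final String value = UUID.randomUUID().toString();
        final String line;
        Instant rotationExpiration; // null until rotate() has been applied
        RefreshToken(String line) { this.line = line; }
    }
    private final Map<String, RefreshToken> store = new HashMap<>();
    /** Store a new refresh token in the given line; a fresh line id starts a new family (auth code exchange). */
    RefreshToken issue(String line) {
        RefreshToken t = new RefreshToken(line);
        store.put(t.value, t);
        return t;
    }
    /** Exchange a refresh token for a rotated one; throws on reuse past the rotation boundary. */
    RefreshToken refresh(String presented, Instant now) {
        RefreshToken t = store.get(presented);
        if (t == null) throw new IllegalArgumentException("invalid_grant: unknown refresh token");
        if (t.rotationExpiration != null && !now.isBefore(t.rotationExpiration)) {
            // Reuse after the boundary: treat the token as replayed and delete every member of its line.
            // The page's refreshAccessToken is @Transactional(noRollbackFor = InvalidGrantException, ...), so
            // a deletion made before the exception is committed; here the map write simply precedes the throw.
            invalidateLine(t.line);
            throw new IllegalStateException("invalid_grant: refresh token reuse detected, line invalidated");
        }
        if (t.rotationExpiration == null) t.rotationExpiration = now.plus(ROTATION_GRACE); // rotate(): mark + boundary
        return issue(t.line);
    }
    void invalidateLine(String line) { store.values().removeIf(t -> t.line.equals(line)); }
    public static void main(String[] args) {
        RotationDemo svc = new RotationDemo();
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        RefreshToken first = svc.issue("line-A");
        RefreshToken second = svc.refresh(first.value, t0.plusSeconds(1));  // normal rotation
        svc.refresh(first.value, t0.plusSeconds(10));                       // inside the boundary: still honored
        try { svc.refresh(first.value, t0.plusSeconds(120)); }             // past the boundary: reuse, line deleted
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
        try { svc.refresh(second.value, t0.plusSeconds(121)); }            // descendant is gone as well
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Run with `java RotationDemo.java` (Java 11 or later); the last two calls print the two invalid_grant messages, showing that a replay after the boundary takes down the descendant token as well as the replayed one.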