Class DefaultRotatingTokenServices

java.lang.Object
com.broadleafcommerce.auth.token.service.DefaultRotatingTokenServices
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices, org.springframework.security.oauth2.provider.token.ConsumerTokenServices, org.springframework.security.oauth2.provider.token.ResourceServerTokenServices

public class DefaultRotatingTokenServices extends Object implements org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices, org.springframework.security.oauth2.provider.token.ResourceServerTokenServices, org.springframework.security.oauth2.provider.token.ConsumerTokenServices, org.springframework.beans.factory.InitializingBean
Based on DefaultTokenServices. Honors refresh token rotation behavior.

Broadleaf primarily supports OAuth refresh tokens in the context of the auth code flow, and only through the use of rotation. This means that, when enabled, a new refresh token is returned with every acquisition of an access token from the auth server. Furthermore, each of these refresh tokens may be used only once, except within the boundary defined by RefreshToken.getRotationExpiration(): a refresh token that has already been rotated is still accepted until that rotation expiration is reached.

There are several requirements to use refresh token rotation:
  1. The JpaAuthorizedClient.getGrantTypes() list must include refresh_token when that client is targeted in an OAuth flow
  2. The property broadleaf.auth.token.support-refresh-token-rotation must be set to true in your application properties file
  3. The scopes requested during both the auth code and the token acquisition API calls must include the OFFLINE_ACCESS scope
The combination of these three factors allows for granular refresh token use cases, even within the context of a single OAuth client.
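The rotation rules described above (a new refresh token on every exchange, single use of each token, the rotation-expiration boundary as the one exception, and line-wide deletion via invalidateLine) as a stand-alone model. This is an added example, not code from Broadleaf or from DefaultRotatingTokenServices: the RotatingTokenModel class, its in-memory store, the fixed grace offset standing in for RefreshToken.getRotationExpiration(), and the reuse-detection policy (a rotated token presented again after its rotation expiration invalidates the whole line) are assumptions made for illustration, and the scenario data is constructed.

```python
"""Stand-alone model of refresh-token rotation with a rotation-expiration boundary.

Constructed example: not Broadleaf's DefaultRotatingTokenServices, only a model of
the rules described in the class documentation, driven by a deterministic clock.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


class InvalidGrant(Exception):
    """Stands in for Spring Security OAuth's InvalidGrantException."""


@dataclass
class RefreshToken:
    value: str
    line: str                      # family id shared by every rotation of one grant
    expiration: datetime           # hard validity (refreshTokenValiditySeconds)
    rotated: bool = False          # set once the token has been exchanged
    rotation_expiration: Optional[datetime] = None  # boundary after which reuse is a replay (assumed)


class RotatingTokenModel:
    """In-memory stand-in for a RotatableTokenStore plus the rotation logic (assumption)."""

    def __init__(self, refresh_validity: timedelta, rotation_grace: timedelta, now: datetime):
        self.refresh_validity = refresh_validity
        self.rotation_grace = rotation_grace   # assumed fixed offset for getRotationExpiration()
        self.now = now
        self.tokens: Dict[str, RefreshToken] = {}

    def advance(self, delta: timedelta) -> None:
        """Move the model clock forward (replaces wall-clock time for the demo)."""
        self.now += delta

    def issue(self, line: Optional[str] = None) -> RefreshToken:
        """Mint a refresh token; no line id means a fresh grant from the auth code flow."""
        token = RefreshToken(
            value=secrets.token_urlsafe(32),
            line=line or secrets.token_hex(8),
            expiration=self.now + self.refresh_validity,
        )
        self.tokens[token.value] = token
        return token

    def rotate(self, token: RefreshToken) -> None:
        """Mark the presented token as rotated and record its rotation expiration."""
        token.rotated = True
        token.rotation_expiration = self.now + self.rotation_grace

    def invalidate_line(self, line: str) -> int:
        """Delete the whole line (every rotation of one grant); returns the count removed."""
        doomed = [value for value, token in self.tokens.items() if token.line == line]
        for value in doomed:
            del self.tokens[value]
        return len(doomed)

    def refresh(self, presented: str) -> RefreshToken:
        """Exchange a refresh token; returns the successor refresh token in the same line."""
        token = self.tokens.get(presented)
        if token is None:
            raise InvalidGrant("unknown refresh token")
        if self.now >= token.expiration:
            del self.tokens[presented]
            raise InvalidGrant("refresh token expired")
        if token.rotated and self.now >= token.rotation_expiration:
            # A consumed token presented again after its boundary: treat it as a
            # replay and drop every token in the line, not just this one.
            self.invalidate_line(token.line)
            raise InvalidGrant("refresh token reuse detected; line invalidated")
        if not token.rotated:
            self.rotate(token)
        # Inside the boundary a rotated token is still honored (the documented
        # exception to single use); either way the caller gets a new successor.
        return self.issue(line=token.line)


def replay_scenario() -> Dict[str, object]:
    """Legitimate rotation, an in-window retry, then a post-window replay."""
    model = RotatingTokenModel(timedelta(days=30), timedelta(seconds=30),
                               datetime(2024, 1, 1, tzinfo=timezone.utc))
    first = model.issue()                       # returned with the auth code exchange
    second = model.refresh(first.value)         # normal rotation
    model.advance(timedelta(seconds=10))
    retry = model.refresh(first.value)          # client retried inside the window: honored
    model.advance(timedelta(seconds=30))        # 40 s after rotation, past the boundary
    try:
        model.refresh(first.value)              # replay of the consumed token
        replay_rejected = False
    except InvalidGrant:
        replay_rejected = True
    return {
        "same_line": first.line == second.line == retry.line,
        "successors_distinct": len({first.value, second.value, retry.value}) == 3,
        "replay_rejected": replay_rejected,
        "line_survivors": sum(1 for t in model.tokens.values() if t.line == first.line),
    }


def hard_expiry_scenario() -> bool:
    """A never-rotated token still dies at refreshTokenValiditySeconds."""
    model = RotatingTokenModel(timedelta(days=1), timedelta(seconds=5),
                               datetime(2024, 1, 1, tzinfo=timezone.utc))
    token = model.issue()
    model.advance(timedelta(days=1))
    try:
        model.refresh(token.value)
    except InvalidGrant:
        return token.value not in model.tokens
    return False
```

The branch that matters for security is the replay check: a consumed refresh token presented again after its rotation expiration is the signature of a leaked or replayed token, so the model drops every token in the line rather than only the presented one, which is the behaviour the existence of invalidateLine suggests but which this page does not spell out. The in-window retry exists so that a client whose first exchange timed out on the network can retry without losing its session.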
  • Constructor Summary

    Constructors
    Constructor
    Description
    DefaultRotatingTokenServices(TokenProperties properties)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    afterPropertiesSet()
    Initialize these token services.
    org.springframework.security.oauth2.common.OAuth2AccessToken
    createAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
     
    org.springframework.security.oauth2.common.OAuth2AccessToken
    getAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
     
    protected int
    getAccessTokenValiditySeconds(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
    The access token validity period in seconds
    String
    getClientId(String tokenValue)
     
    protected int
    getRefreshTokenValiditySeconds(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
    The refresh token validity period in seconds
    protected void
    invalidateLine(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
    Delete a refresh token and any associated members in the line
    protected boolean
    isExpired(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
    Whether or not the refresh token is expired
    protected boolean
    isSupportRefreshToken(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
    Is a refresh token supported for this client (or the global setting if clientDetailsService is not set).
    org.springframework.security.oauth2.provider.OAuth2Authentication
    loadAuthentication(String accessTokenValue)
     
    org.springframework.security.oauth2.common.OAuth2AccessToken
    readAccessToken(String accessToken)
     
    org.springframework.security.oauth2.common.OAuth2AccessToken
    refreshAccessToken(String refreshTokenValue, org.springframework.security.oauth2.provider.TokenRequest tokenRequest)
     
    boolean
    revokeToken(String tokenValue)
    Revoke a refresh token
    protected void
    rotate(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
    Given a refresh token that is being used to request a new access token, perform rotation setup on it.
    void
    setAccessTokenValiditySeconds(int accessTokenValiditySeconds)
    The default validity (in seconds) of the access token.
    void
    setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
    An authentication manager that will be used (if provided) to check the user authentication when a token is refreshed.
    void
    setClientDetailsService(org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService)
    The client details service to use for looking up clients (if necessary).
    void
    setRefreshTokenValiditySeconds(int refreshTokenValiditySeconds)
    The validity (in seconds) of the refresh token.
    void
    setTokenEnhancer(org.springframework.security.oauth2.provider.token.TokenEnhancer accessTokenEnhancer)
    An access token enhancer that will be applied to a new token before it is saved in the token store.
    void
    setTokenStore(RotatableTokenStore tokenStore)
    The persistence strategy for token storage.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • DefaultRotatingTokenServices

      public DefaultRotatingTokenServices(TokenProperties properties)
  • Method Details

    • afterPropertiesSet

      public void afterPropertiesSet() throws Exception
      Initialize these token services.
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
      Throws:
      Exception
    • createAccessToken

      @Transactional public org.springframework.security.oauth2.common.OAuth2AccessToken createAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication authentication) throws org.springframework.security.core.AuthenticationException
      Specified by:
      createAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
      Throws:
      org.springframework.security.core.AuthenticationException
    • refreshAccessToken

      @Transactional(noRollbackFor={org.springframework.security.oauth2.common.exceptions.InvalidTokenException.class,org.springframework.security.oauth2.common.exceptions.InvalidGrantException.class}) public org.springframework.security.oauth2.common.OAuth2AccessToken refreshAccessToken(String refreshTokenValue, org.springframework.security.oauth2.provider.TokenRequest tokenRequest) throws org.springframework.security.core.AuthenticationException
      Because the transaction is declared noRollbackFor InvalidTokenException and InvalidGrantException, datastore changes made before one of those exceptions is thrown are committed rather than rolled back; other runtime exceptions still roll the transaction back.
      Specified by:
      refreshAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
      Throws:
      org.springframework.security.core.AuthenticationException
    • loadAuthentication

      public org.springframework.security.oauth2.provider.OAuth2Authentication loadAuthentication(String accessTokenValue) throws org.springframework.security.core.AuthenticationException, org.springframework.security.oauth2.common.exceptions.InvalidTokenException
      Specified by:
      loadAuthentication in interface org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
      Throws:
      org.springframework.security.core.AuthenticationException
      org.springframework.security.oauth2.common.exceptions.InvalidTokenException
    • getClientId

      public String getClientId(String tokenValue)
    • revokeToken

      public boolean revokeToken(String tokenValue)
      Revoke a refresh token
      Specified by:
      revokeToken in interface org.springframework.security.oauth2.provider.token.ConsumerTokenServices
      Parameters:
      tokenValue - Refresh token
      Returns:
      true if token is invalidated, false if token is not found
    • getAccessToken

      public org.springframework.security.oauth2.common.OAuth2AccessToken getAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication authentication)
      Specified by:
      getAccessToken in interface org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
    • readAccessToken

      public org.springframework.security.oauth2.common.OAuth2AccessToken readAccessToken(String accessToken)
      Specified by:
      readAccessToken in interface org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
    • setTokenEnhancer

      public void setTokenEnhancer(org.springframework.security.oauth2.provider.token.TokenEnhancer accessTokenEnhancer)
      An access token enhancer that will be applied to a new token before it is saved in the token store.
      Parameters:
      accessTokenEnhancer - the access token enhancer to set
    • setRefreshTokenValiditySeconds

      public void setRefreshTokenValiditySeconds(int refreshTokenValiditySeconds)
      The validity (in seconds) of the refresh token. If less than or equal to zero then the tokens will be non-expiring.
      Parameters:
      refreshTokenValiditySeconds - The validity (in seconds) of the refresh token.
    • setAccessTokenValiditySeconds

      public void setAccessTokenValiditySeconds(int accessTokenValiditySeconds)
      The default validity (in seconds) of the access token. Zero or negative for non-expiring tokens. If a client details service is set the validity period will be read from the client, defaulting to this value if not defined by the client.
      Parameters:
      accessTokenValiditySeconds - The validity (in seconds) of the access token.
    • setTokenStore

      public void setTokenStore(RotatableTokenStore tokenStore)
      The persistence strategy for token storage.
      Parameters:
      tokenStore - the store for access and refresh tokens.
    • setAuthenticationManager

      public void setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
      An authentication manager that will be used (if provided) to check the user authentication when a token is refreshed.
      Parameters:
      authenticationManager - the authenticationManager to set
    • setClientDetailsService

      public void setClientDetailsService(org.springframework.security.oauth2.provider.ClientDetailsService clientDetailsService)
      The client details service to use for looking up clients (if necessary). Optional if the access token expiry is set globally via setAccessTokenValiditySeconds(int).
      Parameters:
      clientDetailsService - the client details service
    • getAccessTokenValiditySeconds

      protected int getAccessTokenValiditySeconds(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
      The access token validity period in seconds
      Parameters:
      clientAuth - the current authorization request
      Returns:
      the access token validity period in seconds
    • getRefreshTokenValiditySeconds

      protected int getRefreshTokenValiditySeconds(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
      The refresh token validity period in seconds
      Parameters:
      clientAuth - the current authorization request
      Returns:
      the refresh token validity period in seconds
    • isSupportRefreshToken

      protected boolean isSupportRefreshToken(org.springframework.security.oauth2.provider.OAuth2Request clientAuth)
      Is a refresh token supported for this client (or the global setting if clientDetailsService is not set).
      Parameters:
      clientAuth - the current authorization request
      Returns:
      boolean to indicate if refresh token is supported
    • rotate

      protected void rotate(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
      Given a refresh token that is being used to request a new access token, perform rotation setup on it. This includes marking the token as rotated and setting the rotation expiration threshold in the datastore.
      Parameters:
      refreshToken - A Spring-specific representation of the refresh token
    • invalidateLine

      protected void invalidateLine(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
      Delete a refresh token and any associated members in the line
      Parameters:
      refreshToken - A Spring-specific representation of the refresh token
    • isExpired

      protected boolean isExpired(org.springframework.security.oauth2.common.OAuth2RefreshToken refreshToken)
      Whether or not the refresh token is expired
      Parameters:
      refreshToken - A Spring-specific representation of the refresh token
      Returns:
      Whether or not the refresh token is expired