Class AuthorizedClient

- All Implemented Interfaces:
  - Serializable

A RegisteredClient which AuthenticationServices recognizes as registered with itself in its capacity as an authorization server. It is distinct from ClientRegistration, which is for scenarios where AuthenticationServices is acting as a client to other services.

AuthorizedClient entities are members of an AuthorizationServer.

- Author:
  - Nick Crum (ncrum)

Constructor Summary

- AuthorizedClient()
Method Summary

- protected org.springframework.security.oauth2.server.authorization.settings.ClientSettings buildClientSettings()
  Builds RegisteredClient.getClientSettings() matching this client.
- protected org.springframework.security.oauth2.server.authorization.settings.TokenSettings buildTokenSettings()
  Builds RegisteredClient.getTokenSettings() matching this client.
- protected boolean canEqual(Object)
- protected Set<org.springframework.security.oauth2.core.ClientAuthenticationMethod> clientAuthenticationMethodStringsToObjects(Set<String> clientAuthenticationMethods)
- boolean equals(Object)
- getApplicationId()
  Populated if this authorized client is used for authorizing customer users in a certain application.
- getAttributes()
  Additional attributes for this client, not needed by the vanilla OAuth protocol but possibly useful, for example, for storing descriptive information.
- getAuthCodeTimeoutSeconds()
  The period of time, in seconds, for which an issued auth code is valid.
- getClientAuthenticationMethods()
  The authentication method(s) that the client may use.
- getClientId()
  The OAuth2 client ID for this authorized client.
- getClientIdIssuedAt()
  Indicates the time at which the getClientId() was issued.
- getClientSecret()
  The encrypted OAuth2 client secret for this authorized client.
- getClientSecretExpiresAt()
  Indicates the time at which getClientSecret() expires.
- getDefaultRedirectUri()
  The default redirect URI to use if a user accesses an authentication operation without a valid requested redirect location.
- getFriendlyName()
  The friendly name of this authorized client.
- getGrantTypes()
  The grant types for which this client is authorized.
- getId()
  The primary key of this authorized client.
- getPermissions()
  Returns the Broadleaf permissions that are assigned as authorities to this client in an OAuth2 flow.
- getPostAuthenticationSuccessRedirectUris()
  A whitelist of redirect URIs that the caller can request redirect to after successful authentication related operations.
- getPostLogoutRedirectUris()
  The post logout redirect URI(s) that the client may use for logout.
- getProofKeyRequired()
  Whether the client is explicitly opted in to PKCE for auth code flows.
- getRedirectUris()
  The pre-defined redirect URIs for this client to use during the "authorization_code" access grant.
- getRefreshTokenTimeoutSeconds()
  The period of time, in seconds, for which an issued refresh token is valid.
- getResetPasswordBaseUri()
  The base URI for the reset password form.
- getResourceIds()
  Values contributed to the AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM set on access tokens issued for this client.
- getScopes()
  The scopes for this client.
- getServerId()
  The ID of the authorization server this authorized client is part of.
- getTokenTimeoutSeconds()
  The period of time, in seconds, for which an issued access token is valid.
- protected Set<org.springframework.security.oauth2.core.AuthorizationGrantType> grantTypeStringsToObjects(Set<String> grantTypes)
- int hashCode()
- boolean isAdmin()
  Whether or not this authorized client is used for authorizing admin users.
- boolean isAuthoritativeResourceIds()
  When true, getResourceIds() are considered authoritative.
- boolean isProofKeyRequired()
  Determines a value for ClientSettings.isRequireProofKey().
- boolean isRelaxRedirectUrisValidation()
  If true, getRedirectUris() will be dynamically modified/expanded at runtime (persisted state does not change) to effectively relax certain validations.
- boolean isRequireAuthorizationConsent()
  Set to true if authorization consent is required when the client requests access.
- boolean isUseRedirectUriToGenerateConsumeTokenUrl()
  Controls whether auth uses the ImpersonationRequest.getRedirect_uri() when building the consume-token redirect URL after a successful impersonation request.
- void setAdmin(boolean isAdmin)
  Whether or not this authorized client is used for authorizing admin users.
- void setApplicationId(String applicationId)
  Populated if this authorized client is used for authorizing customer users in a certain application.
- void setAttributes(Map<String, Object> attributes)
  Additional attributes for this client, not needed by the vanilla OAuth protocol but possibly useful, for example, for storing descriptive information.
- void setAuthCodeTimeoutSeconds(Integer authCodeTimeoutSeconds)
  The period of time, in seconds, for which an issued auth code is valid.
- void setAuthoritativeResourceIds(boolean authoritativeResourceIds)
  When true, getResourceIds() are considered authoritative.
- void setClientAuthenticationMethods(Set<String> clientAuthenticationMethods)
  The authentication method(s) that the client may use.
- void setClientId(String clientId)
  The OAuth2 client ID for this authorized client.
- void setClientIdIssuedAt(Instant clientIdIssuedAt)
  Indicates the time at which the getClientId() was issued.
- void setClientSecret(String clientSecret)
  The encrypted OAuth2 client secret for this authorized client.
- void setClientSecretExpiresAt(Instant clientSecretExpiresAt)
  Indicates the time at which getClientSecret() expires.
- void setDefaultRedirectUri(String defaultRedirectUri)
  The default redirect URI to use if a user accesses an authentication operation without a valid requested redirect location.
- void setFriendlyName(String friendlyName)
  The friendly name of this authorized client.
- void setGrantTypes(Set<String> grantTypes)
  The grant types for which this client is authorized.
- void setId(id)
  The primary key of this authorized client.
- void setPermissions(Set<String> permissions)
  The Broadleaf permissions that are assigned as authorities to this client in an OAuth2 flow.
- void setPostAuthenticationSuccessRedirectUris(Set<String> postAuthenticationSuccessRedirectUris)
  A whitelist of redirect URIs that the caller can request redirect to after successful authentication related operations.
- void setPostLogoutRedirectUris(Set<String> postLogoutRedirectUris)
  The post logout redirect URI(s) that the client may use for logout.
- void setProofKeyRequired(Boolean proofKeyRequired)
  Whether the client is explicitly opted in to PKCE for auth code flows.
- void setRedirectUris(Set<String> redirectUris)
  The pre-defined redirect URIs for this client to use during the "authorization_code" access grant.
- void setRefreshTokenTimeoutSeconds(Integer refreshTokenTimeoutSeconds)
  The period of time, in seconds, for which an issued refresh token is valid.
- void setRelaxRedirectUrisValidation(boolean relaxRedirectUrisValidation)
  If true, getRedirectUris() will be dynamically modified/expanded at runtime (persisted state does not change) to effectively relax certain validations.
- void setRequireAuthorizationConsent(boolean requireAuthorizationConsent)
  Set to true if authorization consent is required when the client requests access.
- void setResetPasswordBaseUri(String resetPasswordBaseUri)
  The base URI for the reset password form.
- void setResourceIds(Set<String> resourceIds)
  Values contributed to the AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM set on access tokens issued for this client.
- void setScopes(scopes)
  The scopes for this client.
- void setServerId(String serverId)
  The ID of the authorization server this authorized client is part of.
- void setTokenTimeoutSeconds(Integer tokenTimeoutSeconds)
  The period of time, in seconds, for which an issued access token is valid.
- void setUseRedirectUriToGenerateConsumeTokenUrl(boolean useRedirectUriToGenerateConsumeTokenUrl)
  Controls whether auth uses the ImpersonationRequest.getRedirect_uri() when building the consume-token redirect URL after a successful impersonation request.
- org.springframework.security.oauth2.server.authorization.client.RegisteredClient toRegisteredClient()
  Converts this AuthorizedClient into a RegisteredClient.
- toString()
Constructor Details

AuthorizedClient

public AuthorizedClient()
Method Details

toRegisteredClient

public org.springframework.security.oauth2.server.authorization.client.RegisteredClient toRegisteredClient()

Converts this AuthorizedClient into a RegisteredClient. In most cases, consumers should rely on AuthorizedClientService.preProcessAndConvertToRegisteredClient(AuthorizedClient) instead of calling this method directly.

- Returns:
  - this AuthorizedClient converted into a RegisteredClient representation
- See Also:
  - grantTypeStringsToObjects
  - clientAuthenticationMethodStringsToObjects

buildClientSettings

protected org.springframework.security.oauth2.server.authorization.settings.ClientSettings buildClientSettings()

Builds RegisteredClient.getClientSettings() matching this client. The final instance combines separate first-class fields that can be managed via REST API calls (such as isRequireAuthorizationConsent()) on AuthorizedClient with system-computed values (such as isProofKeyRequired()).

- Returns:
  - a client settings instance

isProofKeyRequired

public boolean isProofKeyRequired()

Determines a value for ClientSettings.isRequireProofKey(). In the interest of higher security defaults, Broadleaf requires Proof Key for Code Exchange (PKCE) by default for every client that may engage in AuthorizationGrantType.AUTHORIZATION_CODE flows, regardless of whether the client is public or confidential.

Opting a client out (see setProofKeyRequired(Boolean)) should be reserved for confidential clients that genuinely cannot send a code_verifier. A public client (ClientAuthenticationMethod.NONE) has no other defence against an intercepted authorization code being redeemed by someone else.

- Returns:
  - a value for ClientSettings.isRequireProofKey()

buildTokenSettings

protected org.springframework.security.oauth2.server.authorization.settings.TokenSettings buildTokenSettings()

Builds RegisteredClient.getTokenSettings() matching this client. The final instance combines separate first-class fields that can be managed via REST API calls (such as getTokenTimeoutSeconds()) on AuthorizedClient with system-computed values.

- Returns:
  - a token settings instance
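The following is an added example, not code from Broadleaf or from this page, showing how the conversion described for toRegisteredClient(), buildClientSettings() and isProofKeyRequired() is driven from the setters documented below: one public browser client and one confidential service client are configured, converted, and the resulting Spring Authorization Server settings are checked. Assumptions: the package of AuthorizedClient (not shown on this page) and the sample identifiers, URIs and secret placeholder are constructed for the example; the check helper is not part of the project.

```java
import java.util.Set;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

// The package of AuthorizedClient is not shown on this page; this import is an assumption.
import com.broadleafcommerce.auth.client.domain.AuthorizedClient;

public final class AuthorizedClientConversionExample {

    /** A public browser client: no secret, PKCE, exact redirect matching, first-party (no consent). */
    static AuthorizedClient storefrontSpa() {
        AuthorizedClient c = new AuthorizedClient();
        c.setId("storefront-client");                 // sample primary key; RegisteredClient needs a non-empty id
        c.setServerId("default");                     // sample authorization server id
        c.setClientId("storefront");
        c.setFriendlyName("Storefront SPA");
        c.setClientAuthenticationMethods(Set.of(ClientAuthenticationMethod.NONE.getValue())); // "none"
        c.setGrantTypes(Set.of(AuthorizationGrantType.AUTHORIZATION_CODE.getValue(),
                               AuthorizationGrantType.REFRESH_TOKEN.getValue()));
        // Absolute URIs only: toRegisteredClient() is called directly here, and relative redirect
        // URIs are resolved only by AuthorizedClientService via TenantUrlResolver.
        c.setRedirectUris(Set.of("https://store.mycompany.com/auth/callback"));
        c.setRelaxRedirectUrisValidation(false);      // verbatim comparison of redirect URIs
        c.setPostAuthenticationSuccessRedirectUris(Set.of("/", "/account")); // non-OAuth post-login targets
        c.setDefaultRedirectUri("https://store.mycompany.com/");
        c.setScopes(Set.of("openid", "CUSTOMER"));
        c.setTokenTimeoutSeconds(900);
        c.setRefreshTokenTimeoutSeconds(86_400);
        c.setAuthCodeTimeoutSeconds(120);
        c.setRequireAuthorizationConsent(false);      // first-party client: no consent screen
        // setProofKeyRequired() deliberately not called: unset means PKCE is required.
        return c;
    }

    /** A confidential service client: client_credentials, client-level permissions, narrow audience. */
    static AuthorizedClient inventorySyncService() {
        AuthorizedClient c = new AuthorizedClient();
        c.setId("inventory-sync-client");
        c.setServerId("default");
        c.setClientId("inventory-sync");
        c.setFriendlyName("Inventory sync job");
        // The page says the secret is stored encrypted but does not document the scheme; this
        // placeholder stands in for a value already encrypted the way the deployment expects.
        c.setClientSecret("<already-encrypted-secret>");
        c.setClientAuthenticationMethods(Set.of(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()));
        c.setGrantTypes(Set.of(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue()));
        c.setScopes(Set.of("INVENTORY"));
        c.setPermissions(Set.of("READ_INVENTORY", "UPDATE_INVENTORY")); // authorities in client-only flows
        c.setResourceIds(Set.of("inventory"));
        c.setAuthoritativeResourceIds(true);          // aud = {"inventory"}, nothing inherited
        c.setTokenTimeoutSeconds(300);
        return c;
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("expected: " + what);
    }

    public static void main(String[] args) {
        RegisteredClient spa = storefrontSpa().toRegisteredClient();
        ClientSettings spaSettings = spa.getClientSettings();
        check(spaSettings.isRequireProofKey(), "PKCE required for an auth-code client with proofKeyRequired unset");
        check(!spaSettings.isRequireAuthorizationConsent(), "no consent prompt for the first-party client");
        check(spa.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE), "public client");
        check(spa.getRedirectUris().equals(Set.of("https://store.mycompany.com/auth/callback")),
              "absolute redirect URIs carried over unchanged");
        TokenSettings spaTokens = spa.getTokenSettings();
        System.out.println("SPA access / refresh / code TTL: " + spaTokens.getAccessTokenTimeToLive()
                + " / " + spaTokens.getRefreshTokenTimeToLive()
                + " / " + spaTokens.getAuthorizationCodeTimeToLive());

        RegisteredClient svc = inventorySyncService().toRegisteredClient();
        check(svc.getAuthorizationGrantTypes().equals(Set.of(AuthorizationGrantType.CLIENT_CREDENTIALS)),
              "service client limited to client_credentials");
        check(svc.getScopes().equals(Set.of("INVENTORY")), "scope ceiling carried over");
        check(svc.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.CLIENT_SECRET_BASIC),
              "confidential client authenticates with its secret");
    }
}
```

The token TTLs are printed rather than asserted because the page says buildTokenSettings() also folds in system-computed values; what to expect for each field beyond the three timeouts is not specified here.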
getId

The primary key of this authorized client.

- Returns:
  - the primary key

getServerId

The ID of the authorization server this authorized client is part of.

- Returns:
  - the authorization server ID

getFriendlyName

The friendly name of this authorized client. Intended for display purposes.

- Returns:
  - the friendly name

getClientId

The OAuth2 client ID for this authorized client. Usually generated as a randomized string.

- Returns:
  - the client ID

getClientIdIssuedAt

Indicates the time at which the getClientId() was issued. This is a completely optional field and is not set by Broadleaf by default.

- Returns:
  - the time at which the client identifier was issued
- See Also:
  - RegisteredClient.getClientIdIssuedAt()

getClientSecret

The encrypted OAuth2 client secret for this authorized client. Not serialized as part of the response object.

- Returns:
  - the encrypted client secret

getClientSecretExpiresAt

Indicates the time at which getClientSecret() expires. If not set, the client secret does not expire. Broadleaf does not set this value by default.

- Returns:
  - the time at which getClientSecret() expires
- See Also:
  - RegisteredClient.getClientSecretExpiresAt()

getTokenTimeoutSeconds

The period of time, in seconds, for which an issued access token is valid.

- Returns:
  - the timeout in seconds

getRefreshTokenTimeoutSeconds

The period of time, in seconds, for which an issued refresh token is valid. Because refresh tokens are rotated, a refresh token that is used within this timeframe is invalidated by that use and replaced with a new one; a refresh token should generally be treated as single-use.

- Returns:
  - the timeout in seconds

getAuthCodeTimeoutSeconds

The period of time, in seconds, for which an issued auth code is valid.

- Returns:
  - the timeout in seconds

getResourceIds

These are values contributed to the AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM set on access tokens issued for this client.

- Returns:
  - the values to contribute to AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM on tokens issued for this client

isAuthoritativeResourceIds

public boolean isAuthoritativeResourceIds()

When true, getResourceIds() are considered authoritative. In other words, the tokens issued for this client will only contain audience values from getResourceIds() and no other values. This can be useful in scenarios where a client needs highly specific resource restrictions.

When false, getResourceIds() are considered additive on top of defaults inherited from other places such as AuthorizationServerProperties.OAuth2.getAdditionalAudiences(). In other words, the tokens issued for this client will contain audience values from both getResourceIds() and any other inherited value.

- Returns:
  - true if getResourceIds() should be considered authoritative, false if getResourceIds() should be considered additive
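The two audience modes just described, as an added example that illustrates the documented rule and is not Broadleaf's own implementation. The inherited audience set stands in for AuthorizationServerProperties.OAuth2.getAdditionalAudiences() and is constructed for the example; the resource-server check at the end is the other half of the contract, since an audience restriction only means something if each resource server refuses tokens that do not name it.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public final class AudienceClaimExample {

    /** Stand-in for the audiences inherited from server-wide configuration (constructed sample). */
    static final Set<String> INHERITED = Set.of("catalog", "cart", "order");

    /**
     * Values for the "aud" claim of a token issued to a client.
     * authoritative == true : exactly the client's resourceIds, nothing inherited.
     * authoritative == false: the client's resourceIds plus every inherited default.
     */
    static Set<String> effectiveAudience(Set<String> resourceIds, boolean authoritative, Set<String> inherited) {
        Set<String> aud = new LinkedHashSet<>(resourceIds);
        if (!authoritative) {
            aud.addAll(inherited);
        }
        return Set.copyOf(aud);
    }

    /**
     * Resource-server side: a token is usable here only if this service's own resource id is
     * present in its "aud" claim. A missing or empty audience is rejected, never waved through.
     */
    static boolean acceptsForResource(String resourceId, List<String> tokenAudience) {
        return tokenAudience != null && tokenAudience.contains(resourceId);
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("expected: " + what);
    }

    public static void main(String[] args) {
        Set<String> restricted = effectiveAudience(Set.of("inventory"), true, INHERITED);
        Set<String> broad = effectiveAudience(Set.of("inventory"), false, INHERITED);

        check(restricted.equals(Set.of("inventory")), "authoritative: inherited audiences dropped");
        check(broad.equals(Set.of("inventory", "catalog", "cart", "order")), "additive: union with inherited");

        // The restricted token is accepted by the inventory service and nowhere else.
        check(acceptsForResource("inventory", List.copyOf(restricted)), "inventory accepts restricted token");
        check(!acceptsForResource("order", List.copyOf(restricted)), "order rejects restricted token");
        check(acceptsForResource("order", List.copyOf(broad)), "order accepts additive token");

        // Edge case: authoritative with no resourceIds yields an empty aud, a token that no
        // audience-checking resource server will accept. Treat that combination as a misconfiguration.
        check(effectiveAudience(Set.of(), true, INHERITED).isEmpty(), "authoritative + empty resourceIds = empty aud");
        check(!acceptsForResource("order", List.of()), "empty audience rejected");
    }
}
```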
getClientAuthenticationMethods

The authentication method(s) that the client may use. Each value should simply be a ClientAuthenticationMethod.getValue() string (for example "client_secret_basic"). Use ClientAuthenticationMethod.NONE ("none") for public clients.

This particularly affects how a client provides its credentials to the '/token' endpoint.

- Returns:
  - the authentication methods that the client may use
- See Also:
  - RegisteredClient.getClientAuthenticationMethods()

isRequireAuthorizationConsent

public boolean isRequireAuthorizationConsent()

Set to true if authorization consent is required when the client requests access. This applies to all interactive flows (ex: authorization_code).

This should typically be set to false for 'first-party' clients (such as the Broadleaf admin application); this ensures the user is not shown a consent form whenever scopes are requested.

NOTE: at this time, Broadleaf does not have OOB support for consent flows, so only set this to true if there is a valid available implementation of OAuth2AuthorizationConsentService that can persist, load and validate OAuth2AuthorizationConsent.

- See Also:
  - ClientSettings.isRequireAuthorizationConsent()

getGrantTypes

The grant types for which this client is authorized.

- Returns:
  - The grant types for which this client is authorized.

getRedirectUris

The pre-defined redirect URIs for this client to use during the "authorization_code" access grant. See the OAuth 2.0 spec (RFC 6749), section 4.1.1.

Any of these values may be relative, and if so, the AuthorizedClientService will use the TenantUrlResolver to determine the base URL to resolve them against so that ultimately they are absolute. If resolution to an absolute URL fails for whatever reason, the relative URL is omitted from the final RegisteredClient.getRedirectUris().

These are exclusively intended for OAuth redirect validation, not for validation of arbitrary redirects from other authentication operations such as login. See getPostAuthenticationSuccessRedirectUris() for more information.

- Returns:
  - The pre-defined redirect URIs for this client.

isRelaxRedirectUrisValidation

public boolean isRelaxRedirectUrisValidation()

If true, getRedirectUris() will be dynamically modified/expanded at runtime (persisted state does not change) to effectively relax certain validations. If false, getRedirectUris() will be used as-is, resulting in strict comparison semantics.

In most cases, setting this value to true is reasonable and can avoid requests being rejected for frivolous reasons such as trailing slash mismatches. However, in scenarios where getRedirectUris() must be interpreted verbatim as defined, setting it to false ensures exact match semantics apply and no variations are allowed. Exact string matching of redirect URIs is what the OAuth 2.0 Security Best Current Practice recommends, so prefer false for any client whose redirect URIs can be registered exactly.

- Returns:
  - whether to relax validation on getRedirectUris()

getPostAuthenticationSuccessRedirectUris

A whitelist of redirect URIs that the caller can request redirect to after successful authentication related operations. This can contain relative and absolute values.

If none are configured or none match the request, getDefaultRedirectUri() should be used.

Critically, this is distinct from getRedirectUris() and is not intended for use in OAuth validation.

- Returns:
  - a whitelist of redirect URIs that callers can request redirect to after successful authentication operations

getPostLogoutRedirectUris

The post logout redirect URI(s) that the client may use for logout.

This is only applicable when using the OpenID Connect RP-Initiated Logout 1.0 flow.

- Returns:
  - the post-logout redirect URIs that the client may use for logout
- See Also:
  - RegisteredClient.getPostLogoutRedirectUris()
  - OidcLogoutAuthenticationProvider

getScopes

The scopes for this client. Empty if the client isn't scoped.

The scopes represent the "upper bound" of what scopes a client is allowed to request. They will also be used as default scopes if no scopes are requested.

When this client is expected to be the final principal (ex: client credentials flow), these values represent all scopes that can be requested. Typically, the client credentials token request does not include any scopes, and all of these scopes are granted.

For flows where a user is the final principal (ex: authorization code flow), these values represent the upper bound of what can be granted. Token requests typically include a scope that must be declared in this field.

- Returns:
  - The scopes of this client.
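The scope rules stated for getScopes(), as an added example rather than Broadleaf's or Spring Authorization Server's own code: the client's registered scopes act as the ceiling, an empty request defaults to all of them, and a request naming any scope outside the ceiling is refused as a whole (the OAuth 2.0 invalid_scope condition) instead of being silently narrowed. The client scope sets used are constructed for the example.

```java
import java.util.LinkedHashSet;
import java.util.Set;

public final class ScopeCeilingExample {

    /** Raised for the OAuth 2.0 "invalid_scope" error condition. */
    static final class InvalidScopeException extends RuntimeException {
        InvalidScopeException(Set<String> excess) {
            super("invalid_scope: not registered for this client: " + excess);
        }
    }

    /**
     * Scopes to grant for a token request, with the client's getScopes() as the ceiling.
     *  - Nothing requested: grant every registered scope (the documented default, and the usual
     *    client_credentials case).
     *  - Scopes requested: every one must be registered; otherwise reject the whole request rather
     *    than quietly trimming it, so a mis-scoped client is noticed instead of limping along.
     * An unscoped client (empty getScopes()) can therefore only obtain tokens carrying no scopes.
     */
    static Set<String> grantedScopes(Set<String> clientScopes, Set<String> requestedScopes) {
        if (requestedScopes == null || requestedScopes.isEmpty()) {
            return Set.copyOf(clientScopes);
        }
        Set<String> excess = new LinkedHashSet<>(requestedScopes);
        excess.removeAll(clientScopes);
        if (!excess.isEmpty()) {
            throw new InvalidScopeException(excess);
        }
        return Set.copyOf(requestedScopes);
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("expected: " + what);
    }

    public static void main(String[] args) {
        Set<String> serviceClient = Set.of("INVENTORY", "PRICING");   // constructed sample
        Set<String> storefront = Set.of("openid", "CUSTOMER");        // constructed sample

        // client_credentials with no scope parameter: everything the client is registered for.
        check(grantedScopes(serviceClient, Set.of()).equals(serviceClient), "defaults to all registered scopes");

        // authorization_code asking for a subset: exactly what was asked for.
        check(grantedScopes(storefront, Set.of("openid")).equals(Set.of("openid")), "subset granted as requested");

        // A user-facing client asking for a privileged scope it was never registered for is refused outright.
        boolean rejected = false;
        try {
            grantedScopes(storefront, Set.of("openid", "ADMIN"));
        } catch (InvalidScopeException e) {
            rejected = true;
        }
        check(rejected, "scope outside the ceiling rejects the whole request");

        // Unscoped client: only the empty request succeeds, and it yields no scopes.
        check(grantedScopes(Set.of(), Set.of()).isEmpty(), "unscoped client gets no scopes");
    }
}
```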
getPermissions

Returns the Broadleaf permissions that are assigned as authorities to this client in an OAuth2 flow. These apply to client-only flows (ex: AuthorizationGrantType.CLIENT_CREDENTIALS). They do not apply to user flows.

- Returns:
  - the permissions this client is assigned (never null)

getApplicationId

Populated if this authorized client is used for authorizing customer users in a certain application. This is generally used in discovering the authorized client or authorization server for customer users.

- Returns:
  - the application ID this client is used in, or null if not used for customers

getAttributes

Additional attributes for this client, not needed by the vanilla OAuth protocol but possibly useful, for example, for storing descriptive information.

- Returns:
  - a map of additional attributes

getDefaultRedirectUri

The default redirect URI to use if a user accesses an authentication operation without a valid requested redirect location.

In many cases, this is effectively the default value to use if a match is not found in getPostAuthenticationSuccessRedirectUris() or if no value was explicitly requested.

This is distinct from getRedirectUris() and is not intended for use with OAuth-specific validations.

- Returns:
  - a string representing the default fallback URI
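An added example, not Broadleaf's implementation, covering the two redirect-target checks this page keeps apart: OAuth redirect_uri matching against getRedirectUris() in strict and relaxed mode (isRelaxRedirectUrisValidation()), and the non-OAuth post-login redirect that consults getPostAuthenticationSuccessRedirectUris() and falls back to getDefaultRedirectUri(). The page names only trailing-slash mismatches as what relaxed mode tolerates, so that is the only normalisation applied here; which expansions Broadleaf performs at runtime is not specified on this page. The registered URIs and requested values are constructed for the example.

```java
import java.util.Set;

public final class RedirectTargetExample {

    /** relaxRedirectUrisValidation = false: the requested value must equal a registered one verbatim. */
    static boolean matchesOAuthRedirectStrict(Set<String> registeredRedirectUris, String requested) {
        return requested != null && registeredRedirectUris.contains(requested);
    }

    /**
     * relaxRedirectUrisValidation = true, illustrated with the one variation the page mentions:
     * a trailing slash. Scheme, host, port, path and query must still match exactly, and prefix
     * or wildcard comparison is never used; that is how open redirects and authorization-code
     * theft happen.
     */
    static boolean matchesOAuthRedirectRelaxed(Set<String> registeredRedirectUris, String requested) {
        if (requested == null) return false;
        String want = withoutTrailingSlash(requested);
        return registeredRedirectUris.stream()
                .map(RedirectTargetExample::withoutTrailingSlash)
                .anyMatch(want::equals);
    }

    static String withoutTrailingSlash(String uri) {
        return uri.length() > 1 && uri.endsWith("/") ? uri.substring(0, uri.length() - 1) : uri;
    }

    /**
     * Non-OAuth post-login redirect: honour the requested target only if it is in the whitelist,
     * otherwise fall back to the default. Relative and absolute entries are both compared as
     * whole strings, so a protocol-relative or lookalike value never matches.
     */
    static String postAuthenticationRedirect(Set<String> whitelist, String requested, String defaultRedirectUri) {
        if (requested != null && whitelist.contains(requested)) {
            return requested;
        }
        return defaultRedirectUri;
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("expected: " + what);
    }

    public static void main(String[] args) {
        Set<String> oauthRedirects = Set.of("https://store.mycompany.com/auth/callback");
        check(matchesOAuthRedirectStrict(oauthRedirects, "https://store.mycompany.com/auth/callback"), "exact match");
        check(!matchesOAuthRedirectStrict(oauthRedirects, "https://store.mycompany.com/auth/callback/"), "strict rejects trailing slash");
        check(matchesOAuthRedirectRelaxed(oauthRedirects, "https://store.mycompany.com/auth/callback/"), "relaxed tolerates trailing slash");

        // Neither mode tolerates a lookalike host, an appended path, or a scheme downgrade.
        check(!matchesOAuthRedirectRelaxed(oauthRedirects, "https://store.mycompany.com.evil.example/auth/callback"), "lookalike host");
        check(!matchesOAuthRedirectRelaxed(oauthRedirects, "https://store.mycompany.com/auth/callback/../admin"), "path suffix");
        check(!matchesOAuthRedirectRelaxed(oauthRedirects, "http://store.mycompany.com/auth/callback"), "scheme downgrade");

        Set<String> postAuth = Set.of("/", "/account", "https://store.mycompany.com/checkout");
        String fallback = "https://store.mycompany.com/";
        check(postAuthenticationRedirect(postAuth, "/account", fallback).equals("/account"), "whitelisted relative target");
        check(postAuthenticationRedirect(postAuth, "//evil.example/account", fallback).equals(fallback), "protocol-relative falls back");
        check(postAuthenticationRedirect(postAuth, null, fallback).equals(fallback), "nothing requested");
        // The two lists are separate: an OAuth redirect_uri is not automatically a valid post-login target.
        check(postAuthenticationRedirect(postAuth, "https://store.mycompany.com/auth/callback", fallback).equals(fallback), "lists are not interchangeable");
    }
}
```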
getResetPasswordBaseUri

The base URI for the reset password form. This is used when generating a reset password link so the user is directed to the right domain hosting the form. If blank, defaultRedirectUri will be used.

This can differ from defaultRedirectUri in cases where the frontend app is on a different domain than Auth and SSO is still being used, i.e., the reset password form is on https://www.my-auth-server.com and the frontend is https://www.my-store.com. In such a case, the defaultRedirectUri would be https://www.my-store.com but resetPasswordBaseUri would be https://www.my-auth-server.com.

isUseRedirectUriToGenerateConsumeTokenUrl

public boolean isUseRedirectUriToGenerateConsumeTokenUrl()

Controls whether auth uses the ImpersonationRequest.getRedirect_uri() when building the consume-token redirect URL after a successful impersonation request. The consume-token endpoint will add a session cookie identifying the user as a CSR so they do not need to log in on the storefront. The alternative is to build a relative URL that redirects to the same domain as the impersonation endpoint.

This is true by default.

The reason to redirect to the consume-token endpoint using the ImpersonationRequest.getRedirect_uri() is to ensure the cookie is set on the same domain as the storefront in cases where the admin and storefront are on separate domains but both can access Auth on their own domains. That is possible when using the standard deployment configuration where all apps and services are deployed behind the Admin and Commerce Gateways.

Suppose the admin and storefront apps are on different domains, admin.mycompany.com and store.mycompany.com. If the impersonate endpoint added the cookie, it would be set on admin.mycompany.com and therefore not accessible on store.mycompany.com. To work around this limitation, the system can redirect to store.mycompany.com/auth/consume-token and then add the session token so that it is on the same domain as the storefront.

However, if Auth is accessed through a different domain than the storefront app (e.g., auth.mycompany.com), then this redirect will not be useful. Such a case typically occurs when also using refresh-token rotation.

Because this redirect carries the token that establishes the CSR session, whatever builds the consume-token URL must only honour a redirect_uri that matches this client's registered redirect targets; an unchecked value would turn the impersonation response into an open redirect that delivers that session to an arbitrary host.

getProofKeyRequired

Whether the client is explicitly opted in to PKCE for auth code flows. The default is true if this value is unset.
setId

The primary key of this authorized client.

- Parameters:
  - id - the primary key

setServerId

The ID of the authorization server this authorized client is part of.

- Parameters:
  - serverId - the authorization server ID

setFriendlyName

The friendly name of this authorized client. Intended for display purposes.

- Parameters:
  - friendlyName - the friendly name

setClientId

The OAuth2 client ID for this authorized client. Usually generated as a randomized string.

- Parameters:
  - clientId - the client ID

setClientIdIssuedAt

Indicates the time at which the getClientId() was issued. This is a completely optional field and is not set by Broadleaf by default.

- Parameters:
  - clientIdIssuedAt - the time at which the client identifier was issued
- See Also:
  - RegisteredClient.getClientIdIssuedAt()

setClientSecret

The encrypted OAuth2 client secret for this authorized client. Not serialized as part of the response object.

- Parameters:
  - clientSecret - the encrypted client secret

setClientSecretExpiresAt

Indicates the time at which getClientSecret() expires. If not set, the client secret does not expire. Broadleaf does not set this value by default.

- Parameters:
  - clientSecretExpiresAt - the time at which getClientSecret() expires
- See Also:
  - RegisteredClient.getClientSecretExpiresAt()

setTokenTimeoutSeconds

The period of time, in seconds, for which an issued access token is valid.

- Parameters:
  - tokenTimeoutSeconds - the timeout in seconds

setRefreshTokenTimeoutSeconds

The period of time, in seconds, for which an issued refresh token is valid. Because refresh tokens are rotated, a refresh token that is used within this timeframe is invalidated by that use and replaced with a new one; a refresh token should generally be treated as single-use.

- Parameters:
  - refreshTokenTimeoutSeconds - the timeout in seconds

setAuthCodeTimeoutSeconds

The period of time, in seconds, for which an issued auth code is valid.

- Parameters:
  - authCodeTimeoutSeconds - the timeout in seconds

setResourceIds

These are values contributed to the AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM set on access tokens issued for this client.

- Parameters:
  - resourceIds - the values to contribute to AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM on tokens issued for this client

setAuthoritativeResourceIds

public void setAuthoritativeResourceIds(boolean authoritativeResourceIds)

When true, getResourceIds() are considered authoritative. In other words, the tokens issued for this client will only contain audience values from getResourceIds() and no other values. This can be useful in scenarios where a client needs highly specific resource restrictions.

When false, getResourceIds() are considered additive on top of defaults inherited from other places such as AuthorizationServerProperties.OAuth2.getAdditionalAudiences(). In other words, the tokens issued for this client will contain audience values from both getResourceIds() and any other inherited value.

- Parameters:
  - authoritativeResourceIds - true if getResourceIds() should be considered authoritative, false if getResourceIds() should be considered additive

setClientAuthenticationMethods

The authentication method(s) that the client may use. Each value should simply be a ClientAuthenticationMethod.getValue() string (for example "client_secret_basic"). Use ClientAuthenticationMethod.NONE ("none") for public clients.

This particularly affects how a client provides its credentials to the '/token' endpoint.

- Parameters:
  - clientAuthenticationMethods - the authentication methods that the client may use
- See Also:
  - RegisteredClient.getClientAuthenticationMethods()

setRequireAuthorizationConsent

public void setRequireAuthorizationConsent(boolean requireAuthorizationConsent)

Set to true if authorization consent is required when the client requests access. This applies to all interactive flows (ex: authorization_code).

This should typically be set to false for 'first-party' clients (such as the Broadleaf admin application); this ensures the user is not shown a consent form whenever scopes are requested.

NOTE: at this time, Broadleaf does not have OOB support for consent flows, so only set this to true if there is a valid available implementation of OAuth2AuthorizationConsentService that can persist, load and validate OAuth2AuthorizationConsent.

- See Also:
  - ClientSettings.isRequireAuthorizationConsent()

setGrantTypes

The grant types for which this client is authorized.

- Parameters:
  - grantTypes - the grant types
setRedirectUris

The pre-defined redirect URIs for this client to use during the "authorization_code" access grant. See the OAuth 2.0 spec (RFC 6749), section 4.1.1.

Any of these values may be relative, and if so, the AuthorizedClientService will use the TenantUrlResolver to determine the base URL to resolve them against so that ultimately they are absolute. If resolution to an absolute URL fails for whatever reason, the relative URL is omitted from the final RegisteredClient.getRedirectUris().

These are exclusively intended for OAuth redirect validation, not for validation of arbitrary redirects from other authentication operations such as login. See getPostAuthenticationSuccessRedirectUris() for more information.

- Parameters:
  - redirectUris - the redirect URIs

setRelaxRedirectUrisValidation

public void setRelaxRedirectUrisValidation(boolean relaxRedirectUrisValidation)

If true, getRedirectUris() will be dynamically modified/expanded at runtime (persisted state does not change) to effectively relax certain validations. If false, getRedirectUris() will be used as-is, resulting in strict comparison semantics.

In most cases, setting this value to true is reasonable and can avoid requests being rejected for frivolous reasons such as trailing slash mismatches. However, in scenarios where getRedirectUris() must be interpreted verbatim as defined, setting it to false ensures exact match semantics apply and no variations are allowed. Exact string matching of redirect URIs is what the OAuth 2.0 Security Best Current Practice recommends, so prefer false for any client whose redirect URIs can be registered exactly.

- Parameters:
  - relaxRedirectUrisValidation - whether to relax validation on getRedirectUris()

setPostAuthenticationSuccessRedirectUris

public void setPostAuthenticationSuccessRedirectUris(Set<String> postAuthenticationSuccessRedirectUris)

A whitelist of redirect URIs that the caller can request redirect to after successful authentication related operations. This can contain relative and absolute values.

If none are configured or none match the request, getDefaultRedirectUri() should be used.

Critically, this is distinct from getRedirectUris() and is not intended for use in OAuth validation.

- Parameters:
  - postAuthenticationSuccessRedirectUris - a whitelist of redirect URIs that callers can request redirect to after successful authentication operations

setPostLogoutRedirectUris

The post logout redirect URI(s) that the client may use for logout.

This is only applicable when using the OpenID Connect RP-Initiated Logout 1.0 flow.

- Parameters:
  - postLogoutRedirectUris - the post-logout redirect URIs that the client may use for logout
- See Also:
  - RegisteredClient.getPostLogoutRedirectUris()
  - OidcLogoutAuthenticationProvider

setScopes

The scopes for this client. Empty if the client isn't scoped.

The scopes represent the "upper bound" of what scopes a client is allowed to request. They will also be used as default scopes if no scopes are requested.

When this client is expected to be the final principal (ex: client credentials flow), these values represent all scopes that can be requested. Typically, the client credentials token request does not include any scopes, and all of these scopes are granted.

For flows where a user is the final principal (ex: authorization code flow), these values represent the upper bound of what can be granted. Token requests typically include a scope that must be declared in this field.

- Parameters:
  - scopes - the Set of scopes to assign to this client

setPermissions

The Broadleaf permissions that are assigned as authorities to this client in an OAuth2 flow. These apply to client-only flows (ex: AuthorizationGrantType.CLIENT_CREDENTIALS). They do not apply to user flows.

- Parameters:
  - permissions - the permissions this client is assigned

setAdmin

public void setAdmin(boolean isAdmin)

Whether or not this authorized client is used for authorizing admin users. This is generally used in discovering the authorized client or authorization server for admin users.

- Parameters:
  - isAdmin - whether or not this authorized client is for admin users

setApplicationId

Populated if this authorized client is used for authorizing customer users in a certain application. This is generally used in discovering the authorized client or authorization server for customer users.

- Parameters:
  - applicationId - the application ID this client is used in

setAttributes

Additional attributes for this client, not needed by the vanilla OAuth protocol but possibly useful, for example, for storing descriptive information.

- Parameters:
  - attributes - the additional attributes

setDefaultRedirectUri

The default redirect URI to use if a user accesses an authentication operation without a valid requested redirect location.

In many cases, this is effectively the default value to use if a match is not found in getPostAuthenticationSuccessRedirectUris() or if no value was explicitly requested.

This is distinct from getRedirectUris() and is not intended for use with OAuth-specific validations.

- Parameters:
  - defaultRedirectUri - the default fallback URI to use for this client

setResetPasswordBaseUri

The base URI for the reset password form. This is used when generating a reset password link so the user is directed to the right domain hosting the form. If blank, defaultRedirectUri will be used.

This can differ from defaultRedirectUri in cases where the frontend app is on a different domain than Auth and SSO is still being used, i.e., the reset password form is on https://www.my-auth-server.com and the frontend is https://www.my-store.com. In such a case, the defaultRedirectUri would be https://www.my-store.com but resetPasswordBaseUri would be https://www.my-auth-server.com.

setUseRedirectUriToGenerateConsumeTokenUrl

public void setUseRedirectUriToGenerateConsumeTokenUrl(boolean useRedirectUriToGenerateConsumeTokenUrl)

Controls whether auth uses the ImpersonationRequest.getRedirect_uri() when building the consume-token redirect URL after a successful impersonation request. The consume-token endpoint will add a session cookie identifying the user as a CSR so they do not need to log in on the storefront. The alternative is to build a relative URL that redirects to the same domain as the impersonation endpoint.

This is true by default.

The reason to redirect to the consume-token endpoint using the ImpersonationRequest.getRedirect_uri() is to ensure the cookie is set on the same domain as the storefront in cases where the admin and storefront are on separate domains but both can access Auth on their own domains. That is possible when using the standard deployment configuration where all apps and services are deployed behind the Admin and Commerce Gateways.

Suppose the admin and storefront apps are on different domains, admin.mycompany.com and store.mycompany.com. If the impersonate endpoint added the cookie, it would be set on admin.mycompany.com and therefore not accessible on store.mycompany.com. To work around this limitation, the system can redirect to store.mycompany.com/auth/consume-token and then add the session token so that it is on the same domain as the storefront.

However, if Auth is accessed through a different domain than the storefront app (e.g., auth.mycompany.com), then this redirect will not be useful. Such a case typically occurs when also using refresh-token rotation.

setProofKeyRequired

Whether the client is explicitly opted in to PKCE for auth code flows. The default is true if this value is unset.

equals

canEqual

hashCode

public int hashCode()

toString

isAdmin

public boolean isAdmin()

Whether or not this authorized client is used for authorizing admin users. This is generally used in discovering the authorized client or authorization server for admin users.

- Returns:
  - whether or not this authorized client is for admin users