Serialized Form
-
Package com.broadleafcommerce.auth.authorization.provider.jpa.domain
-
Class com.broadleafcommerce.auth.authorization.provider.jpa.domain.JpaOAuth2Authorization
class JpaOAuth2Authorization extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
accessTokenExpiresAt
Long accessTokenExpiresAt
-
accessTokenIssuedAt
Long accessTokenIssuedAt
-
accessTokenMetadata
String accessTokenMetadata
-
accessTokenScopes
String accessTokenScopes
-
accessTokenType
String accessTokenType
-
accessTokenValue
String accessTokenValue
-
accessTokenValueHash
String accessTokenValueHash
The column length of JpaOAuth2Authorization.getAccessTokenValue() forces it to be a non-queryable, non-indexable Lob on certain database providers. This column should contain some hashed representation of the JpaOAuth2Authorization.getAccessTokenValue() (if present). The main idea is for indexing and queries to be run against this smaller hash rather than the raw value directly.
Note - the hashing algorithm must be strongly collision resistant to minimize the chances of multiple values sharing the same hash. Furthermore, even with a strong hashing algorithm, all queries must account for the fact that collisions are inevitable and should not assume that a query for a particular hash will only ever return a single result. Queries should examine the result list, and if more than one result is returned for the same hash, perform direct in-memory comparison of JpaOAuth2Authorization.getAccessTokenValue() to drop unexpected results.
-
attributes
String attributes
-
authorizationCodeExpiresAt
Long authorizationCodeExpiresAt
-
authorizationCodeIssuedAt
Long authorizationCodeIssuedAt
-
authorizationCodeMetadata
String authorizationCodeMetadata
-
authorizationCodeValue
String authorizationCodeValue
-
authorizationGrantType
String authorizationGrantType
-
authorizedScopes
String authorizedScopes
-
deviceCodeExpiresAt
Long deviceCodeExpiresAt
-
deviceCodeIssuedAt
Long deviceCodeIssuedAt
-
deviceCodeMetadata
String deviceCodeMetadata
-
deviceCodeValue
String deviceCodeValue
-
id
String id
-
oicdIdTokenExpiresAt
Long oicdIdTokenExpiresAt
-
oid
String oid
-
oidcIdTokenIssuedAt
Long oidcIdTokenIssuedAt
-
oidcIdTokenMetadata
String oidcIdTokenMetadata
-
oidcIdTokenValue
String oidcIdTokenValue
-
oidcIdTokenValueHash
String oidcIdTokenValueHash
The column length of JpaOAuth2Authorization.getOidcIdTokenValue() forces it to be a non-queryable, non-indexable Lob on certain database providers. This column should contain some hashed representation of the JpaOAuth2Authorization.getOidcIdTokenValue() (if present). The main idea is for indexing and queries to be run against this smaller hash rather than the raw value directly.
Note - the hashing algorithm must be strongly collision resistant to minimize the chances of multiple values sharing the same hash. Furthermore, even with a strong hashing algorithm, all queries must account for the fact that collisions are inevitable and should not assume that a query for a particular hash will only ever return a single result. Queries should examine the result list, and if more than one result is returned for the same hash, perform direct in-memory comparison of JpaOAuth2Authorization.getOidcIdTokenValue() to drop unexpected results.
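The hash-then-verify lookup described for both accessTokenValueHash and oidcIdTokenValueHash, as an added example. This is not Broadleaf code: it assumes Java 17 or later, SHA-256 as the collision-resistant hash, and an in-memory map standing in for the JPA query against the hash column. The AuthorizationRow record, the method names and the sample token values are constructed for illustration only.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example, not Broadleaf code: look up an authorization by the hash of an
// opaque token, then verify the raw value of every candidate before trusting it.
public class TokenHashLookupExample {

    // Stand-in for the persisted row; only the columns this example needs.
    record AuthorizationRow(String id, String tokenValue, String tokenValueHash) {}

    // Stand-in for the JPA query on the hash column. Assumption: it returns a list,
    // never a single row, because two raw values can share a hash.
    static final Map<String, List<AuthorizationRow>> ROWS_BY_HASH = new HashMap<>();

    // SHA-256: collision resistant and a fixed 64-character hex string, so the column
    // can stay short, indexed and queried with an equality predicate.
    static String hashToken(String tokenValue) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(tokenValue.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by every Java platform", e);
        }
    }

    static void save(AuthorizationRow row) {
        ROWS_BY_HASH.computeIfAbsent(row.tokenValueHash(), k -> new ArrayList<>()).add(row);
    }

    // Query by hash, then filter the candidates by the raw value in memory.
    static Optional<AuthorizationRow> findByToken(String presentedToken) {
        List<AuthorizationRow> candidates =
                ROWS_BY_HASH.getOrDefault(hashToken(presentedToken), List.of());
        byte[] presented = presentedToken.getBytes(StandardCharsets.UTF_8);
        for (AuthorizationRow row : candidates) {
            // Constant-time comparison of the raw value; a row that merely shares the hash is dropped.
            if (MessageDigest.isEqual(presented, row.tokenValue().getBytes(StandardCharsets.UTF_8))) {
                return Optional.of(row);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample tokens; real values are random and much longer.
        String tokenA = "opaque-token-A";
        String tokenB = "opaque-token-B";
        save(new AuthorizationRow("auth-1", tokenA, hashToken(tokenA)));
        // Force the collision case: a second row stored under tokenA's hash with a different raw value.
        save(new AuthorizationRow("auth-2", tokenB, hashToken(tokenA)));

        System.out.println("candidates for tokenA: "
                + ROWS_BY_HASH.get(hashToken(tokenA)).size());
        System.out.println("match for tokenA: "
                + findByToken(tokenA).map(AuthorizationRow::id).orElse("none"));
        System.out.println("match for tokenB: "
                + findByToken(tokenB).map(AuthorizationRow::id).orElse("none"));
        System.out.println("match for unknown token: "
                + findByToken("opaque-token-C").map(AuthorizationRow::id).orElse("none"));
    }
}
```

The forced collision makes the hash query return two candidates for tokenA, and only auth-1 survives the in-memory comparison; tokenB finds no row because it was stored under the wrong hash, and an unknown token matches nothing. The raw-value comparison uses MessageDigest.isEqual so that timing does not leak how much of a presented token matched a stored one.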
-
principalName
String principalName
-
refreshTokenExpiresAt
Long refreshTokenExpiresAt
-
refreshTokenIssuedAt
Long refreshTokenIssuedAt
-
refreshTokenMetadata
String refreshTokenMetadata
-
refreshTokenValue
String refreshTokenValue
-
registeredClientId
String registeredClientId
-
state
String state
-
userCodeExpiresAt
Long userCodeExpiresAt
-
userCodeIssuedAt
Long userCodeIssuedAt
-
userCodeMetadata
String userCodeMetadata
-
userCodeValue
String userCodeValue
-
-
-
Package com.broadleafcommerce.auth.authorization.security.embedded.code
-
Class com.broadleafcommerce.auth.authorization.security.embedded.code.EmbeddedLoginCodeAuthenticationToken
class EmbeddedLoginCodeAuthenticationToken extends org.springframework.security.authentication.AbstractAuthenticationToken implements Serializable
-
-
Package com.broadleafcommerce.auth.authorization.security.embedded.exception
-
Exception com.broadleafcommerce.auth.authorization.security.embedded.exception.EmbeddedLoginNotAllowedException
class EmbeddedLoginNotAllowedException extends org.springframework.security.core.AuthenticationException implements Serializable-
Serialized Fields
-
authServerId
String authServerId
ID of the AuthorizationServer that received the request.
-
clientId
String clientId
ID of the AuthorizedClient that received the request.
-
-
-
Exception com.broadleafcommerce.auth.authorization.security.embedded.exception.EmbeddedLoginOTPResponseException
class EmbeddedLoginOTPResponseException extends org.springframework.security.core.AuthenticationException implements Serializable -
Exception com.broadleafcommerce.auth.authorization.security.embedded.exception.EmbeddedRegistrationNotAllowedException
class EmbeddedRegistrationNotAllowedException extends RuntimeException implements Serializable-
Serialized Fields
-
authServerId
String authServerId
ID of the AuthorizationServer that received the request.
-
clientId
String clientId
ID of the AuthorizedClient that received the request.
-
-
-
-
Package com.broadleafcommerce.auth.authorization.security.embedded.login
-
Class com.broadleafcommerce.auth.authorization.security.embedded.login.EmbeddedLoginAuthenticationToken
class EmbeddedLoginAuthenticationToken extends FormLoginAuthenticationToken implements Serializable- serialVersionUID:
- 1L
-
-
Package com.broadleafcommerce.auth.client.domain
-
Class com.broadleafcommerce.auth.client.domain.OAuthClientRegistrationProviderDetails
class OAuthClientRegistrationProviderDetails extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
authorizationUri
String authorizationUri
- See Also:
-
ClientRegistration.ProviderDetails.getAuthorizationUri()
-
configurationMetadata
Map<String, Object> configurationMetadata
- See Also:
-
ClientRegistration.ProviderDetails.getConfigurationMetadata()
-
issuerUri
String issuerUri
URI that can either be an OpenID Connect discovery endpoint or an OAuth 2.0 Authorization Server Metadata endpoint defined by RFC 8414. This is used to gather the provider details which would otherwise be unknown, since some providers only provide this to integrators.
-
jwkSetUri
String jwkSetUri
- See Also:
-
ClientRegistration.ProviderDetails.getJwkSetUri()
-
registrationId
String registrationId
The ID of the registered provider. Should match OAuthClientRegistrationWrapper.getRegistrationId().
-
tokenUri
String tokenUri
- See Also:
-
ClientRegistration.ProviderDetails.getTokenUri()
-
userInfoEndpoint
OAuthClientRegistrationProviderDetails.UserInfoEndpoint userInfoEndpoint
- See Also:
-
ClientRegistration.ProviderDetails.getUserInfoEndpoint()
-
-
Class com.broadleafcommerce.auth.client.domain.OAuthClientRegistrationProviderDetails.UserInfoEndpoint
class UserInfoEndpoint extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
authenticationMethod
String authenticationMethod
- See Also:
-
ClientRegistration.ProviderDetails.UserInfoEndpoint.getAuthenticationMethod()
-
uri
String uri
- See Also:
-
ClientRegistration.ProviderDetails.UserInfoEndpoint.getUri()
-
userNameAttributeName
String userNameAttributeName
- See Also:
-
ClientRegistration.ProviderDetails.UserInfoEndpoint.getUserNameAttributeName()
-
-
Class com.broadleafcommerce.auth.client.domain.OAuthClientRegistrationWrapper
class OAuthClientRegistrationWrapper extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
authorizationGrantType
String authorizationGrantType
- See Also:
-
ClientRegistration.getAuthorizationGrantType()
-
clientAuthenticationMethod
String clientAuthenticationMethod
- See Also:
-
ClientRegistration.getClientAuthenticationMethod()
-
clientId
String clientId
- See Also:
-
ClientRegistration.getClientId()
-
clientName
String clientName
- See Also:
-
ClientRegistration.getClientName()
-
clientSecret
String clientSecret
- See Also:
-
ClientRegistration.getClientSecret()
-
id
String id
The system ID of the registration -
providerDetails
OAuthClientRegistrationProviderDetails providerDetails
- See Also:
-
ClientRegistration.getProviderDetails()
OAuthClientRegistrationProviderDetails
-
redirectUriTemplate
String redirectUriTemplate
- See Also:
-
ClientRegistration.getRedirectUri()
-
registrationId
String registrationId
- See Also:
-
ClientRegistration.getRegistrationId()
-
scopes
Set<String> scopes
- See Also:
-
ClientRegistration.getScopes()
-
tenantId
String tenantId
The ID of the Tenant this registration belongs to. Different tenants can have different credentials for the same client provider (e.g. Facebook, Google).
-
-
-
Package com.broadleafcommerce.auth.client.provider.authentication
-
Class com.broadleafcommerce.auth.client.provider.authentication.BroadleafOAuthClientAuthenticationDetails
class BroadleafOAuthClientAuthenticationDetails extends Object implements Serializable-
Serialized Fields
-
clientId
String clientId
-
-
-
-
Package com.broadleafcommerce.auth.client.provider.jpa.domain
-
Class com.broadleafcommerce.auth.client.provider.jpa.domain.JpaOAuthClientProviderDetails
class JpaOAuthClientProviderDetails extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
authorizationUri
String authorizationUri
-
configurationMetadata
Map<String, Object> configurationMetadata
-
id
String id
-
jwkSetUri
String jwkSetUri
-
registrationId
String registrationId
-
tokenUri
String tokenUri
-
userInfoAuthenticationMethod
String userInfoAuthenticationMethod
-
userInfoUri
String userInfoUri
-
userInfoUserNameAttributeName
String userInfoUserNameAttributeName
-
-
Class com.broadleafcommerce.auth.client.provider.jpa.domain.JpaOAuthClientRegistration
class JpaOAuthClientRegistration extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
authorizationGrantType
String authorizationGrantType
-
clientAuthenticationMethod
String clientAuthenticationMethod
-
clientId
String clientId
-
clientName
String clientName
-
clientSecret
String clientSecret
-
id
String id
-
providerDetails
JpaOAuthClientProviderDetails providerDetails
-
redirectUriTemplate
String redirectUriTemplate
-
registrationId
String registrationId
-
scopes
Set<String> scopes
-
tenantId
String tenantId
-
-
-
Package com.broadleafcommerce.auth.client.web.authentication.session.exception
-
Exception com.broadleafcommerce.auth.client.web.authentication.session.exception.MissingOAuth2AuthenticationAttributeException
class MissingOAuth2AuthenticationAttributeException extends RuntimeException implements Serializable
-
-
Package com.broadleafcommerce.auth.passcode.service
-
Exception com.broadleafcommerce.auth.passcode.service.PasscodeNotConsumedException
class PasscodeNotConsumedException extends Exception implements Serializable
-
-
Package com.broadleafcommerce.auth.repository.provider.hibernate.generation
-
Class com.broadleafcommerce.auth.repository.provider.hibernate.generation.ULIDGenerationStrategy
class ULIDGenerationStrategy extends Object implements Serializable
-
-
Package com.broadleafcommerce.auth.resource.domain
-
Class com.broadleafcommerce.auth.resource.domain.AccountRole
class AccountRole extends Object implements Serializable-
Serialized Fields
-
accountId
String accountId
-
active
boolean active
-
id
String id
-
roleRef
UserRoleRef roleRef
-
userId
String userId
-
-
-
Class com.broadleafcommerce.auth.resource.domain.RestrictedPermission
class RestrictedPermission extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
permission
UserPermissionRef permission
Represents the permission that is being restricted. -
restriction
Restriction restriction
Represents the restriction on this permission.
-
-
Class com.broadleafcommerce.auth.resource.domain.RestrictedRole
class RestrictedRole extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
restriction
Restriction restriction
Represents the restriction on this role. -
role
UserRoleRef role
Represents the role that is being restricted.
-
-
Class com.broadleafcommerce.auth.resource.domain.Restriction
class Restriction extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.resource.domain.User
class User extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
accountRoles
List<AccountRole> accountRoles
Roles this user has under specific Account contexts. -
active
boolean active
A flag indicating whether the user account is enabled. If false, they will not be able to log in. This flag should be used if a user needs to be enabled/disabled for administrative reasons.
-
applicationAccess
boolean applicationAccess
Indicates whether this user has access at the application level or not. This field only applies to UserType.ADMIN users. UserType.CUSTOMER will always have application level access regardless of this value.
-
applicationIds
Set<String> applicationIds
This field only applies to UserType.ADMIN users. The ids of applications this user is a member of. If this is non-empty, this user is restricted to these applications.
-
archived
boolean archived
This entity is soft-deleted instead of hard-deleted, and this field is set to true when the entity is soft-deleted.
-
attributes
Map<String, Object> attributes
Arbitrary attributes associated with this user. May include custom claims, customer segment ids, or any other attributes that are not first class user fields.
-
changePasswordRequired
boolean changePasswordRequired
A flag indicating whether the admin user account requires a password reset. If true, they will not be able to log in until they reset their password. -
customerContextId
String customerContextId
This field only applies to UserType.CUSTOMER users. The id of the customer context this user is a member of. If this is set, this user is restricted to this customer context.
-
defaultAccountId
String defaultAccountId
The default account for the customer. If set, the customer will automatically have this account selected on login. -
email
String email
The user's email address. -
expired
boolean expired
A flag indicating whether the admin user account is expired. If true, they will not be able to log in. This flag can be used to declare an account as expired and unusable, but currently there is no logic for that. It will always be false.
-
externalId
String externalId
Intended to hold any unique identifier for this user as known by an external (non-BLC) system. For example, many implementations may integrate or import/export data from other systems that manage their own unique identifiers. -
firstName
String firstName
The first name of the user, if the fullName is not being used for the user. -
fullName
String fullName
The full name of the user, if the component parts firstName, middleName, and lastName are not being used to comprise the full name. -
id
String id
-
impersonationAllowed
boolean impersonationAllowed
A flag indicating whether or not this user is allowed to be impersonated.
-
lastName
String lastName
The last name of the user, if the fullName is not being used for the user. -
lastUpdated
Instant lastUpdated
Indicates when this record was last updated. -
locked
boolean locked
A flag indicating whether the admin user account is locked. If true, they will not be able to log in and a LockedException will be thrown on a login attempt. This flag is used to limit invalid login attempts.
-
lockedTime
Instant lockedTime
If this user is locked out, the time that the user was locked. -
middleName
String middleName
The middle name of the user, if the fullName is not being used for the user. -
passwordLastUpdated
Instant passwordLastUpdated
The time the password was last updated. Used to enforce rules around how long a password may remain unchanged before forcing the user to make a new one. -
permissions
Set<UserPermissionRef> permissions
The permissions that this user is directly assigned (in addition to permissions granted through User.roles).
-
restrictedPermissions
Set<RestrictedPermission> restrictedPermissions
The permissions that this user is directly assigned that are restricted to only apply when accessing certain segments of data. -
restrictedRoles
Set<RestrictedRole> restrictedRoles
The roles that this user is directly assigned that are restricted to only apply when accessing certain segments of data. -
restrictions
Set<Restriction> restrictions
The data restrictions that control the data this user is permitted to access. -
roles
Set<UserRoleRef> roles
The roles that this user is assigned. The user is granted all permissions that each of these roles are directly assigned or inherit from their ancestors. -
serverId
String serverId
The ID of the authorization server that this user is a member of. -
serviceId
String serviceId
If this user was synchronized from a BLC service (ex: the admin user service or the customer service), this field will be the ID value used by that service for this user. If this value is set, there should also be a value set for User.type. Only when both values are non-null is the combination of this field and User.type guaranteed to be unique across all records. There is no uniqueness guarantee for records which have a null service ID or a null User.type.
- See Also:
-
User.type
-
tenantAccess
boolean tenantAccess
Indicates whether this user has access at the tenant level or not. This field only applies to UserType.ADMIN users.
-
tenantId
String tenantId
The id of the tenant this user is associated with. -
type
String type
Represents the type of user this is. This value must be supplied if User.serviceId is set.
- See Also:
-
UserType
User.serviceId
-
username
String username
What this user uses to actually log in. May be the same as User.email, but that is not required. The username is case insensitive, so it will always be stored lowercase.
-
-
Class com.broadleafcommerce.auth.resource.domain.UserHistoricalPassword
class UserHistoricalPassword extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
dateCreated
Instant dateCreated
The date when the password was created.
-
-
-
Package com.broadleafcommerce.auth.resource.web.endpoint.exception
-
Exception com.broadleafcommerce.auth.resource.web.endpoint.exception.InvalidApplicationContextException
class InvalidApplicationContextException extends Exception implements Serializable -
Exception com.broadleafcommerce.auth.resource.web.endpoint.exception.InvalidApplicationIdException
class InvalidApplicationIdException extends Exception implements Serializable
-
-
Package com.broadleafcommerce.auth.security.domain
-
Class com.broadleafcommerce.auth.security.domain.JpaAccountRoleXref
class JpaAccountRoleXref extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
accountId
String accountId
-
active
boolean active
-
id
String id
-
role
JpaUserRole role
-
user
JpaUser user
-
-
Class com.broadleafcommerce.auth.security.domain.JpaUserPermission
class JpaUserPermission extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
accountPermission
boolean accountPermission
-
archived
boolean archived
- See Also:
-
UserPermission.archived
-
id
String id
-
lastUpdated
Instant lastUpdated
We don't use LastModifiedDate here because we want to enable manually setting this value (ex: for setting the lastUpdated to a value received in a persistence message).
- See Also:
-
UserPermission.lastUpdated
-
name
String name
-
userAssignable
boolean userAssignable
-
-
Class com.broadleafcommerce.auth.security.domain.JpaUserRestrictedPermission
class JpaUserRestrictedPermission extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.security.domain.JpaUserRestrictedRole
class JpaUserRestrictedRole extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.security.domain.JpaUserRestriction
class JpaUserRestriction extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.security.domain.JpaUserRole
class JpaUserRole extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
accountRole
boolean accountRole
-
archived
boolean archived
- See Also:
-
UserRole.archived
-
description
String description
-
friendlyName
String friendlyName
-
id
String id
-
lastUpdated
Instant lastUpdated
We don't use LastModifiedDate here because we want to enable manually setting this value (ex: for setting the lastUpdated to a value received in a persistence message).
- See Also:
-
UserRole.lastUpdated
-
name
String name
-
parentRoleId
String parentRoleId
A soft reference to the parent of this role.
- See Also:
-
UserRole.parentRoleId
-
permissions
Set<JpaUserPermission> permissions
-
-
Class com.broadleafcommerce.auth.security.domain.PermissionScope
class PermissionScope extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
id
String id
-
permission
String permission
The permission or base root of a permission which can expand to a CRUD operation. Note that if a permission name starts with a PermissionType prefix, it must be declared as a permission root by setting PermissionScope.permissionRoot to true.
- See Also:
-
PermissionType
PermissionScope.permissionRoot
-
permissionRoot
boolean permissionRoot
Is this the root of a permission? If this is false, this is a direct mapping between a permission and a scope. In other words, the usual CREATE_, READ_, UPDATE_, DELETE_, ALL_ prefixes do not apply to this scope/permission relationship.
-
scope
SecurityScope scope
-
-
Class com.broadleafcommerce.auth.security.domain.SecurityScope
class SecurityScope extends Object implements Serializable- serialVersionUID:
- 1L
-
-
Package com.broadleafcommerce.auth.security.service.exception
-
Exception com.broadleafcommerce.auth.security.service.exception.InvalidUserRoleDeleteException
class InvalidUserRoleDeleteException extends RuntimeException implements Serializable
-
-
Package com.broadleafcommerce.auth.server.domain
-
Class com.broadleafcommerce.auth.server.domain.AuthorizedClient
class AuthorizedClient extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
applicationId
String applicationId
Populated if this authorized client is used for authorizing customer users in a certain application. This is generally used in discovering the authorized client or authorization server for customer users. -
attributes
Map<String, Object> attributes
Additional attributes for this client, not needed by the vanilla OAuth protocol but might be useful, for example, for storing descriptive information.
-
authCodeTimeoutSeconds
Integer authCodeTimeoutSeconds
The period of time, in seconds, that an auth code issued will be valid for. -
authoritativeResourceIds
boolean authoritativeResourceIds
When true, AuthorizedClient.getResourceIds() are considered authoritative. In other words, the tokens issued for this client will only contain audience values from AuthorizedClient.getResourceIds() and no other values. This can be useful in scenarios where a client needs to have highly specific resource restrictions.
When false, AuthorizedClient.getResourceIds() are considered additive on top of defaults inherited from other places such as AuthorizationServerProperties.OAuth2.getAdditionalAudiences(). In other words, the tokens issued for this client will contain audience values from both AuthorizedClient.getResourceIds() and any other inherited value.
-
clientAuthenticationMethods
Set<String> clientAuthenticationMethods
The authentication method(s) that the client may use. This should just be ClientAuthenticationMethod.getValue(). Use ClientAuthenticationMethod.NONE for public clients. This particularly affects how a client would provide its credentials to the '/token' endpoint.
- See Also:
-
RegisteredClient.getClientAuthenticationMethods()
-
clientId
String clientId
The OAuth2 client ID for this authorized client. Usually generated as a randomized string. -
clientIdIssuedAt
Instant clientIdIssuedAt
Indicates the time at which the AuthorizedClient.getClientId() was issued. This is a completely optional field, and is not set by Broadleaf by default.
- See Also:
-
RegisteredClient.getClientIdIssuedAt()
-
clientSecret
String clientSecret
The encrypted OAuth2 client secret for this authorized client. Not serialized as part of the response object. -
clientSecretExpiresAt
Instant clientSecretExpiresAt
Indicates the time at which AuthorizedClient.getClientSecret() expires. If not set, the client secret does not expire. Broadleaf does not set this value by default.
- See Also:
-
RegisteredClient.getClientSecretExpiresAt()
-
defaultRedirectUri
String defaultRedirectUri
The default redirect URI to use if a user accesses an authentication operation without a valid requested redirect location. In many cases, this is effectively the default value to use if a match is not found in AuthorizedClient.getPostAuthenticationSuccessRedirectUris() or if no value was explicitly requested. This is distinct from AuthorizedClient.getRedirectUris() and is not intended for use with OAuth-specific validations.
-
friendlyName
String friendlyName
The friendly name of this authorized client. Intended for display purposes -
grantTypes
Set<String> grantTypes
The grant types for which this client is authorized. -
id
String id
The primary key of this authorized client. -
isAdmin
boolean isAdmin
Whether or not this authorized client is used for authorizing admin users. This is generally used in discovering the authorized client or authorization server for admin users. -
permissions
Set<String> permissions
Returns the Broadleaf permissions that are assigned as authorities to this client in an OAuth2 flow. These apply to client-only flows (ex: AuthorizationGrantType.CLIENT_CREDENTIALS). These do not apply to user flows.
-
postAuthenticationSuccessRedirectUris
Set<String> postAuthenticationSuccessRedirectUris
A whitelist of redirect URIs that the caller can request redirect to after successful authentication related operations. This can contain relative and absolute values. If none are configured or none match the request, AuthorizedClient.getDefaultRedirectUri() should be used. Critically, this is distinct from AuthorizedClient.getRedirectUris() and is not intended for use in OAuth validation.
-
postLogoutRedirectUris
Set<String> postLogoutRedirectUris
The post logout redirect URI(s) that the client may use for logout. This is only applicable when using the OpenID Connect RP-Initiated Logout 1.0 flow.
- See Also:
-
RegisteredClient.getPostLogoutRedirectUris()
OidcLogoutAuthenticationProvider
-
proofKeyRequired
Boolean proofKeyRequired
Whether the client is explicitly opted-in to PKCE for auth code flows. The default is true if this value is unset. -
redirectUris
Set<String> redirectUris
The pre-defined redirect URIs for this client to use during the "authorization_code" access grant. See the OAuth 2.0 spec (RFC 6749), section 4.1.1. Any of these values may be relative, and if so, the AuthorizedClientService will use the TenantUrlResolver to determine the base URL to resolve them against such that ultimately they are absolute. If resolution to an absolute URL fails for whatever reason, the relative URL will be omitted from the final RegisteredClient.getRedirectUris(). These are exclusively intended to be for OAuth redirect validation, and not for validation of arbitrary redirects from various authentication operations such as login. See AuthorizedClient.getPostAuthenticationSuccessRedirectUris() for more information.
-
refreshTokenTimeoutSeconds
Integer refreshTokenTimeoutSeconds
The period of time, in seconds, that a refresh token issued will be valid for. A refresh token used within this timeframe will become invalid because of rotation. It should be generally considered that a refresh token can be used once.
-
relaxRedirectUrisValidation
boolean relaxRedirectUrisValidation
If true, AuthorizedClient.getRedirectUris() will be dynamically modified/expanded at runtime (persisted state does not change) to effectively relax certain validations. If false, AuthorizedClient.getRedirectUris() will be used as-is, resulting in strict comparison semantics. In most cases, setting this value to true is reasonable and can avoid requests being rejected for frivolous reasons such as trailing slash mismatches. However, in scenarios where AuthorizedClient.getRedirectUris() must be interpreted verbatim as defined, setting to false can ensure exact match semantics apply and any variations are not allowed. -
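The two comparison semantics that relaxRedirectUrisValidation chooses between, as an added example. This is not Broadleaf code and does not reproduce how the server expands the registered URIs: it models only the trailing-slash tolerance the description names as an assumption about what "relaxed" covers, and keeps everything else (scheme, host, port, path, query) exact so that look-alike hosts, path traversal and prefix matches are still rejected. The registered and requested URIs and the method names are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;
import java.util.Set;

// Added example, not Broadleaf code: strict versus relaxed matching of a requested
// redirect_uri against a client's registered redirect URIs.
public class RedirectUriMatchExample {

    // relax=false: the requested URI must equal a registered one exactly.
    // relax=true : assumption for this example, only a trailing-slash difference in the
    //              path is forgiven; scheme, host, port, path and query still match exactly.
    static boolean matches(Set<String> registeredRedirectUris, String requested, boolean relax) {
        URI req = parse(requested);
        if (req == null || !req.isAbsolute()) {
            return false; // a relative or unparseable request has no authority to compare against
        }
        for (String registered : registeredRedirectUris) {
            URI reg = parse(registered);
            if (reg != null && (relax ? relaxedEquals(reg, req) : reg.equals(req))) {
                return true;
            }
        }
        return false;
    }

    static boolean relaxedEquals(URI a, URI b) {
        return equalsIgnoreCase(a.getScheme(), b.getScheme())
                && equalsIgnoreCase(a.getHost(), b.getHost())
                && a.getPort() == b.getPort()
                && Objects.equals(stripTrailingSlash(a.getRawPath()), stripTrailingSlash(b.getRawPath()))
                && Objects.equals(a.getRawQuery(), b.getRawQuery())
                // A fragment is never part of a valid redirect_uri, so reject it on either side.
                && a.getRawFragment() == null && b.getRawFragment() == null;
    }

    private static boolean equalsIgnoreCase(String x, String y) {
        return x == null ? y == null : x.equalsIgnoreCase(y);
    }

    // "/cb/" and "/cb" compare equal; "" and "/" compare equal. Nothing else is normalized,
    // so "/cb/../admin" stays different from "/cb" and prefix matches never succeed.
    private static String stripTrailingSlash(String path) {
        if (path == null || path.isEmpty()) {
            return "/";
        }
        return path.length() > 1 && path.endsWith("/") ? path.substring(0, path.length() - 1) : path;
    }

    private static URI parse(String value) {
        try {
            return new URI(value);
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample registration and requests.
        Set<String> registered = Set.of("https://store.example.com/oauth/callback");
        String[] requests = {
                "https://store.example.com/oauth/callback",                  // exact
                "https://store.example.com/oauth/callback/",                 // trailing slash only
                "https://store.example.com/oauth/callback/../admin",         // traversal in path
                "https://store.example.com.attacker.example/oauth/callback", // look-alike host
                "https://store.example.com/oauth/callback?next=x",           // extra query
                "https://store.example.com/oauth/callback#frag"              // fragment
        };
        for (String request : requests) {
            System.out.printf("strict=%-5b relaxed=%-5b %s%n",
                    matches(registered, request, false), matches(registered, request, true), request);
        }
    }
}
```

Only the trailing-slash request changes outcome between the two modes: it fails strict matching and passes relaxed matching. The exact request passes both, and the traversal, look-alike host, extra query and fragment requests fail both, which is the property any relaxation must preserve: it may forgive cosmetic variation, never widen the set of hosts or path prefixes a client can send users to.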
requireAuthorizationConsent
boolean requireAuthorizationConsent
Set to true if authorization consent is required when the client requests access. This applies to all interactive flows (ex: authorization_code). This should typically be set to false for 'first-party' clients (such as the Broadleaf admin application) - this ensures the user is not shown a consent form whenever scopes are requested.
NOTE - at this time, Broadleaf does not have OOB support for consent flows, so only set to true if there is a valid available implementation of OAuth2AuthorizationConsentService that can persist/load/validate OAuth2AuthorizationConsent.
- See Also:
-
ClientSettings.isRequireAuthorizationConsent()
-
resetPasswordBaseUri
String resetPasswordBaseUri
The base URI for the reset password form. This is used when generating a reset password link so the user is directed to the right domain hosting the form. If blank, AuthorizedClient.defaultRedirectUri will be used.
This can be different from AuthorizedClient.defaultRedirectUri in cases where the frontend app is on a different domain than Auth and SSO is still being used, i.e., the reset password form is on https://www.my-auth-server.com and the frontend is https://www.my-store.com. In such a case, the defaultRedirectUri would be https://www.my-store.com but resetPasswordBaseUri would be https://www.my-auth-server.com.
-
resourceIds
Set<String> resourceIds
These are values contributed to the AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM set on access tokens issued for this client.
-
scopes
Set<String> scopes
The scopes for this client. Empty if the client isn't scoped. The scopes represent the "upper-bound" of what scopes a client is allowed to request. They will also be used as default scopes if no scopes are requested.
When this client is expected to be the final principal (ex: client credentials flow), these values represent all scopes that can be requested. Typically, the client credentials token request does not include any scopes, and all these scopes are granted.
For flows where a user is the final principal (ex: authorization code flow), these values represent the upper-bound of what can be granted. Token requests typically include a scope that must be declared in this field.
-
serverId
String serverId
The ID of the authorization server this authorized client is part of. -
tokenTimeoutSeconds
Integer tokenTimeoutSeconds
The period of time, in seconds, that an access token issued will be valid for. -
useRedirectUriToGenerateConsumeTokenUrl
boolean useRedirectUriToGenerateConsumeTokenUrl
Controls whether auth uses the ImpersonationRequest.getRedirect_uri() when building the consume-token redirect URL after a successful impersonation request. The consume token endpoint will add a session cookie identifying the user as a CSR so they do not need to log in on the storefront. The alternative is to build a relative URL to redirect to the same domain as the impersonation endpoint. This is true by default.
The reason to redirect to the consume-token endpoint using the ImpersonationRequest.getRedirect_uri() is to ensure the cookie is set on the same domain as the storefront in cases where the admin and storefront are on separate domains but both can access Auth on their own domains. That is possible when using the standard deployment configuration where all apps and services are deployed behind the Admin and Commerce Gateways.
Suppose that admin and storefront apps are on different domains: admin.mycompany.com and store.mycompany.com. In this case, if the impersonate endpoint added the cookie, it would be on admin.mycompany.com and therefore not accessible on store.mycompany.com. To work around this limitation, the system can redirect to store.mycompany.com/auth/consume-token and then add the session token so that it is on the same domain as the storefront.
However, if Auth is accessed through a different domain than the storefront app (e.g., auth.mycompany.com), then this redirect will not be useful. Such a case typically occurs when also using refresh-token-rotation.
-
-
-
Package com.broadleafcommerce.auth.server.provider.jpa.domain
-
Class com.broadleafcommerce.auth.server.provider.jpa.domain.JpaAuthorizationServer
class JpaAuthorizationServer extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
attributes
Map<String, Object> attributes -
crossOrigin
boolean crossOrigin
-
defaultRedirectUri
String defaultRedirectUri
-
defaultUserPermissions
Set<JpaUserPermission> defaultUserPermissions
-
defaultUserRoles
Set<JpaUserRole> defaultUserRoles
-
embeddedLoginEnabled
boolean embeddedLoginEnabled
-
failedLoginAttemptsAllowed
Integer failedLoginAttemptsAllowed
-
friendlyName
String friendlyName
-
id
String id
-
inactivityTimeoutSeconds
Integer inactivityTimeoutSeconds
-
lockedUserCanResetPassword
Boolean lockedUserCanResetPassword
-
lockoutDurationMinutes
Long lockoutDurationMinutes
-
loginFailDecayMinutes
Long loginFailDecayMinutes
-
name
String name
-
requireLoginTimeoutSeconds
Integer requireLoginTimeoutSeconds
-
resetPasswordUnlocksUser
Boolean resetPasswordUnlocksUser
-
ssoEnabled
boolean ssoEnabled
-
templatePath
String templatePath
-
tenantId
String tenantId
-
-
Class com.broadleafcommerce.auth.server.provider.jpa.domain.JpaAuthorizedClient
class JpaAuthorizedClient extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
applicationId
String applicationId
-
attributes
Map<String, Object> attributes -
authCodeTimeoutSeconds
Integer authCodeTimeoutSeconds
-
authoritativeResourceIds
boolean authoritativeResourceIds
-
clientAuthenticationMethods
Set<String> clientAuthenticationMethods
-
clientId
String clientId
-
clientIdIssuedAt
Instant clientIdIssuedAt
- See Also:
-
clientSecret
String clientSecret
-
clientSecretExpiresAt
Instant clientSecretExpiresAt
-
defaultRedirectUri
String defaultRedirectUri
-
friendlyName
String friendlyName
-
grantTypes
Set<String> grantTypes
-
id
String id
-
isAdmin
boolean isAdmin
-
permissions
Set<String> permissions
-
postAuthenticationSuccessRedirectUris
Set<String> postAuthenticationSuccessRedirectUris
-
postLogoutRedirectUris
Set<String> postLogoutRedirectUris
-
redirectUris
Set<String> redirectUris
-
refreshTokenTimeoutSeconds
Integer refreshTokenTimeoutSeconds
-
relaxRedirectUrisValidation
boolean relaxRedirectUrisValidation
-
requireAuthorizationConsent
boolean requireAuthorizationConsent
-
requireProofKey
Boolean requireProofKey
-
resetPasswordBaseUri
String resetPasswordBaseUri
-
resourceIds
Set<String> resourceIds
-
scopes
Set<String> scopes
-
serverId
String serverId
-
tokenTimeoutSeconds
int tokenTimeoutSeconds
-
useRedirectUriToGenerateConsumeTokenUrl
boolean useRedirectUriToGenerateConsumeTokenUrl
-
-
-
Package com.broadleafcommerce.auth.server.web.endpoint
-
Class com.broadleafcommerce.auth.server.web.endpoint.ClientDiscoveryEndpoint.ClientDiscoveryResponse
class ClientDiscoveryResponse extends Object implements Serializable- serialVersionUID:
- 1L
-
-
Package com.broadleafcommerce.auth.tenant.provider.jpa.domain
-
Class com.broadleafcommerce.auth.tenant.provider.jpa.domain.JpaApplication
class JpaApplication extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
customerContextId
String customerContextId
- See Also:
-
deactivated
boolean deactivated
- See Also:
-
id
String id
- See Also:
-
identifierType
String identifierType
- See Also:
-
identifierValue
String identifierValue
- See Also:
-
isMarketplace
boolean isMarketplace
- See Also:
-
lastUpdated
Instant lastUpdated
We don't use LastModifiedDate here because we want to enable manually setting this value (ex: for setting the lastUpdated to a value received in a persistence message). - See Also:
-
Application.lastUpdated
-
tenantId
String tenantId
-
-
-
Package com.broadleafcommerce.auth.user.api.dto
-
Class com.broadleafcommerce.auth.user.api.dto.ChangePasswordForm
class ChangePasswordForm extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.api.dto.ResetPasswordForm
class ResetPasswordForm extends Object implements Serializable- serialVersionUID:
- 1L
-
-
Package com.broadleafcommerce.auth.user.autoconfigure.support.keys
-
Class com.broadleafcommerce.auth.user.autoconfigure.support.keys.DynamicPropertyPrivateKey
class DynamicPropertyPrivateKey extends AbstractDynamicPropertyKey<RSAPrivateKey> implements Serializable-
Serialized Fields
-
authorizationServerProperties
AuthorizationServerProperties authorizationServerProperties
-
-
-
Class com.broadleafcommerce.auth.user.autoconfigure.support.keys.DynamicPropertyPublicKey
class DynamicPropertyPublicKey extends AbstractDynamicPropertyKey<RSAPublicKey> implements Serializable-
Serialized Fields
-
authorizationServerProperties
AuthorizationServerProperties authorizationServerProperties
-
-
-
-
Package com.broadleafcommerce.auth.user.domain
-
Class com.broadleafcommerce.auth.user.domain.AuthenticationEvent
class AuthenticationEvent extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
attributes
Map<String, Object> attributes Any additional attributes that a service receiving the request may need. -
contextInfo
com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo
The ContextInfo derived from the original request containing tenant and sandbox info. -
messageType
String messageType
The message type for this event. - See Also:
-
user
User user
The user that made the request.
-
-
Class com.broadleafcommerce.auth.user.domain.DefaultOAuth2UserDetails
class DefaultOAuth2UserDetails extends org.springframework.security.core.userdetails.User implements Serializable- serialVersionUID:
- 1L
-
-
Package com.broadleafcommerce.auth.user.endpoint
-
Class com.broadleafcommerce.auth.user.endpoint.ImpersonationRequest
class ImpersonationRequest extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
client_id
String client_id
Id of the AuthorizedClient initiating this request. -
impersonate_self
Boolean impersonate_self
Indicates that the CSR is not impersonating a customer but is operating as themselves. This is typically used for things like quote management. -
impersonated_client_id
String impersonated_client_id
The id of the AuthorizedClient that the user-to-be-impersonated belongs to. -
impersonated_sub
String impersonated_sub
The username of the user to impersonate, if any. -
redirect_uri
String redirect_uri
URI to redirect to upon a successful request.
-
-
-
Package com.broadleafcommerce.auth.user.exception
-
Exception com.broadleafcommerce.auth.user.exception.UserNotActiveException
class UserNotActiveException extends RuntimeException implements Serializable
-
-
Package com.broadleafcommerce.auth.user.listener.domain
-
Class com.broadleafcommerce.auth.user.listener.domain.AdminPermission
class AdminPermission extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.listener.domain.AdminPermissionRef
class AdminPermissionRef extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.listener.domain.AdminRestrictedPermission
class AdminRestrictedPermission extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.listener.domain.AdminRestrictedRole
class AdminRestrictedRole extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.listener.domain.AdminRestriction
class AdminRestriction extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.listener.domain.AdminRole
class AdminRole extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.listener.domain.AdminRoleRef
class AdminRoleRef extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.listener.domain.AdminUser
class AdminUser extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
active
boolean active
-
applicationAccess
boolean applicationAccess
-
applicationIds
Set<String> applicationIds
-
businessDomainType
String businessDomainType
-
changePasswordRequired
boolean changePasswordRequired
-
email
String email
-
expired
boolean expired
-
id
String id
-
locked
boolean locked
-
name
String name
-
permissionIds
Set<String> permissionIds
-
permissions
Set<AdminPermissionRef> permissions
Deprecated. -
restrictedPermissions
Set<AdminRestrictedPermission> restrictedPermissions
The permissions that this user is directly assigned that are restricted to only apply when accessing certain segments of data. -
restrictedRoles
Set<AdminRestrictedRole> restrictedRoles
The roles that this user is directly assigned that are restricted to only apply when accessing certain segments of data. -
restrictions
Set<AdminRestriction> restrictions
The data restrictions that control the data this user is permitted to access. -
roleIds
Set<String> roleIds
-
roles
Set<AdminRoleRef> roles
Deprecated. -
tenantAccess
boolean tenantAccess
-
tenantId
String tenantId
-
username
String username
-
-
-
Package com.broadleafcommerce.auth.user.messaging
-
Class com.broadleafcommerce.auth.user.messaging.CartApprovalRequestEvent
class CartApprovalRequestEvent extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
accountId
String accountId
ID of the account the submitter belongs to. -
approvers
List<CartApprovalRequestEvent.ApproverRef> approvers
-
attributes
Map<String, Object> attributes Map holding any additional attributes passed in the request that do not match any defined properties. -
contextInfo
com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo
The ContextInfo containing tenant and sandbox info.
-
-
Class com.broadleafcommerce.auth.user.messaging.CartApprovalRequestEvent.ApproverRef
class ApproverRef extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.messaging.UserCreationEvent
class UserCreationEvent extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
attributes
Map<String, Object> attributes Additional custom information that was provided as part of the user registration process. Client implementations may choose to populate and use this field for custom behavior.
- See Also:
-
UserRegistration.attributes
-
preview
boolean preview
Indicates whether the user was created from a preview context. -
user
User user
-
-
-
Package com.broadleafcommerce.auth.user.provider.jpa.domain
-
Class com.broadleafcommerce.auth.user.provider.jpa.domain.JpaCustomerAccount
class JpaCustomerAccount extends Object implements Serializable -
Class com.broadleafcommerce.auth.user.provider.jpa.domain.JpaPasswordToken
class JpaPasswordToken extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.provider.jpa.domain.JpaUser
class JpaUser extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
accountRoles
List<JpaAccountRoleXref> accountRoles
- See Also:
-
active
boolean active
- See Also:
-
applicationAccess
boolean applicationAccess
- See Also:
-
applicationIds
Set<String> applicationIds
- See Also:
-
archived
boolean archived
- See Also:
-
attributes
Map<String, Object> attributes - See Also:
-
changePasswordRequired
boolean changePasswordRequired
- See Also:
-
customerContextId
String customerContextId
- See Also:
-
defaultAccountId
String defaultAccountId
-
email
String email
- See Also:
-
expired
boolean expired
- See Also:
-
externalId
String externalId
- See Also:
-
firstName
String firstName
- See Also:
-
fullName
String fullName
- See Also:
-
id
String id
-
impersonationAllowed
boolean impersonationAllowed
- See Also:
-
lastName
String lastName
- See Also:
-
lastUpdated
Instant lastUpdated
We don't use LastModifiedDate here because we want to enable manually setting this value (ex: for setting the lastUpdated to a value received in a persistence message). - See Also:
-
locked
boolean locked
- See Also:
-
lockedTime
Instant lockedTime
- See Also:
-
middleName
String middleName
- See Also:
-
password
String password
- See Also:
-
passwordHistory
List<JpaUserHistoricalPassword> passwordHistory
- See Also:
-
passwordLastUpdated
Instant passwordLastUpdated
- See Also:
-
permissions
Set<JpaUserPermission> permissions
- See Also:
-
restrictedPermissions
Set<JpaUserRestrictedPermission> restrictedPermissions
- See Also:
-
restrictedRoles
Set<JpaUserRestrictedRole> restrictedRoles
- See Also:
-
restrictions
Set<JpaUserRestriction> restrictions
- See Also:
-
roles
Set<JpaUserRole> roles
- See Also:
-
serverId
String serverId
- See Also:
-
serviceId
String serviceId
- See Also:
-
tenantAccess
boolean tenantAccess
- See Also:
-
tenantId
String tenantId
- See Also:
-
type
String type
- See Also:
-
username
String username
- See Also:
-
-
Class com.broadleafcommerce.auth.user.provider.jpa.domain.JpaUserHistoricalPassword
class JpaUserHistoricalPassword extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
dateCreated
Instant dateCreated
The date when the password was created.
-
-
Class com.broadleafcommerce.auth.user.provider.jpa.domain.JpaUserLoginAttempt
class JpaUserLoginAttempt extends Object implements Serializable
-
-
Package com.broadleafcommerce.auth.user.service.password
-
Exception com.broadleafcommerce.auth.user.service.password.AccountLockedException
class AccountLockedException extends Exception implements Serializable -
Exception com.broadleafcommerce.auth.user.service.password.ResetPasswordException
class ResetPasswordException extends RuntimeException implements Serializable
-
-
Package com.broadleafcommerce.auth.user.session
-
Class com.broadleafcommerce.auth.user.session.BasicSavedRequest
class BasicSavedRequest extends Object implements Serializable-
Serialized Fields
-
redirectUrl
String redirectUrl
-
-
-
Class com.broadleafcommerce.auth.user.session.DefaultOAuth2SessionToken
class DefaultOAuth2SessionToken extends Object implements Serializable- serialVersionUID:
- 1L
-
Class com.broadleafcommerce.auth.user.session.FormLoginAuthenticationToken
class FormLoginAuthenticationToken extends org.springframework.security.authentication.UsernamePasswordAuthenticationToken implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
clientId
String clientId
-
-
Class com.broadleafcommerce.auth.user.session.OAuth2SessionAuthenticationToken
class OAuth2SessionAuthenticationToken extends org.springframework.security.authentication.AbstractAuthenticationToken implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
clientId
String clientId
The OAuth2 client ID. -
principal
Object principal
The OAuth2 principal. -
token
OAuth2SessionToken token
The JWT token from the BLSID-[client_id] session cookie.
-
-
-
Package com.broadleafcommerce.auth.user.web.endpoint
-
Class com.broadleafcommerce.auth.user.web.endpoint.EmbeddedAuthenticationController.PasswordResetEmailRequest
class PasswordResetEmailRequest extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
username
String username
Username of the user trying to reset their password.
-
-
-
Package com.broadleafcommerce.auth.user.web.endpoint.exception
-
Exception com.broadleafcommerce.auth.user.web.endpoint.exception.ClientValidationException
class ClientValidationException extends RuntimeException implements Serializable
-
-
Package com.broadleafcommerce.auth.user.web.endpoint.model
-
Class com.broadleafcommerce.auth.user.web.endpoint.model.OAuth2IdentityProvider
class OAuth2IdentityProvider extends Object implements Serializable- serialVersionUID:
- 1L
-
Serialized Fields
-
icon
String icon
The path to a static resource that represents an icon to display on the action component for this IDP. -
id
String id
The registration ID of the IDP. -
name
String name
The name of the IDP. This will be displayed to the user. -
url
String url
The action URL to take the user to the authentication page for this IDP.
-
-