Package com.broadleafcommerce.auth.authorization

Class TokenProperties

java.lang.Object
com.broadleafcommerce.auth.authorization.TokenProperties
@ConfigurationProperties(prefix="broadleaf.auth.token") public class TokenProperties extends Object
Configuration properties for refresh token rotation and authorization persistence cleanup handling.

  • Field Details

    • AUTH_CODE_TIMEOUT_SECONDS_DEFAULT

      public static final int AUTH_CODE_TIMEOUT_SECONDS_DEFAULT
      See Also:

    • REFRESH_TOKEN_TIMEOUT_SECONDS_DEFAULT

      public static final int REFRESH_TOKEN_TIMEOUT_SECONDS_DEFAULT
      See Also:

    • REFRESH_TOKEN_ROTATION_INTERVAL_SECONDS_DEFAULT

      public static final int REFRESH_TOKEN_ROTATION_INTERVAL_SECONDS_DEFAULT
      See Also:

    • TOKEN_TIMEOUT_SECONDS_DEFAULT

      public static final int TOKEN_TIMEOUT_SECONDS_DEFAULT
      See Also:

    • AUTHORIZATION_CLEANUP_INTERVAL_SECONDS_MAX_DEFAULT

      public static final int AUTHORIZATION_CLEANUP_INTERVAL_SECONDS_MAX_DEFAULT
      See Also:

    • AUTHORIZATION_CLEANUP_BATCH_SIZE_DEFAULT

      public static final int AUTHORIZATION_CLEANUP_BATCH_SIZE_DEFAULT
      See Also:

    • AUTHORIZATION_CLEANUP_INTERVAL_SECONDS_MIN_DEFAULT

      public static final int AUTHORIZATION_CLEANUP_INTERVAL_SECONDS_MIN_DEFAULT
      See Also:

  • Constructor Details

    • TokenProperties

      public TokenProperties()

  • Method Details

    • getRefreshTokenRotationInterval

      public Duration getRefreshTokenRotationInterval()

      Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated. This allows for a small window where inadvertent issues (like poor mobile network quality) can be overcome with a refresh retry without failing. Once the interval is exceeded after an initial rotation, any attempt to refresh for a new auth token will fail. This value should be kept as small as possible to avoid opening a larger window for replay attack.

      The default interval is 60 seconds.

    • isSupportRefreshTokenRotation

      public boolean isSupportRefreshTokenRotation()

      Whether refresh token rotation is supported. If true, a refresh token is included with the access token when an access token is requested (note, the AuthorizedClient#getGrantTypes() must also include "refresh_token" for a refresh token to actually be emitted with the access token as a pair). When the access token expires, the refresh token may be used to request a new access token. The new access token will include a new refresh token (i.e. refresh token rotation) that may be used in the future. The rotated access token should not be used again and will quickly become invalid after TokenProperties#getRefreshTokenRotationInterval().

      The default value is false.

    • isSupportRefreshTokenCleanup

      @Deprecated public boolean isSupportRefreshTokenCleanup()
      Deprecated.
      This property is no longer used. AuthenticationServices is configured to clean up Authorizations by default. The cleanup interval is determined by maxTokenCleanupInterval and minTokenCleanupInterval.

      Whether the system should clean up expired authorizations from the system. This is highly recommended.

      The default value is true.

    • getNamespace

      public String getNamespace()
      Namespace to use when getting the view for the camel cluster. Default is "lock".

    • getMaxTokenCleanupInterval

      public Duration getMaxTokenCleanupInterval()
      The max amount of pause time between batch expired authorization cleanup attempts. Default is 10 seconds.

    • getMinTokenCleanupInterval

      public Duration getMinTokenCleanupInterval()
      The min amount of pause time between batch expired authorization cleanup attempts. Default is 3 seconds. This value always wins, and you can set this value equal to or greater than maxTokenCleanupInterval to achieve a constant, non-randomized value.

    • getCleanupBatchSize

      public int getCleanupBatchSize()
      The quantity of expired authorizations to delete at one time. Should be somewhat conservative to avoid overworking the database or causing the transaction log to spiral out of control. Default is 20000.

    • isExplodePermissions

      public boolean isExplodePermissions()
      If set to true, ALL_* permissions will be exploded into their CRUD equivalents in access tokens. For example, ALL_PRODUCT will be exploded into CREATE_PRODUCT, READ_PRODUCT, UPDATE_PRODUCT, and DELETE_PRODUCT. Default value is false.

    • setRefreshTokenRotationInterval

      public void setRefreshTokenRotationInterval(Duration refreshTokenRotationInterval)

      Amount of time that a rotated refresh token is still valid for refresh attempts after it is initially rotated. This allows for a small window where inadvertent issues (like poor mobile network quality) can be overcome with a refresh retry without failing. Once the interval is exceeded after an initial rotation, any attempt to refresh for a new auth token will fail. This value should be kept as small as possible to avoid opening a larger window for replay attack.

      The default interval is 60 seconds.

    • setSupportRefreshTokenRotation

      public void setSupportRefreshTokenRotation(boolean supportRefreshTokenRotation)

      Whether refresh token rotation is supported. If true, a refresh token is included with the access token when an access token is requested (note, the AuthorizedClient#getGrantTypes() must also include "refresh_token" for a refresh token to actually be emitted with the access token as a pair). When the access token expires, the refresh token may be used to request a new access token. The new access token will include a new refresh token (i.e. refresh token rotation) that may be used in the future. The rotated access token should not be used again and will quickly become invalid after TokenProperties#getRefreshTokenRotationInterval().

      The default value is false.

    • setSupportRefreshTokenCleanup

      @Deprecated public void setSupportRefreshTokenCleanup(boolean supportRefreshTokenCleanup)
      Deprecated.
      This property is no longer used. AuthenticationServices is configured to clean up Authorizations by default. The cleanup interval is determined by maxTokenCleanupInterval and minTokenCleanupInterval.

      Whether the system should clean up expired authorizations from the system. This is highly recommended.

      The default value is true.

    • setNamespace

      public void setNamespace(String namespace)
      Namespace to use when getting the view for the camel cluster. Default is "lock".

    • setMaxTokenCleanupInterval

      public void setMaxTokenCleanupInterval(Duration maxTokenCleanupInterval)
      The max amount of pause time between batch expired authorization cleanup attempts. Default is 10 seconds.

    • setMinTokenCleanupInterval

      public void setMinTokenCleanupInterval(Duration minTokenCleanupInterval)
      The min amount of pause time between batch expired authorization cleanup attempts. Default is 3 seconds. This value always wins, and you can set this value equal to or greater than maxTokenCleanupInterval to achieve a constant, non-randomized value.

    • setCleanupBatchSize

      public void setCleanupBatchSize(int cleanupBatchSize)
      The quantity of expired authorizations to delete at one time. Should be somewhat conservative to avoid overworking the database or causing the transaction log to spiral out of control. Default is 20000.

    • setExplodePermissions

      public void setExplodePermissions(boolean explodePermissions)
      If set to true, ALL_* permissions will be exploded into their CRUD equivalents in access tokens. For example, ALL_PRODUCT will be exploded into CREATE_PRODUCT, READ_PRODUCT, UPDATE_PRODUCT, and DELETE_PRODUCT. Default value is false.

    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object

    • canEqual

      protected boolean canEqual(Object other)

    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object

    • toString

      public String toString()
      Overrides:
      toString in class Object