Class OpaqueTokenAuthenticationProvider

java.lang.Object
org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider
All Implemented Interfaces:
AuthenticationProvider

public final class OpaqueTokenAuthenticationProvider extends Object implements AuthenticationProvider
An AuthenticationProvider implementation for opaque Bearer Tokens, using an OAuth 2.0 Introspection Endpoint to check the token's validity and reveal its attributes.

This AuthenticationProvider is responsible for introspecting and verifying an opaque access token, returning its attributes set as part of the Authentication statement.

Scopes are translated into GrantedAuthoritys according to the following algorithm:

  1. If there is a "scope" attribute, then convert to a Collection of Strings.
  2. Take the resulting Collection and prepend the "SCOPE_" keyword to each element, adding as GrantedAuthoritys.

An OpaqueTokenIntrospector is responsible for retrieving token attributes from an authorization server.

An OpaqueTokenAuthenticationConverter is responsible for turning a successful introspection result into an Authentication instance (which may include mapping GrantedAuthoritys from token attributes or retrieving from another source).

Since:
5.2
  • Constructor Details

    • OpaqueTokenAuthenticationProvider

      public OpaqueTokenAuthenticationProvider(OpaqueTokenIntrospector introspector)
      Creates an OpaqueTokenAuthenticationProvider with the provided parameters.
      Parameters:
      introspector - The OpaqueTokenIntrospector to use
  • Method Details

    • authenticate

      public @Nullable Authentication authenticate(Authentication authentication) throws AuthenticationException
      Introspects and validates the opaque Bearer Token, then delegates Authentication instantiation to the OpaqueTokenAuthenticationConverter.

      If the created Authentication is an instance of AbstractAuthenticationToken and its details are null, then the introspection result details are used.

      Specified by:
      authenticate in interface AuthenticationProvider
      Parameters:
      authentication - the authentication request object.
      Returns:
      A successful authentication
      Throws:
      AuthenticationException - if authentication failed for some reason
    • supports

      public boolean supports(Class<?> authentication)
      Description copied from interface: AuthenticationProvider
      Returns true if this AuthenticationProvider supports the indicated Authentication object.

      Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented Authentication object. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

      Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime by the ProviderManager.

      Specified by:
      supports in interface AuthenticationProvider
      Parameters:
      authentication -
      Returns:
      true if the implementation can more closely evaluate the Authentication class presented
    • setAuthenticationConverter

      public void setAuthenticationConverter(OpaqueTokenAuthenticationConverter authenticationConverter)
      Provide a custom bean to turn a successful introspection result into an Authentication instance of your choice. By default, a BearerTokenAuthentication is built.
      Parameters:
      authenticationConverter - the converter to use
      Since:
      5.8
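
An added example, not taken from the Spring Security documentation or code base, that combines the scope-to-authority algorithm from the class description with setAuthenticationConverter. The stub introspector, the ALLOWED allow-list, the scope names, and the token value are constructed assumptions; a real deployment would use an OpaqueTokenIntrospector that calls the authorization server's introspection endpoint.

```java
import java.time.Instant;
import java.util.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.server.resource.authentication.*;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

public class OpaqueTokenProviderExample {
    // Hypothetical allow-list: the only authorities this resource server accepts from a token.
    static final Set<String> ALLOWED = Set.of("SCOPE_orders.read", "SCOPE_orders.write");

    // Constructed stand-in for a real introspection call; applies the two-step scope algorithm.
    static final OpaqueTokenIntrospector STUB = token -> {
        Instant now = Instant.now();
        Map<String, Object> attrs = Map.of("sub", "alice", "active", true,
                "scope", "orders.read admin", "iat", now, "exp", now.plusSeconds(300));
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String scope : ((String) attrs.get("scope")).split(" ")) {    // step 1: scope -> Strings
            authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope)); // step 2: prepend SCOPE_
        }
        return new DefaultOAuth2AuthenticatedPrincipal(attrs, authorities);
    };

    static OpaqueTokenAuthenticationProvider provider() {
        OpaqueTokenAuthenticationProvider provider = new OpaqueTokenAuthenticationProvider(STUB);
        // Custom converter: keep only allow-listed authorities rather than every scope returned.
        provider.setAuthenticationConverter((token, principal) -> {
            List<GrantedAuthority> kept = new ArrayList<>();
            for (GrantedAuthority authority : principal.getAuthorities()) {
                if (ALLOWED.contains(authority.getAuthority())) kept.add(authority);
            }
            OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                    token, principal.getAttribute("iat"), principal.getAttribute("exp"));
            return new BearerTokenAuthentication(principal, accessToken, kept);
        });
        return provider;
    }

    public static void main(String[] args) {
        Authentication result = provider()
                .authenticate(new BearerTokenAuthenticationToken("constructed-token"));
        System.out.println(result.getName() + " -> " + result.getAuthorities());
    }
}
```

With these constructed values the "admin" scope is still visible in the principal's attributes, but it never becomes a GrantedAuthority because the converter drops anything outside the allow-list.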