Class OpaqueTokenAuthenticationProvider
- All Implemented Interfaces:
AuthenticationProvider
AuthenticationProvider
implementation for opaque
Bearer
Tokens, using an
OAuth 2.0 Introspection
Endpoint to check the token's validity and reveal its attributes.
This AuthenticationProvider
is responsible for introspecting and verifying an
opaque access token, returning its attributes set as part of the Authentication
statement.
Scopes are translated into GrantedAuthority
s according to the following
algorithm:
- If there is a "scope" attribute, then convert to a
Collection
ofString
s. - Take the resulting
Collection
and prepend the "SCOPE_" keyword to each element, adding asGrantedAuthority
s.
An OpaqueTokenIntrospector
is responsible for retrieving token attributes from
an authorization server.
An OpaqueTokenAuthenticationConverter
is responsible for turning a successful
introspection result into an Authentication
instance (which may include mapping
GrantedAuthority
s from token attributes or retrieving from another source).
- Since:
- 5.2
- See Also:
-
Constructor Summary
ConstructorDescriptionOpaqueTokenAuthenticationProvider
(OpaqueTokenIntrospector introspector) Creates aOpaqueTokenAuthenticationProvider
with the provided parameters -
Method Summary
Modifier and TypeMethodDescriptionauthenticate
(Authentication authentication) Introspect and validate the opaque Bearer Token and then delegatesAuthentication
instantiation toOpaqueTokenAuthenticationConverter
.void
setAuthenticationConverter
(OpaqueTokenAuthenticationConverter authenticationConverter) Provide with a custom bean to turn successful introspection result into anAuthentication
instance of your choice.boolean
Returnstrue
if thisAuthenticationProvider
supports the indicatedAuthentication
object.
-
Constructor Details
-
OpaqueTokenAuthenticationProvider
Creates aOpaqueTokenAuthenticationProvider
with the provided parameters- Parameters:
introspector
- TheOpaqueTokenIntrospector
to use
-
-
Method Details
-
authenticate
Introspect and validate the opaque Bearer Token and then delegatesAuthentication
instantiation toOpaqueTokenAuthenticationConverter
.If created Authentication is instance of
AbstractAuthenticationToken
and details are null, then introspection result details are used.- Specified by:
authenticate
in interfaceAuthenticationProvider
- Parameters:
authentication
- the authentication request object.- Returns:
- A successful authentication
- Throws:
AuthenticationException
- if authentication failed for some reason
-
supports
Description copied from interface:AuthenticationProvider
Returnstrue
if thisAuthenticationProvider
supports the indicatedAuthentication
object.Returning
true
does not guarantee anAuthenticationProvider
will be able to authenticate the presentedAuthentication
object. It simply indicates it can support closer evaluation of it. AnAuthenticationProvider
can still returnnull
from theAuthenticationProvider.authenticate(Authentication)
method to indicate anotherAuthenticationProvider
should be tried.Selection of an
AuthenticationProvider
capable of performing authentication is conducted at runtime theProviderManager
.- Specified by:
supports
in interfaceAuthenticationProvider
- Returns:
true
if the implementation can more closely evaluate theAuthentication
class presented
-
setAuthenticationConverter
Provide with a custom bean to turn successful introspection result into anAuthentication
instance of your choice. By default,BearerTokenAuthentication
will be built.- Parameters:
authenticationConverter
- the converter to use- Since:
- 5.8
-