public class AuthorizationCodeAuthenticationProvider extends java.lang.Object implements AuthenticationProvider
AuthenticationProvider
that is responsible for authenticating
an authorization code credential with the authorization server's Token Endpoint
and if valid, exchanging it for an access token credential and optionally an
id token credential (for OpenID Connect Authorization Code Flow).
Additionally, it will also obtain the end-user's (resource owner) attributes from the UserInfo Endpoint
(using the access token) and create a Principal
in the form of an OAuth2User
associating it with the returned OAuth2AuthenticationToken
.
The AuthorizationCodeAuthenticationProvider
uses an AuthorizationGrantTokenExchanger
to make a request to the authorization server's Token Endpoint
to verify the AuthorizationCodeAuthenticationToken.getAuthorizationCode()
.
If the request is valid, the authorization server will respond back with a TokenResponseAttributes
.
It will then create an OAuth2AuthenticationToken
associating the AccessToken
and optionally
the IdToken
from the TokenResponseAttributes
and pass it to
OAuth2UserService.loadUser(OAuth2AuthenticationToken)
to obtain the end-user's (resource owner) attributes
in the form of an OAuth2User
.
Finally, it will create another OAuth2AuthenticationToken
, this time associating
the AccessToken
, IdToken
and OAuth2User
and return it to the AuthenticationManager
,
at which point the OAuth2AuthenticationToken
is considered "authenticated".
AuthorizationCodeAuthenticationToken
,
AuthorizationGrantTokenExchanger
,
TokenResponseAttributes
,
AccessToken
,
IdToken
,
OAuth2UserService
,
OAuth2User
,
Section 4.1 Authorization Code Grant Flow,
Section 3.1 OpenID Connect Authorization Code Flow,
Section 4.1.3 Access Token Request,
Section 4.1.4 Access Token Response,
Section 3.1.3.3 OpenID Connect Token ResponseConstructor and Description |
---|
AuthorizationCodeAuthenticationProvider(AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger,
ProviderJwtDecoderRegistry providerJwtDecoderRegistry,
OAuth2UserService userInfoService) |
Modifier and Type | Method and Description |
---|---|
Authentication |
authenticate(Authentication authentication)
Performs authentication with the same contract as
AuthenticationManager.authenticate(Authentication)
. |
void |
setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) |
boolean |
supports(java.lang.Class<?> authentication)
Returns
true if this AuthenticationProvider supports the
indicated Authentication object. |
public AuthorizationCodeAuthenticationProvider(AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger, ProviderJwtDecoderRegistry providerJwtDecoderRegistry, OAuth2UserService userInfoService)
public Authentication authenticate(Authentication authentication) throws AuthenticationException
AuthenticationProvider
AuthenticationManager.authenticate(Authentication)
.authenticate
in interface AuthenticationProvider
authentication
- the authentication request object.null
if the AuthenticationProvider
is unable to support
authentication of the passed Authentication
object. In such a case,
the next AuthenticationProvider
that supports the presented
Authentication
class will be tried.AuthenticationException
- if authentication fails.public final void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)
public boolean supports(java.lang.Class<?> authentication)
AuthenticationProvider
true
if this AuthenticationProvider
supports the
indicated Authentication
object.
Returning true
does not guarantee an
AuthenticationProvider
will be able to authenticate the presented
instance of the Authentication
class. It simply indicates it can
support closer evaluation of it. An AuthenticationProvider
can still
return null
from the AuthenticationProvider.authenticate(Authentication)
method to
indicate another AuthenticationProvider
should be tried.
Selection of an AuthenticationProvider
capable of performing
authentication is conducted at runtime the ProviderManager
.
supports
in interface AuthenticationProvider
true
if the implementation can more closely evaluate the
Authentication
class presented