public class AuthorizationCodeAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter

An AbstractAuthenticationProcessingFilter that handles the processing of an OAuth 2.0 Authorization Response for the authorization code grant flow.

This Filter processes the Authorization Response in the following step sequence:

1. The authorization server appends the OAuth2Parameter.CODE and OAuth2Parameter.STATE (if provided in the Authorization Request) parameters to the OAuth2Parameter.REDIRECT_URI (provided in the Authorization Request) and redirects the end-user's user-agent back to this Filter (the client).
2. This Filter will then create an AuthorizationCodeAuthenticationToken with the OAuth2Parameter.CODE received in the previous step and pass it to AuthorizationCodeAuthenticationProvider.authenticate(Authentication) (indirectly via AuthenticationManager).
3. The AuthorizationCodeAuthenticationProvider will use an AuthorizationGrantTokenExchanger to make a request to the authorization server's Token Endpoint for exchanging the OAuth2Parameter.CODE for an AccessToken.
4. The authorization server validates the OAuth2Parameter.CODE and ensures that the OAuth2Parameter.REDIRECT_URI received matches the URI originally provided in the Authorization Request. If the request is valid, the authorization server will respond back with a TokenResponseAttributes.
5. The AuthorizationCodeAuthenticationProvider will then create a new OAuth2AuthenticationToken associating the AccessToken from the TokenResponseAttributes and pass it to OAuth2UserService.loadUser(OAuth2AuthenticationToken). The OAuth2UserService will make a request to the authorization server's UserInfo Endpoint (using the AccessToken) to obtain the end-user's (resource owner) attributes and return them in the form of an OAuth2User.
6. The AuthorizationCodeAuthenticationProvider will create another new OAuth2AuthenticationToken, but this time associating the AccessToken and the OAuth2User returned from the OAuth2UserService.
7. Finally, the OAuth2AuthenticationToken is returned to the AuthenticationManager and then back to this Filter, at which point the session is considered "authenticated".

NOTE: Steps 4-5 are not part of the authorization code grant flow and instead are "authentication flow" steps that are required in order to authenticate the end-user with the system.
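As an added illustration (not code from Spring Security or from this page), the following stand-alone Java models the client-side checks a compliant client performs between steps 1 and 2 before it hands the code on for exchange: the response's state is compared in constant time against the Authorization Request saved for the user's session (the role AuthorizationRequestRepository plays here), the saved request is consumed so a replayed response cannot match a second time, and the code is accepted only if it arrived on the redirect_uri that request registered. The class, record, session ids, URIs and parameter values are all constructed; Java 17 is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Constructed model of a client's Authorization Response checks (not Spring Security code). */
public final class AuthorizationResponseCheck {
    /** What the client stored when it issued the Authorization Request (hypothetical record). */
    public record SavedRequest(String state, String redirectUri) {}
    /** Stand-in for an AuthorizationRequestRepository, keyed by the user's session id. */
    private final Map<String, SavedRequest> pending = new ConcurrentHashMap<>();

    public void save(String sessionId, SavedRequest request) {
        pending.put(sessionId, request);
    }

    /** Returns the code only when the response matches this session's pending request
     *  (state present and equal, delivered on the registered redirect_uri). The pending
     *  request is consumed, so a second delivery of the same response is rejected. */
    public Optional<String> accept(String sessionId, String requestUri, Map<String, String> params) {
        String code = params.get("code");
        String state = params.get("state");
        if (code == null || state == null) {
            return Optional.empty();            // not an Authorization Response; nothing to exchange
        }
        SavedRequest saved = pending.remove(sessionId);
        if (saved == null || !constantTimeEquals(saved.state(), state)) {
            return Optional.empty();            // unknown session or state mismatch (possible CSRF)
        }
        if (!saved.redirectUri().equals(requestUri)) {
            return Optional.empty();            // response arrived on a URI other than the one requested
        }
        return Optional.of(code);               // safe to hand to the Token Endpoint exchange (step 3)
    }

    /** Comparison that does not leak how many leading characters of the state matched. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        AuthorizationResponseCheck check = new AuthorizationResponseCheck();
        String redirectUri = "https://client.example/login/oauth2/callback";   // constructed
        check.save("session-A", new SavedRequest("state-9f2c", redirectUri));
        Map<String, String> response = Map.of("code", "code-constructed-01", "state", "state-9f2c");
        System.out.println(check.accept("session-A", redirectUri, response));  // first delivery: accepted
        System.out.println(check.accept("session-A", redirectUri, response));  // replay: pending request already consumed
        System.out.println(check.accept("session-B", redirectUri, response));  // no request saved for this session
    }
}
```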
See Also:
AbstractAuthenticationProcessingFilter, AuthorizationCodeAuthenticationToken, AuthorizationCodeAuthenticationProvider, AuthorizationGrantTokenExchanger, AuthorizationCodeAuthorizationResponseAttributes, AuthorizationRequestAttributes, AuthorizationRequestRepository, AuthorizationCodeRequestRedirectFilter, ClientRegistration, ClientRegistrationRepository, Section 4.1 Authorization Code Grant Flow, Section 4.1.2 Authorization Response

Field Summary

Modifier and Type | Field and Description |
---|---|
static java.lang.String | CLIENT_ALIAS_URI_VARIABLE_NAME |
static java.lang.String | DEFAULT_AUTHORIZATION_RESPONSE_BASE_URI |
static java.lang.String | DEFAULT_AUTHORIZATION_RESPONSE_URI |

Fields inherited from class AbstractAuthenticationProcessingFilter:
authenticationDetailsSource, eventPublisher, messages

Constructor Summary

Constructor and Description |
---|
AuthorizationCodeAuthenticationProcessingFilter() |

Method Summary

Modifier and Type | Method and Description |
---|---|
Authentication | attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Performs actual authentication. |
protected AuthorizationRequestRepository | getAuthorizationRequestRepository() |
RequestMatcher | getAuthorizationResponseMatcher() |
protected ClientRegistrationRepository | getClientRegistrationRepository() |
void | setAuthorizationRequestRepository(AuthorizationRequestRepository authorizationRequestRepository) |
<T extends RequestMatcher & RequestVariablesExtractor> void | setAuthorizationResponseMatcher(T authorizationResponseMatcher) |
void | setClientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) |

Methods inherited from class AbstractAuthenticationProcessingFilter:
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, requiresAuthentication, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthentication
Field Detail

public static final java.lang.String DEFAULT_AUTHORIZATION_RESPONSE_BASE_URI

public static final java.lang.String CLIENT_ALIAS_URI_VARIABLE_NAME

public static final java.lang.String DEFAULT_AUTHORIZATION_RESPONSE_URI

Constructor Detail

public AuthorizationCodeAuthenticationProcessingFilter()

Method Detail

public Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException, java.io.IOException, javax.servlet.ServletException

Description copied from class: AbstractAuthenticationProcessingFilter
Performs actual authentication. The implementation should do one of the following:

Specified by:
attemptAuthentication in class AbstractAuthenticationProcessingFilter

Parameters:
request - from which to extract parameters and perform the authentication
response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).

Throws:
AuthenticationException - if authentication fails.
java.io.IOException
javax.servlet.ServletException

public RequestMatcher getAuthorizationResponseMatcher()

public final <T extends RequestMatcher & RequestVariablesExtractor> void setAuthorizationResponseMatcher(T authorizationResponseMatcher)

protected ClientRegistrationRepository getClientRegistrationRepository()

public final void setClientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository)

protected AuthorizationRequestRepository getAuthorizationRequestRepository()

public final void setAuthorizationRequestRepository(AuthorizationRequestRepository authorizationRequestRepository)