Class OpaqueTokenAuthenticationProvider
- java.lang.Object
  - org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider
- All Implemented Interfaces: AuthenticationProvider
public final class OpaqueTokenAuthenticationProvider extends java.lang.Object implements AuthenticationProvider
An AuthenticationProvider implementation for opaque Bearer Tokens, using an OAuth 2.0 Introspection Endpoint to check the token's validity and reveal its attributes.

This AuthenticationProvider is responsible for introspecting and verifying an opaque access token, returning its attributes set as part of the Authentication statement.

Scopes are translated into GrantedAuthoritys according to the following algorithm:
- If there is a "scope" attribute, then convert to a Collection of Strings.
- Take the resulting Collection and prepend the "SCOPE_" keyword to each element, adding as GrantedAuthoritys.

An OpaqueTokenIntrospector is responsible for retrieving token attributes from an authorization server.

An OpaqueTokenAuthenticationConverter is responsible for turning a successful introspection result into an Authentication instance (which may include mapping GrantedAuthoritys from token attributes or retrieving from another source).

- Since: 5.2
- See Also: AuthenticationProvider
Constructor Summary
Constructors
- OpaqueTokenAuthenticationProvider(OpaqueTokenIntrospector introspector)
  Creates an OpaqueTokenAuthenticationProvider with the provided parameters
Method Summary
- Authentication authenticate(Authentication authentication)
  Introspects and validates the opaque Bearer Token and then delegates Authentication instantiation to OpaqueTokenAuthenticationConverter.
- void setAuthenticationConverter(OpaqueTokenAuthenticationConverter authenticationConverter)
  Provide a custom bean to turn a successful introspection result into an Authentication instance of your choice.
- boolean supports(java.lang.Class<?> authentication)
  Returns true if this AuthenticationProvider supports the indicated Authentication object.
Constructor Detail
OpaqueTokenAuthenticationProvider
public OpaqueTokenAuthenticationProvider(OpaqueTokenIntrospector introspector)
Creates an OpaqueTokenAuthenticationProvider with the provided parameters
- Parameters:
  introspector - The OpaqueTokenIntrospector to use
Method Detail
authenticate
public Authentication authenticate(Authentication authentication) throws AuthenticationException
Introspects and validates the opaque Bearer Token and then delegates Authentication instantiation to OpaqueTokenAuthenticationConverter.

If the created Authentication is an instance of AbstractAuthenticationToken and its details are null, then the introspection result details are used.
- Specified by: authenticate in interface AuthenticationProvider
- Parameters:
  authentication - the authentication request object.
- Returns: A successful authentication
- Throws:
  AuthenticationException - if authentication failed for some reason
supports
public boolean supports(java.lang.Class<?> authentication)
Description copied from interface: AuthenticationProvider
Returns true if this AuthenticationProvider supports the indicated Authentication object.

Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented instance of the Authentication class. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime by the ProviderManager.
- Specified by: supports in interface AuthenticationProvider
- Returns: true if the implementation can more closely evaluate the Authentication class presented
setAuthenticationConverter
public void setAuthenticationConverter(OpaqueTokenAuthenticationConverter authenticationConverter)
Provide a custom bean to turn a successful introspection result into an Authentication instance of your choice. By default, BearerTokenAuthentication will be built.
- Parameters:
  authenticationConverter - the converter to use
- Since: 5.8
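The scope-to-authority algorithm from the class description, written as a custom OpaqueTokenAuthenticationConverter and wired in through setAuthenticationConverter. This is an added example, not code from Spring Security itself. It assumes Spring Security 5.8 or later on the classpath. The class and method names are hypothetical, and both the "iat"/"exp" attribute handling and the space-delimited String fallback for "scope" are assumptions about what the configured OpaqueTokenIntrospector returns.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

// Added example; class and method names are hypothetical.
public final class ScopeMappingExample {
    // "scope" attribute -> Collection of Strings -> "SCOPE_" + element.
    // Assumption: a custom introspector may leave "scope" as a space-delimited String.
    static List<SimpleGrantedAuthority> scopeAuthorities(OAuth2AuthenticatedPrincipal principal) {
        Object scope = principal.getAttribute("scope");
        List<Object> values = new ArrayList<>();
        if (scope instanceof Collection) {
            values.addAll((Collection<?>) scope);
        } else if (scope instanceof String) {
            values.addAll(Arrays.asList(((String) scope).trim().split("\\s+")));
        } // no "scope" attribute: no scope-derived authorities are granted
        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        for (Object value : values) {
            if (value != null && !value.toString().isEmpty()) {
                authorities.add(new SimpleGrantedAuthority("SCOPE_" + value));
            }
        }
        return authorities;
    }
    // Builds a BearerTokenAuthentication; "iat"/"exp" are used only when already an Instant.
    static OpaqueTokenAuthenticationConverter converter() {
        return (introspectedToken, principal) -> {
            Object iat = principal.getAttribute("iat");
            Object exp = principal.getAttribute("exp");
            OAuth2AccessToken token = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                    introspectedToken, (iat instanceof Instant) ? (Instant) iat : null,
                    (exp instanceof Instant) ? (Instant) exp : null);
            return new BearerTokenAuthentication(principal, token, scopeAuthorities(principal));
        };
    }
    static OpaqueTokenAuthenticationProvider provider(OpaqueTokenIntrospector introspector) {
        OpaqueTokenAuthenticationProvider provider = new OpaqueTokenAuthenticationProvider(introspector);
        provider.setAuthenticationConverter(converter());
        return provider;
    }
}
```

With this converter, authorization rules that match on SCOPE_ authorities depend only on the introspection response's "scope" attribute, so a token without that attribute receives no scope-derived authorities.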