Package org.springframework.security.oauth2.client

Class TokenExchangeOAuth2AuthorizedClientProvider

java.lang.Object

org.springframework.security.oauth2.client.TokenExchangeOAuth2AuthorizedClientProvider

All Implemented Interfaces:

OAuth2AuthorizedClientProvider

public final class TokenExchangeOAuth2AuthorizedClientProvider
extends Object
implements OAuth2AuthorizedClientProvider

An implementation of an OAuth2AuthorizedClientProvider for the token-exchange grant.

Since:

6.3

See Also:

• OAuth2AuthorizedClientProvider
• DefaultTokenExchangeTokenResponseClient

Constructor Summary

Constructors

Constructor	Description
TokenExchangeOAuth2AuthorizedClientProvider()

Method Summary

Modifier and Type	Method	Description
OAuth2AuthorizedClient	authorize(OAuth2AuthorizationContext context)	Attempt to authorize (or re-authorize) the client in the provided context.
void	setAccessTokenResponseClient(OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> accessTokenResponseClient)	Sets the client used when requesting an access token credential at the Token Endpoint for the token-exchange grant.
void	setActorTokenResolver(Function<OAuth2AuthorizationContext,OAuth2Token> actorTokenResolver)	Sets the resolver used for resolving the actor token.
void	setClock(Clock clock)	Sets the Clock used in Instant.now(Clock) when checking the access token expiry.
void	setClockSkew(Duration clockSkew)	Sets the maximum acceptable clock skew, which is used when checking the access token expiry.
void	setSubjectTokenResolver(Function<OAuth2AuthorizationContext,OAuth2Token> subjectTokenResolver)	Sets the resolver used for resolving the subject token.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

TokenExchangeOAuth2AuthorizedClientProvider

public TokenExchangeOAuth2AuthorizedClientProvider()

Method Details

authorize

@Nullable
public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context)

Attempt to authorize (or re-authorize) the client in the provided context. Returns null if authorization (or re-authorization) is not supported, e.g. the client's authorization grant type is not token-exchange OR the access token is not expired.

Specified by:

authorize in interface OAuth2AuthorizedClientProvider

Parameters:

context - the context that holds authorization-specific state for the client

Returns:

the OAuth2AuthorizedClient or null if authorization is not supported

setAccessTokenResponseClient

public void setAccessTokenResponseClient(OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> accessTokenResponseClient)

Sets the client used when requesting an access token credential at the Token Endpoint for the token-exchange grant.

Parameters:

accessTokenResponseClient - the client used when requesting an access token credential at the Token Endpoint for the token-exchange grant

setSubjectTokenResolver

public void setSubjectTokenResolver(Function<OAuth2AuthorizationContext,OAuth2Token> subjectTokenResolver)

Sets the resolver used for resolving the subject token.

Parameters:

subjectTokenResolver - the resolver used for resolving the subject token

setActorTokenResolver

public void setActorTokenResolver(Function<OAuth2AuthorizationContext,OAuth2Token> actorTokenResolver)

Sets the resolver used for resolving the actor token.

Parameters:

actorTokenResolver - the resolver used for resolving the actor token

setClockSkew

public void setClockSkew(Duration clockSkew)

Sets the maximum acceptable clock skew, which is used when checking the access token expiry. The default is 60 seconds.

An access token is considered expired if OAuth2AccessToken#getExpiresAt() - clockSkew is before the current time clock#instant().

Parameters:

clockSkew - the maximum acceptable clock skew

setClock

public void setClock(Clock clock)

Sets the Clock used in Instant.now(Clock) when checking the access token expiry.

Parameters:

clock - the clock