Package org.springframework.security.oauth2.server.resource.authentication

Class OpaqueTokenAuthenticationProvider

java.lang.Object

org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider

All Implemented Interfaces:

AuthenticationProvider

public final class OpaqueTokenAuthenticationProvider
extends Object
implements AuthenticationProvider

An AuthenticationProvider implementation for opaque Bearer Tokens, using an OAuth 2.0 Introspection Endpoint to check the token's validity and reveal its attributes.

This AuthenticationProvider is responsible for introspecting and verifying an opaque access token, returning its attributes set as part of the Authentication statement.

Scopes are translated into GrantedAuthoritys according to the following algorithm:

1. If there is a "scope" attribute, then convert to a Collection of Strings.
2. Take the resulting Collection and prepend the "SCOPE_" keyword to each element, adding as GrantedAuthoritys.

An OpaqueTokenIntrospector is responsible for retrieving token attributes from an authorization server.

An OpaqueTokenAuthenticationConverter is responsible for turning a successful introspection result into an Authentication instance (which may include mapping GrantedAuthoritys from token attributes or retrieving from another source).

Since:

5.2

See Also:

• AuthenticationProvider

Constructor Summary

Constructors

Constructor	Description
OpaqueTokenAuthenticationProvider(OpaqueTokenIntrospector introspector)	Creates a OpaqueTokenAuthenticationProvider with the provided parameters

Method Summary

Modifier and Type	Method	Description
Authentication	authenticate(Authentication authentication)	Introspect and validate the opaque Bearer Token and then delegates Authentication instantiation to OpaqueTokenAuthenticationConverter.
void	setAuthenticationConverter(OpaqueTokenAuthenticationConverter authenticationConverter)	Provide with a custom bean to turn successful introspection result into an Authentication instance of your choice.
boolean	supports(Class<?> authentication)	Returns true if this AuthenticationProvider supports the indicated Authentication object.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

OpaqueTokenAuthenticationProvider

public OpaqueTokenAuthenticationProvider(OpaqueTokenIntrospector introspector)

Creates a OpaqueTokenAuthenticationProvider with the provided parameters

Parameters:

introspector - The OpaqueTokenIntrospector to use

Method Details

authenticate

public Authentication authenticate(Authentication authentication)
                            throws AuthenticationException

Introspect and validate the opaque Bearer Token and then delegates Authentication instantiation to OpaqueTokenAuthenticationConverter.

If created Authentication is instance of AbstractAuthenticationToken and details are null, then introspection result details are used.

Specified by:

authenticate in interface AuthenticationProvider

Parameters:

authentication - the authentication request object.

Returns:

A successful authentication

Throws:

AuthenticationException - if authentication failed for some reason

supports

public boolean supports(Class<?> authentication)

Description copied from interface: AuthenticationProvider

Returns true if this AuthenticationProvider supports the indicated Authentication object.

Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented Authentication object. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime the ProviderManager.

Specified by:

supports in interface AuthenticationProvider

Returns:

true if the implementation can more closely evaluate the Authentication class presented

setAuthenticationConverter

public void setAuthenticationConverter(OpaqueTokenAuthenticationConverter authenticationConverter)

Provide with a custom bean to turn successful introspection result into an Authentication instance of your choice. By default, BearerTokenAuthentication will be built.

Parameters:

authenticationConverter - the converter to use

Since:

5.8