Updated Token Introspecting Client Config (markdown)
Justin Richer
parent
319792b9ff
commit
68c8ac6694
|
|
@ -1,4 +1,6 @@
|
|||
The following code sets up a filter to take a token passed in to the web application, and fill in the details as an `OAuth2Authentication` object by introspecting it with the configured issuer's Introspection Endpoint (configured as the `introspectionUrl` property). The service authenticates its calls using the `clientId` and `clientSecret` properties.
|
||||
The following code sets up a filter to take a token passed in to the web application, and fill in the details as an `OAuth2Authentication` object by introspecting it at a configured issuer's Introspection Endpoint. The URL for the Introspection Endpoint is provided by the configured `introspectionUrlProvider` service. The token service authenticates its calls using the `clientId` and `clientSecret` properties.
|
||||
|
||||
If the token is valid, the service creates an `Authentication` object with the user in the `sub` object as its principle. This `Authentication` is given a set of `GrantedAuthorities` provided by the configured `introspectionAuthorityGranter` service.
|
||||
|
||||
In applicationContext.xml:
|
||||
```
|
||||
|
|
@ -6,8 +8,53 @@ In applicationContext.xml:
|
|||
<bean id="introspectingService" class="org.mitre.oauth2.introspectingfilter.IntrospectingTokenService">
|
||||
<property name="clientId" value="yourClientId"/>
|
||||
<property name="clientSecret" value="yourClientSecret"/>
|
||||
<property name="introspectionUrl" value="http://localhost:8080/openid-connect-server/introspect"/>
|
||||
<property name="introspectionUrlProvider">
|
||||
...
|
||||
</property>
|
||||
<property name="introspectionAuthorityGranter">
|
||||
...
|
||||
</property>
|
||||
</bean>
|
||||
```
|
||||
|
||||
If the token is valid, the service creates an Authorization with the user in the `sub` field of the response and the role `ROLE_API`.
|
||||
## Introspection URL Providers
|
||||
|
||||
The `IntrospectionURLProvider` interface looks at the context of the request and returns a URL to which the token service can make its introspection call.
|
||||
|
||||
### Static Introspection URL Provider
|
||||
|
||||
The static provider simply returns the same configured URL for all requests, regardless of context.
|
||||
|
||||
```
|
||||
<bean class="org.mitre.oauth2.introspectingfilter.StaticIntrospectionUrlProvider">
|
||||
<property name="introspectionUrl" value="http://authserver/introspect" />
|
||||
</bean>
|
||||
```
|
||||
|
||||
### JWT-Parsing Introspection URL Provider
|
||||
|
||||
The JWT-parsing provider assumes that the access token is a properly formed JWT and parses the token value into a JWT object. The provider then extracts the `iss` field and looks up the introspection URL using the configured `serverConfigurationService`. This service the same as that described in [Client Configuration](Client-configuration#server-configuration).
|
||||
|
||||
```
|
||||
<bean class="org.mitre.oauth2.introspectingfilter.JWTParsingIntrospectionUrlProvider">
|
||||
<property name="serverConfigurationService">
|
||||
...
|
||||
</property>
|
||||
</bean>
|
||||
```
|
||||
|
||||
## Authority Granter
|
||||
|
||||
The `IntrospectionAuthorityGranter` interface looks at the response from the introspection endpoint and returns a set of Spring Security `GrantedAuthority` objects to be assigned to the token service's resulting `Authentication` object.
|
||||
|
||||
### Simple Introspection Authority Granter
|
||||
|
||||
The `SimpleIntrospectionAuthorityGranter` returns the same configured set of authorities for every request, as long as the token is deemed valid by the server. By default, it returns the single `GrantedAuthority` of `ROLE_API`.
|
||||
|
||||
```
|
||||
<bean class="org.mitre.oauth2.introspectingfilter.SimpleIntrospectionAuthorityGranter">
|
||||
<property name="authorities">
|
||||
...
|
||||
</property>
|
||||
</bean>
|
||||
```
|
||||
Loading…
Reference in New Issue