Token Introspecting Client Config
The following code sets up a filter that takes a token passed in to the web application and fills in its details as an OAuth2Authentication object by introspecting it at the configured issuer's Introspection Endpoint. The URL of the Introspection Endpoint is provided by the configured introspectionConfigurationService property.

If the token is valid, the service creates an Authentication object whose principal is the user named in the sub field of the introspection response. This Authentication is given the set of GrantedAuthority objects provided by the configured introspectionAuthorityGranter service.
In applicationContext.xml:
<oauth:resource-server id="resourceServerFilter" token-services-ref="introspectingService" />
<bean id="introspectingService" class="org.mitre.oauth2.introspectingfilter.IntrospectingTokenService">
<property name="introspectionConfigurationService">
...
</property>
<property name="introspectionAuthorityGranter">
...
</property>
</bean>
The Introspection Configuration Service interface looks at the context of the request and returns the URL to which the token service makes its introspection call, together with the client credentials it presents there.

The static provider simply returns the same configured URL and the same configured client for all requests, regardless of context. The example below uses a plain http URL for brevity; a deployment should reach the introspection endpoint over https, since the client ID and secret configured here are sent with every introspection request.
<bean class="org.mitre.oauth2.introspectingfilter.service.impl.StaticIntrospectionConfigurationService">
<property name="introspectionUrl" value="http://authserver/introspect" />
<property name="clientConfiguration">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientId" value="yourClientId"/>
<property name="clientSecret" value="yourClientSecret"/>
</bean>
</property>
</bean>
The JWT-parsing provider assumes that the access token is a properly formed JWT and parses the token value into a JWT object. The provider then extracts the iss claim and looks up the introspection URL and client using the configured serverConfigurationService and clientConfigurationService. These services are the same as those described in Client Configuration/server service configuration and Client Configuration/client service configuration. Note that iss is read from the token before anything about it has been verified, so the server configuration service should resolve only issuers you actually trust; the introspection response, not the token's own claims, is what establishes validity.
<bean class="org.mitre.oauth2.introspectingfilter.JWTParsingIntrospectionUrlProvider">
<property name="serverConfigurationService">
...
</property>
<property name="clientConfigurationService">
...
</property>
</bean>
The IntrospectionAuthorityGranter interface looks at the response from the introspection endpoint and returns a set of Spring Security GrantedAuthority objects to be assigned to the Authentication object the token service produces.

The SimpleIntrospectionAuthorityGranter returns the same configured set of authorities for every request, as long as the token is deemed valid by the server. By default it returns the single GrantedAuthority ROLE_API.
<bean class="org.mitre.oauth2.introspectingfilter.SimpleIntrospectionAuthorityGranter">
<property name="authorities">
...
</property>
</bean>
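A fixed set of authorities ignores everything the introspection response says about the token beyond its validity. The following granter is an added example, not code from MITREid Connect, showing how to derive authorities from the RFC 7662 scope member of the response while still granting the page's default ROLE_API. It assumes the IntrospectionAuthorityGranter interface is found under org.mitre.oauth2.introspectingfilter.service and exposes a single method, List<GrantedAuthority> getAuthorities(JsonObject), taking the Gson object parsed from the introspection response; the package com.example.resource and the class name are hypothetical.

```java
// Added example (not MITREid Connect's own code): an IntrospectionAuthorityGranter that
// derives authorities from the "scope" member of the introspection response.
// Assumed: the interface lives in org.mitre.oauth2.introspectingfilter.service and
// declares List<GrantedAuthority> getAuthorities(JsonObject). Package and class name are
// hypothetical; adjust the import to the package used by the MITREid version in use.
package com.example.resource;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.mitre.oauth2.introspectingfilter.service.IntrospectionAuthorityGranter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;

public class ScopeIntrospectionAuthorityGranter implements IntrospectionAuthorityGranter {

    /** Prefix applied to each scope value, so scope "read" becomes authority SCOPE_read. */
    private String scopePrefix = "SCOPE_";

    /** Authorities granted to every active token in addition to the scope-derived ones. */
    private List<GrantedAuthority> baseAuthorities =
            Collections.<GrantedAuthority>singletonList(new SimpleGrantedAuthority("ROLE_API"));

    @Override
    public List<GrantedAuthority> getAuthorities(JsonObject introspectionResponse) {
        // The token service only consults the granter for tokens the server reported as
        // valid, but re-check "active" so a misconfigured caller never grants on a dead token.
        if (introspectionResponse == null || !isActive(introspectionResponse)) {
            return new ArrayList<GrantedAuthority>();
        }

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(baseAuthorities);

        // RFC 7662 "scope" is one space-separated string; a missing or empty value
        // yields only the base authorities rather than an error.
        JsonElement scope = introspectionResponse.get("scope");
        if (scope != null && scope.isJsonPrimitive()) {
            for (String value : scope.getAsString().trim().split("\\s+")) {
                if (!value.isEmpty()) {
                    authorities.add(new SimpleGrantedAuthority(scopePrefix + value));
                }
            }
        }
        return authorities;
    }

    /** True only when the response carries an "active" member that evaluates to true. */
    private static boolean isActive(JsonObject response) {
        JsonElement active = response.get("active");
        return active != null && active.isJsonPrimitive() && active.getAsBoolean();
    }

    public void setScopePrefix(String scopePrefix) {
        this.scopePrefix = scopePrefix;
    }

    public void setBaseAuthorities(List<GrantedAuthority> baseAuthorities) {
        this.baseAuthorities = new ArrayList<GrantedAuthority>(baseAuthorities);
    }
}
```

To use it, declare the class as a bean in applicationContext.xml and reference it from the introspectionAuthorityGranter property of the introspectingService bean in place of SimpleIntrospectionAuthorityGranter. Access rules on the resource server can then distinguish tokens by scope, for example with hasAuthority('SCOPE_read'), while hasRole('API') continues to match every active token.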
Software is available under the Apache 2.0 license. Documentation available under the Creative Commons 3.0 By-NC license.