Token Introspecting Client Config

Justin Richer edited this page Aug 29, 2013 · 7 revisions

The following code sets up a filter that takes a token passed in to the web application and fills in its details as an OAuth2Authentication object by introspecting the token at the configured issuer's Introspection Endpoint. The URL for the Introspection Endpoint is provided by the configured introspectionUrlProvider service. The token service authenticates its calls to that endpoint using the clientId and clientSecret properties.

If the token is valid, the service creates an Authentication object with the user named in the sub field as its principal. This Authentication is given a set of GrantedAuthorities provided by the configured introspectionAuthorityGranter service.

In applicationContext.xml:

    <oauth:resource-server id="resourceServerFilter" token-services-ref="introspectingService" />
    <bean id="introspectingService" class="org.mitre.oauth2.introspectingfilter.IntrospectingTokenService">
        <property name="clientId" value="yourClientId"/>
        <property name="clientSecret" value="yourClientSecret"/>
        <property name="introspectionUrlProvider">
           ...
        </property>
        <property name="introspectionAuthorityGranter">
           ...
        </property>
    </bean>

Introspection URL Providers

The IntrospectionURLProvider interface looks at the context of the request and returns a URL to which the token service can make its introspection call.

Static Introspection URL Provider

The static provider simply returns the same configured URL for all requests, regardless of context.

    <bean class="org.mitre.oauth2.introspectingfilter.StaticIntrospectionUrlProvider">
        <property name="introspectionUrl" value="http://authserver/introspect" />
    </bean>

JWT-Parsing Introspection URL Provider

The JWT-parsing provider assumes that the access token is a properly formed JWT and parses the token value into a JWT object. The provider then extracts the iss field and looks up the introspection URL for that issuer using the configured serverConfigurationService. This service is the same as the one described in Client Configuration.

    <bean class="org.mitre.oauth2.introspectingfilter.JWTParsingIntrospectionUrlProvider">
        <property name="serverConfigurationService">
            ...
        </property>
    </bean>

Authority Granter

The IntrospectionAuthorityGranter interface looks at the response from the introspection endpoint and returns a set of Spring Security GrantedAuthority objects to be assigned to the token service's resulting Authentication object.

Simple Introspection Authority Granter

The SimpleIntrospectionAuthorityGranter returns the same configured set of authorities for every request, as long as the token is deemed valid by the server. By default, it returns the single GrantedAuthority of ROLE_API.

    <bean class="org.mitre.oauth2.introspectingfilter.SimpleIntrospectionAuthorityGranter">
        <property name="authorities">
            ...
        </property>
    </bean>
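The following is an added example, not code from this project, that models in Python what the JWT-parsing URL provider and the simple authority granter above do: read the iss claim from the token only to choose which configured introspection endpoint to ask, and grant the fixed ROLE_API authority only when that endpoint reports the token as active. The SERVER_CONFIG map, the sample issuer and the constructed unsigned token are assumptions standing in for the serverConfigurationService and a real introspection exchange.

```python
import base64
import json
from typing import Optional

# Constructed stand-in for the configured serverConfigurationService:
# issuer -> introspection endpoint. Only issuers listed here are trusted.
SERVER_CONFIG = {
    "https://authserver.example/": "https://authserver.example/introspect",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned compact JWT (alg=none) for testing only."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def jwt_issuer(token: str) -> Optional[str]:
    """Read 'iss' from a compact JWT without verifying it: it only selects
    where to ask; validity is decided by the introspection endpoint."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    iss = claims.get("iss") if isinstance(claims, dict) else None
    return iss if isinstance(iss, str) else None

def introspection_url(token: str) -> Optional[str]:
    """JWTParsingIntrospectionUrlProvider: look the issuer up in the configured
    servers; an unknown issuer yields no URL, so the token is rejected."""
    iss = jwt_issuer(token)
    return SERVER_CONFIG.get(iss) if iss else None

def authorities_from_response(resp: dict) -> list:
    """SimpleIntrospectionAuthorityGranter: fixed ROLE_API, only if active."""
    return ["ROLE_API"] if resp.get("active") is True else []

def build_authentication(token: str, resp: dict) -> Optional[dict]:
    """Assemble the Authentication the filter would create: 'sub' becomes the
    principal and the granter's authorities are attached. None means reject."""
    if introspection_url(token) is None or "sub" not in resp:
        return None
    auths = authorities_from_response(resp)
    return {"principal": resp["sub"], "authorities": auths} if auths else None
```

The introspection response passed to build_authentication is the JSON the endpoint returns for the token; the HTTP call itself, authenticated with clientId and clientSecret, is left out so the example runs offline.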