public class TokenRequestHandlerSpiAdapter extends Object implements TokenRequestHandlerSpi
Empty implementation of the TokenRequestHandlerSpi interface: every method returns null, so a subclass overrides only the methods it needs.
If you don't support Resource Owner Password Credentials Grant, you don't have to override the authenticateUser(String, String) method.
| Constructor and Description |
|---|
| TokenRequestHandlerSpiAdapter() |

| Modifier and Type | Method and Description |
|---|---|
| String | authenticateUser(String username, String password) Authenticate an end-user. |
| com.authlete.common.dto.Property[] | getProperties() Get extra properties to associate with an access token. |
public String authenticateUser(String username, String password)
Description copied from interface: TokenRequestHandlerSpi
Authenticate an end-user. This method is called only when Resource Owner Password Credentials Grant was used. Therefore, if you do not intend to support Resource Owner Password Credentials Grant, always return null. In typical cases, you don't have to support Resource Owner Password Credentials Grant.
FYI: RFC 6749 (Section 4.3) says "The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable." The OAuth 2.0 Security Best Current Practice goes further and says this grant must not be used.
Below is an example implementation using Apache Shiro.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;

@Override
public String authenticateUser(String username, String password)
{
    // Pack the username and password into AuthenticationToken
    // which Apache Shiro's SecurityManager can accept.
    AuthenticationToken credentials = new UsernamePasswordToken(username, password);

    try
    {
        // Authenticate the resource owner.
        AuthenticationInfo info = SecurityUtils.getSecurityManager().authenticate(credentials);

        // Get the subject of the authenticated user.
        return info.getPrincipals().getPrimaryPrincipal().toString();
    }
    catch (AuthenticationException e)
    {
        // Not authenticated.
        return null;
    }
}
```
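The following is an added example, not code from this page or from Authlete's library, showing the same SPI method implemented without Apache Shiro. It verifies the password against a constructed in-memory store of salted PBKDF2 hashes, compares the derived key in constant time, runs the derivation even when the username is unknown so that response time does not reveal whether an account exists, and returns the user's subject on success or null otherwise. The package name of TokenRequestHandlerSpiAdapter, the store contents and the subject format are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import com.authlete.jaxrs.spi.TokenRequestHandlerSpiAdapter; // package assumed from authlete-java-jaxrs

/**
 * Added example, not Authlete's code: a TokenRequestHandlerSpi that supports
 * Resource Owner Password Credentials Grant against a constructed in-memory
 * store of PBKDF2 password hashes.
 */
public class PasswordGrantSpi extends TokenRequestHandlerSpiAdapter
{
    private static final String KDF        = "PBKDF2WithHmacSHA512";
    private static final int    ITERATIONS = 210_000;
    private static final int    KEY_BITS   = 256;
    private static final int    SALT_BYTES = 16;

    /** A stored credential: the subject to return on success, plus salt and hash. */
    private static final class Credential
    {
        final String subject;
        final byte[] salt;
        final byte[] hash;

        Credential(String subject, byte[] salt, byte[] hash)
        {
            this.subject = subject;
            this.salt    = salt;
            this.hash    = hash;
        }
    }

    /** Constructed sample store keyed by lower-cased username. Not real data. */
    private static final Map<String, Credential> USERS = new HashMap<>();

    /** Decoy credential so that an unknown username costs the same as a wrong password. */
    private static final Credential DECOY = newCredential("", "decoy");

    static
    {
        USERS.put("alice", newCredential("urn:example:user:1001", "correct horse battery staple"));
    }

    @Override
    public String authenticateUser(String username, String password)
    {
        if (username == null || password == null)
        {
            return null;
        }

        Credential stored = USERS.get(username.toLowerCase(Locale.ROOT));
        Credential target = (stored != null) ? stored : DECOY;

        // Always run the KDF and compare in constant time, whether or not the
        // username exists; the decision is taken only after both have happened.
        byte[] candidate = derive(password, target.salt);
        boolean matches  = MessageDigest.isEqual(candidate, target.hash);

        return (stored != null && matches) ? stored.subject : null;
    }

    static Credential newCredential(String subject, String password)
    {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return new Credential(subject, salt, derive(password, salt));
    }

    static byte[] derive(String password, byte[] salt)
    {
        try
        {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        }
        catch (GeneralSecurityException e)
        {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    public static void main(String[] args)
    {
        PasswordGrantSpi spi = new PasswordGrantSpi();
        System.out.println(spi.authenticateUser("alice", "correct horse battery staple"));
        System.out.println(spi.authenticateUser("alice", "wrong password"));
        System.out.println(spi.authenticateUser("mallory", "anything"));
    }
}
```

The only information this method leaks to the caller is success or failure; it never distinguishes "no such user" from "wrong password", and the subject it returns is an opaque identifier rather than the username, so that the username is not echoed back into tokens.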
Specified by: authenticateUser in interface TokenRequestHandlerSpi
Parameters:
username - The value of the username parameter in the token request.
password - The value of the password parameter in the token request.
Returns: The subject of the authenticated end-user. If the pair of username and password is invalid, null should be returned.

public com.authlete.common.dto.Property[] getProperties()
Description copied from interface: TokenRequestHandlerSpi
Get extra properties to associate with an access token. This method is expected to return an array of extra properties. The following is an example that returns an array containing one extra property.

```java
@Override
public Property[] getProperties()
{
    return new Property[] {
        new Property("example_parameter", "example_value")
    };
}
```

Extra properties returned from this method appear as top-level entries in the JSON response from the authorization server, as shown in Section 5.1 (Successful Response) of RFC 6749. Because they are returned to the client application, do not put anything in them that the client must not see.
The keys listed below must not be used; they are reserved by RFC 6749 and OpenID Connect Core 1.0, and the server ignores them even if this method returns them.
access_token
token_type
expires_in
refresh_token
scope
error
error_description
error_uri
id_token
Note that there is an upper limit on the total size of extra properties. On the server side, the properties are (1) converted to a multidimensional string array, (2) converted to JSON, (3) encrypted with AES/CBC/PKCS5Padding, (4) encoded with base64url, and then stored in the database. The length of the resultant string must not exceed 65,535 bytes. This is the upper limit, but we think it is big enough.
When the value of the grant_type parameter in the token request from the client application is authorization_code or refresh_token, extra properties are merged according to the rules in the table below.

| grant_type | Description |
|---|---|
| authorization_code | If the authorization code presented by the client application already has extra properties (this happens if AuthorizationDecisionHandlerSpi.getProperties() returned extra properties when the authorization code was issued), extra properties returned by this method are merged into the existing extra properties. Existing extra properties are overwritten when extra properties returned by this method have the same keys. For example, if an authorization code has two extra properties, a=1 and b=2, and this method returns two extra properties, a=A and c=3, the resultant access token has three extra properties, a=A, b=2 and c=3. |
| refresh_token | If the access token associated with the refresh token presented by the client application already has extra properties, extra properties returned by this method are merged into the existing extra properties. Existing extra properties are overwritten when extra properties returned by this method have the same keys. |
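The following is an added example, not code from this page or from Authlete, that models the rules described above so they can be checked locally before a getProperties() implementation returns: the authorization_code / refresh_token merge from the table (worked through on the page's own a=1, b=2 plus a=A, c=3 case), removal of the reserved keys the server would ignore, and a rough estimate of the stored size against the documented 65,535-byte limit. The class name is mine, and the size estimate assumes keys and values need no JSON escaping and does not count an IV; Authlete's exact server-side serialization is not specified on this page.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import com.authlete.common.dto.Property;

/**
 * Added example, not Authlete's code: a local model of the extra-property
 * rules documented for TokenRequestHandlerSpi.getProperties(), usable as a
 * pre-flight check in your own implementation.
 */
public final class ExtraPropertyRules
{
    /** Keys reserved by RFC 6749 and OpenID Connect Core 1.0; the server ignores them. */
    static final Set<String> RESERVED = new HashSet<>(Arrays.asList(
        "access_token", "token_type", "expires_in", "refresh_token",
        "scope", "error", "error_description", "error_uri", "id_token"));

    /** Documented limit on the stored (JSON, AES/CBC, base64url) form. */
    static final int MAX_STORED_BYTES = 65_535;

    /**
     * The documented merge for authorization_code and refresh_token: properties
     * returned by getProperties() overwrite existing ones with the same key,
     * and every other existing property is kept.
     */
    static Property[] merge(Property[] existing, Property[] returned)
    {
        Map<String, String> merged = new LinkedHashMap<>();
        put(merged, existing);
        put(merged, returned);
        return toArray(merged);
    }

    /** Drop reserved keys before returning, rather than relying on the server to ignore them. */
    static Property[] dropReserved(Property[] props)
    {
        Map<String, String> kept = new LinkedHashMap<>();
        if (props != null)
        {
            for (Property p : props)
            {
                if (!RESERVED.contains(p.getKey()))
                {
                    kept.put(p.getKey(), p.getValue());
                }
            }
        }
        return toArray(kept);
    }

    /**
     * Rough upper bound on the stored size, following the documented pipeline:
     * JSON of [[key, value], ...], AES/CBC/PKCS5Padding (1 to 16 bytes of padding),
     * then base64url. Assumes no JSON escaping is needed and ignores any IV.
     */
    static int estimateStoredBytes(Property[] props)
    {
        StringBuilder json = new StringBuilder("[");
        for (int i = 0; props != null && i < props.length; i++)
        {
            if (i > 0) json.append(',');
            json.append("[\"").append(props[i].getKey())
                .append("\",\"").append(props[i].getValue()).append("\"]");
        }
        int plain  = json.append(']').toString().getBytes(StandardCharsets.UTF_8).length;
        int cipher = (plain / 16 + 1) * 16;   // PKCS5 padding rounds up to the next block
        return ((cipher + 2) / 3) * 4;        // base64 length including padding characters
    }

    static boolean fitsInStore(Property[] props)
    {
        return estimateStoredBytes(props) <= MAX_STORED_BYTES;
    }

    private static void put(Map<String, String> into, Property[] props)
    {
        if (props == null) return;
        for (Property p : props) into.put(p.getKey(), p.getValue());
    }

    private static Property[] toArray(Map<String, String> map)
    {
        Property[] out = new Property[map.size()];
        int i = 0;
        for (Map.Entry<String, String> e : map.entrySet())
        {
            out[i++] = new Property(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args)
    {
        // The page's worked case: the code was issued with a=1, b=2 and this
        // SPI returns a=A, c=3, plus a reserved key that must be dropped.
        Property[] onCode  = { new Property("a", "1"), new Property("b", "2") };
        Property[] fromSpi = { new Property("a", "A"), new Property("c", "3"),
                               new Property("scope", "openid") };

        Property[] result = merge(onCode, dropReserved(fromSpi));
        for (Property p : result)
        {
            System.out.println(p.getKey() + "=" + p.getValue());
        }
        System.out.println("fits in store: " + fitsInStore(result));
    }
}
```

Because the server silently ignores reserved keys, a getProperties() implementation that accidentally returns one (a "scope" override, for instance) fails without any error; filtering on the SPI side, as dropReserved does, turns that silent loss into something you can log or assert on in tests.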
Specified by: getProperties in interface TokenRequestHandlerSpi
Returns: An array of extra properties. If null is returned, no extra property will be associated with the access token.

Copyright © 2016. All rights reserved.