
Token Introspecting Client Config

Justin Richer edited this page May 28, 2014 · 6 revisions

The following configuration sets up a filter that takes the access token passed in to the web application and fills in its details as an OAuth2Authentication object by introspecting it at the configured issuer's Introspection Endpoint. The URL of the Introspection Endpoint is supplied by the configured introspectionConfigurationService property.

If the token is valid, the service creates an Authentication object whose principal is the user named in the sub field of the introspection response. This Authentication is given the set of GrantedAuthorities supplied by the configured introspectionAuthorityGranter service.

In applicationContext.xml:

<oauth:resource-server id="resourceServerFilter" token-services-ref="introspectingService" />

<bean id="introspectingService" class="org.mitre.oauth2.introspectingfilter.IntrospectingTokenService">
    <!-- decides where the token is sent for introspection (see Introspection Configuration Service below) -->
    <property name="introspectionConfigurationService">
       ...
    </property>
    <!-- decides which GrantedAuthorities a valid token receives (see Authority Granter below) -->
    <property name="introspectionAuthorityGranter">
       ...
    </property>
</bean>

Introspection Configuration Service

The Introspection Configuration Service interface looks at the context of the request and returns a URL to which the token service can make its introspection call.

Static Introspection Configuration Service

The static provider simply returns the same configured URL and the same configured client for all requests, regardless of context.

<bean class="org.mitre.oauth2.introspectingfilter.StaticIntrospectionUrlProvider">
   <!-- every introspection call, together with the client credentials below, goes to this URL -->
   <property name="introspectionUrl" value="http://authserver/introspect" />
   <!-- this resource server's own client registration at the authorization server -->
   <property name="clientConfiguration">
     <bean class="org.mitre.oauth2.model.RegisteredClient">
       <property name="clientId" value="yourClientId"/>
       <property name="clientSecret" value="yourClientSecret"/>
     </bean>
   </property>
</bean>

JWT-Parsing Introspection URL Provider

The JWT-parsing provider assumes that the access token is a properly formed JWT and parses the token value into a JWT object. The provider then extracts the iss field and uses it to look up the introspection URL and the client to use through the configured serverConfigurationService and clientConfigurationService. These services are the same ones described in Client Configuration/server service configuration and Client Configuration/client service configuration.

<bean class="org.mitre.oauth2.introspectingfilter.JWTParsingIntrospectionUrlProvider">
   <property name="serverConfigurationService">
      ...
   </property>
   <property name="clientConfigurationService">
      ...
   </property>
</bean>

Authority Granter

The IntrospectionAuthorityGranter interface looks at the response from the introspection endpoint and returns a set of Spring Security GrantedAuthority objects to be assigned to the token service's resulting Authentication object.

Simple Introspection Authority Granter

The SimpleIntrospectionAuthorityGranter returns the same configured set of authorities for every request, as long as the token is deemed valid by the server. By default, it returns the single GrantedAuthority of ROLE_API.

<bean class="org.mitre.oauth2.introspectingfilter.SimpleIntrospectionAuthorityGranter">
   <!-- leave this property out to keep the default single authority, ROLE_API -->
   <property name="authorities">
      ...
   </property>
</bean>
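To make the flow described on this page concrete, here is an added Python example (not MITREid Connect's own code) that walks the filter's job end to end: the JWT-parsing provider's choice of introspection configuration by iss, the introspection call authenticated with the resource server's own client credentials, and the Authentication built from an active response with the simple granter's fixed ROLE_API. The post callable, the STATIC_CONFIG dict and SAMPLE_TOKEN are constructed stand-ins, not part of the project.

```python
import base64
import json

# Constructed sample mirroring the static provider's properties above.
STATIC_CONFIG = {"introspection_url": "http://authserver/introspect",
                 "client_id": "yourClientId", "client_secret": "yourClientSecret"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# Constructed sample token; only the payload's 'iss' matters here, the signature is filler.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256"}'),
                         _b64url(b'{"iss":"http://authserver/","sub":"jdoe"}'),
                         _b64url(b"not-a-real-signature")])

def issuer_from_jwt(token: str) -> str:
    """JWT-parsing provider: read 'iss' from the payload. The signature is not
    verified here; validity is decided by the introspection response."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))["iss"]

def select_config(token: str, by_issuer: dict) -> dict:
    """Look up URL and client by issuer; unknown issuers are rejected outright."""
    iss = issuer_from_jwt(token)
    if iss not in by_issuer:
        raise ValueError(f"no introspection configuration for issuer {iss}")
    return by_issuer[iss]

def introspect(token: str, config: dict, post) -> dict:
    """POST the token, authenticated as our own client via HTTP Basic. 'post(url,
    headers, form)' is a hypothetical injected HTTP call returning parsed JSON."""
    cred = f"{config['client_id']}:{config['client_secret']}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(cred).decode()}
    return post(config["introspection_url"], headers, {"token": token})

def authenticate(token, config, post, now, authorities=("ROLE_API",)):
    """None unless the server reports the token active and not expired at 'now';
    otherwise the 'sub' principal plus the granter's fixed authorities."""
    resp = introspect(token, config, post)
    if not resp.get("active"):
        return None
    if resp.get("exp") is not None and resp["exp"] <= now:
        return None
    return {"principal": resp.get("sub"), "authorities": list(authorities)}
```

Note that the iss value only selects which issuer to ask; an attacker-chosen iss that is not in the configured map is refused rather than introspected at an arbitrary URL.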