Class SpringAddonsOAuth2AuthorizedClientRepository
- All Implemented Interfaces:
jakarta.servlet.http.HttpSessionIdListener, jakarta.servlet.http.HttpSessionListener, EventListener, org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository
Work around the single-tenancy nature of OAuth2AuthenticationToken and InMemoryReactiveClientRegistrationRepository: if a user authenticates sequentially on several OPs, their OAuth2AuthenticationToken will contain an OAuth2User corresponding only to the last OP they authenticated with. To work around this limitation, this repository keeps an OAuth2User for each OP (issuer) and resolves the authorized client with the right subject for each issuer.
This repository is also a session listener that keeps track of all the (issuer, subject) pairs and their associations with sessions (a many-to-many relation). This enables it to expose the API required for back-channel logout, where a request is received to remove an authorized client based on its issuer and subject, without any session token.
- Author:
- Jerome Wacongne ch4mp@c4-soft.com
Constructor Summary
- public SpringAddonsOAuth2AuthorizedClientRepository()
Method Summary
- getOAuth2UsersBySession(jakarta.servlet.http.HttpSession session)
- org.springframework.security.oauth2.client.OAuth2AuthorizedClient loadAuthorizedClient(jakarta.servlet.http.HttpSession session, String issuer, String subject)
- <T extends org.springframework.security.oauth2.client.OAuth2AuthorizedClient> T loadAuthorizedClient(String clientRegistrationId, org.springframework.security.core.Authentication auth, jakarta.servlet.http.HttpServletRequest request)
- void removeAuthorizedClient(jakarta.servlet.http.HttpSession session, String issuer, String subject)
- void removeAuthorizedClient(String clientRegistrationId, org.springframework.security.core.Authentication auth, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
- Collection<jakarta.servlet.http.HttpSession> removeAuthorizedClients(String issuer, String subject): removes an authorized client and returns the sessions to invalidate (those for which the current user has no more authorized client once this one is removed)
- void saveAuthorizedClient(org.springframework.security.oauth2.client.OAuth2AuthorizedClient authorizedClient, org.springframework.security.core.Authentication auth, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
- void sessionCreated(jakarta.servlet.http.HttpSessionEvent se)
- void sessionDestroyed(jakarta.servlet.http.HttpSessionEvent se)
- void sessionIdChanged(jakarta.servlet.http.HttpSessionEvent event, String oldSessionId)
Constructor Details
- SpringAddonsOAuth2AuthorizedClientRepository
public SpringAddonsOAuth2AuthorizedClientRepository()
Method Details
- sessionIdChanged
public void sessionIdChanged(jakarta.servlet.http.HttpSessionEvent event, String oldSessionId)
Specified by: sessionIdChanged in interface jakarta.servlet.http.HttpSessionIdListener
- sessionCreated
public void sessionCreated(jakarta.servlet.http.HttpSessionEvent se)
Specified by: sessionCreated in interface jakarta.servlet.http.HttpSessionListener
- sessionDestroyed
public void sessionDestroyed(jakarta.servlet.http.HttpSessionEvent se)
Specified by: sessionDestroyed in interface jakarta.servlet.http.HttpSessionListener
- loadAuthorizedClient
public <T extends org.springframework.security.oauth2.client.OAuth2AuthorizedClient> T loadAuthorizedClient(String clientRegistrationId, org.springframework.security.core.Authentication auth, jakarta.servlet.http.HttpServletRequest request)
Specified by: loadAuthorizedClient in interface org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository
- loadAuthorizedClient
public org.springframework.security.oauth2.client.OAuth2AuthorizedClient loadAuthorizedClient(jakarta.servlet.http.HttpSession session, String issuer, String subject)
- saveAuthorizedClient
public void saveAuthorizedClient(org.springframework.security.oauth2.client.OAuth2AuthorizedClient authorizedClient, org.springframework.security.core.Authentication auth, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Specified by: saveAuthorizedClient in interface org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository
- removeAuthorizedClient
public void removeAuthorizedClient(String clientRegistrationId, org.springframework.security.core.Authentication auth, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Specified by: removeAuthorizedClient in interface org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository
- removeAuthorizedClient
public void removeAuthorizedClient(jakarta.servlet.http.HttpSession session, String issuer, String subject)
- removeAuthorizedClients
public Collection<jakarta.servlet.http.HttpSession> removeAuthorizedClients(String issuer, String subject)
Removes an authorized client and returns a list of sessions to invalidate (those for which the current user has no more authorized client after this one was removed).
Parameters:
issuer - OP issuer URI
subject - current user subject for this OP
Returns:
the list of user sessions for which this authorized client was the last one
- getOAuth2UsersBySession
getOAuth2UsersBySession(jakarta.servlet.http.HttpSession session)
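As an added illustration, not code from spring-addons, the following is a simplified model of the two-sided (issuer, subject) to session index that the class description and removeAuthorizedClients(issuer, subject) describe. It is written against the plain JDK (Java 16 or later, for records), keys sessions by id instead of holding HttpSession objects, and omits the OAuth2User and OAuth2AuthorizedClient payloads the real repository stores; the class name IssuerSubjectSessionIndex, its method names, and the sample issuer URIs and session ids are constructed for this example and do not come from the library.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Hypothetical, simplified model (not the library's implementation) of the
 * many-to-many index between OP identities and sessions that lets a back-channel
 * logout, which carries no session cookie, find the sessions to clean up.
 */
public final class IssuerSubjectSessionIndex {

    /** One identity at one OP: the issuer URI plus the user's subject at that issuer. */
    public record IssuerSubject(String issuer, String subject) {}

    // session id -> identities holding an authorized client in that session
    private final Map<String, Set<IssuerSubject>> identitiesBySession = new HashMap<>();
    // identity -> sessions holding an authorized client for it (reverse side of the relation)
    private final Map<IssuerSubject, Set<String>> sessionsByIdentity = new HashMap<>();

    /** Counterpart of saveAuthorizedClient: record that this session now holds a client for (issuer, subject). */
    public synchronized void save(String sessionId, String issuer, String subject) {
        IssuerSubject id = new IssuerSubject(issuer, subject);
        identitiesBySession.computeIfAbsent(sessionId, k -> new HashSet<>()).add(id);
        sessionsByIdentity.computeIfAbsent(id, k -> new HashSet<>()).add(sessionId);
    }

    /** Counterpart of sessionDestroyed: drop the session from both sides so stale ids never linger. */
    public synchronized void sessionDestroyed(String sessionId) {
        Set<IssuerSubject> ids = identitiesBySession.remove(sessionId);
        if (ids == null) {
            return;
        }
        for (IssuerSubject id : ids) {
            Set<String> sessions = sessionsByIdentity.get(id);
            if (sessions != null) {
                sessions.remove(sessionId);
                if (sessions.isEmpty()) {
                    sessionsByIdentity.remove(id);
                }
            }
        }
    }

    /** Counterpart of sessionIdChanged: re-key both sides when session-fixation protection rotates the id. */
    public synchronized void sessionIdChanged(String oldId, String newId) {
        Set<IssuerSubject> ids = identitiesBySession.remove(oldId);
        if (ids == null) {
            return;
        }
        identitiesBySession.put(newId, ids);
        for (IssuerSubject id : ids) {
            Set<String> sessions = sessionsByIdentity.get(id);
            if (sessions != null) {
                sessions.remove(oldId);
                sessions.add(newId);
            }
        }
    }

    /**
     * Counterpart of removeAuthorizedClients(issuer, subject): remove this identity's client from
     * every session holding it and return the sessions left with no authorized client at all,
     * which are the ones a back-channel logout handler should invalidate. Sessions that still
     * hold a client for another OP are kept alive.
     */
    public synchronized Set<String> removeAuthorizedClients(String issuer, String subject) {
        IssuerSubject id = new IssuerSubject(issuer, subject);
        Set<String> toInvalidate = new TreeSet<>();
        Set<String> sessions = sessionsByIdentity.remove(id);
        if (sessions == null) {
            return toInvalidate;
        }
        for (String sessionId : sessions) {
            Set<IssuerSubject> ids = identitiesBySession.get(sessionId);
            if (ids == null) {
                continue;
            }
            ids.remove(id);
            if (ids.isEmpty()) {
                identitiesBySession.remove(sessionId);
                toInvalidate.add(sessionId);
            }
        }
        return toInvalidate;
    }

    /** Read-only view of the identities a session still holds a client for. */
    public synchronized Set<IssuerSubject> identitiesOf(String sessionId) {
        return Set.copyOf(identitiesBySession.getOrDefault(sessionId, Set.of()));
    }

    public static void main(String[] args) {
        IssuerSubjectSessionIndex index = new IssuerSubjectSessionIndex();
        // Constructed sample: session A is logged in at two OPs, session B at one of them.
        index.save("sess-A", "https://op1.example/realms/a", "user-1");
        index.save("sess-A", "https://op2.example/", "u-42");
        index.save("sess-B", "https://op1.example/realms/a", "user-1");
        // The container rotates B's id after authentication (session fixation protection).
        index.sessionIdChanged("sess-B", "sess-B2");
        // A back-channel logout arrives from op1 for user-1, without any session cookie.
        Set<String> invalidate = index.removeAuthorizedClients("https://op1.example/realms/a", "user-1");
        System.out.println("sessions to invalidate: " + invalidate);
        System.out.println("sess-A still holds: " + index.identitiesOf("sess-A"));
    }
}
```

With the constructed sample, only the rotated session is returned for invalidation: it held nothing but the op1 client, while session A keeps its op2 client and stays logged in there. The reverse map is what makes the lookup possible at all, since the logout request from the OP identifies the user only by issuer and subject; keeping both sides in step on sessionDestroyed and sessionIdChanged is what prevents the index from pointing at session ids that no longer exist.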