OAuth2RestTemplate in stateless environment

Printable View

Mar 20th, 2013, 04:39 AM
akorotenko

OAuth2RestTemplate in stateless environment

Hi,
Can someone guide me with OAuth2RestTemplate for "stateless" services?

OAuth2RestTemplate keeps obtained token in OAuth2ClientContext or in ClientTokenServices (in AccessTokenProviderChain) inside itself.
If I wanna to create oAuth2RestTemplate in runtime (and oauth resource also), what should I do (for redirect resource details)?

Right now I plan to implement ClientTokenServices and use it as singleton. Something, like this:

Code:

@Autowired private ClientTokenServices clientTokenServices; ......................... ......................... AuthorizationCodeResourceDetails facebookResource = new AuthorizationCodeResourceDetails(); ......................... OAuth2RestTemplate facebookRestTemplate = new OAuth2RestTemplate(facebookResource); AccessTokenProviderChain providerChain = new AccessTokenProviderChain(Arrays.<AccessTokenProvider> asList(new AuthorizationCodeAccessTokenProvider(), new ImplicitAccessTokenProvider(), new ResourceOwnerPasswordAccessTokenProvider(), new ClientCredentialsAccessTokenProvider())); providerChain.setClientTokenServices(clientTokenServices); facebookRestTemplate.setAccessTokenProvider(providerChain); OAuth2AccessToken accessToken = facebookRestTemplate.getAccessToken();

Is it best practice or I miss something?

And what scope is set for beans, created by <oauth:resource /> and <oauth:rest-template /> tags?

thanks in advance
Mar 20th, 2013, 12:28 PM
Dave Syer

I'm not 100% sure I follow what you need, but if I were you I woudln't create my own AccessTokenProviderChain or OAuth2RestTemplate (I'd use XML configuration, but maybe you don't like that or something?).

<oauth:resource/> is a singeton. <oauth:rest-template/> is effectively scope="session" for authorization_code grants and singleton for client credentials grant (it delegates insternally depending on the grant type).
Mar 20th, 2013, 03:52 PM
akorotenko

Yes... probably OAuth2RestTemplate... just ClientTokenServices produces the same gap with created in runtime restTemplate - infinite loop of redirect requests...

The main problem - I need to create <oauth:resource/> in runtime... Different applications which our server should maintain can use different auth services. I can extend OAuth2RestTemplate and set different oauth:resource, but probably need to synchronize methods (looks bad)
Environment will work in AWS with no sessions.

And this produces another problem - after redirect from, for instance, Facebook - response can be catched by another node in a cloud. OAuth2RestTemplate from this server doesn't know about previous requests.

I believe in an elegant solution to the problem but so far it has not reached... :(
Mar 20th, 2013, 06:39 PM
Dave Syer

I suppose with a ClientTokenServices you don't need the session, so you could make an OAuth2RestTemplate in request scope and it should work. I still would use Spring to create and inject all dependencies if I were you (makes it much easier to test), but it's entirely up to you.

I can see that request scope might be a sensible option for the XML if there is a client token services available. If you want to contribute some code for that follow the process in the README. Otherwise just open a ticket in JIRA and wait for someone else to do it.