XML Spring Configuration to enforce the access_token and refresh_token in oAuth2.0

[marshallmonica@yahoo.com]

Hello Everyone !

I have been experimenting with the Sparklr2 and Tonr2 applications. I have them deployed on two difference Tomcat instances and have been debugging the code that Ryan Heaton has written.

I have a few questions regarding the Spring XML configuration that needs to be set up to force the client application not only to be sent to the oauth/user/authorize url for authorization but also to the /oauth/authorize URL where the user actually gets an access_token and an refresh_token. In the sample applications that I am running I never see the client actually invoke the Restful web service requesting the photos from Sparklr and sending the request with the access_token in the Authorization header. I only see the "authorization" phase where the client application is sent to the accessConfirmation.jsp page and is asked to either authorize or decline access. After the client has clicked on the "Authorize" button, the client should receive an access_token and optionally a refresh_token. I should be able to take the access_token and refresh_token and persist it in the database for future client/server sessions and for creating a new token once the old token has expired or was revoked. I just don't see anywhere in the sparklr2/tonr2 demo application where the client actually makes a request using the authRestTemplate and sets the Header Authorization to contain the access_code given by the Authorization Server to the Client App.
In the application I am writing I have a requirement not only to haver users with username and password coming from a database and not hardcoded in the xml config file. I also have a requirement to persist the access_token and refresh_token on behalf of a client id.
What example can I look at to figure out how to change the Sparklr2/tonr2 xml config file to force the two step protocol ( authorization/access_code/refresh_code ) and to save the the access_code and refresh_code for the given clientId/secret_code ?

Please, I would appreciate your help on this matter. I have been studying the very interesting demo application written by Ryan Heaton but have not been able to figure out the access_token and the /oauth/authorize part yet.

Monica Marshall
Sr. Software Engineer/Tracom/Denver

[stoicflame]

The call to the oauth rest template is in the org.springframework.security.oauth.examples.tonr.i mpl.SparklrServiceImpl#getSparklrPhotoIds method.

To persist the access token and refresh token, provide your own implementation of org.springframework.security.oauth2.consumer.token .OAuth2ClientTokenServices.

[marshallmonica@yahoo.com]

I have the following questions regarding supplying an implementation for the OAuth2ProviderTokenServices interface that is different than InMemoryOAuth2ProviderTokenServices.

1. What are the reasons for using the InMemoryOAuth2ProviderTokenServices?
2. What are the reasons for using an alternative implementation of the OAuth2ProviderTokenServices interface?
3. What are the default values for time to live of the access_token and refresh_token if I use the InMemoryOAuth2ProviderTokenServices ?
4. Would I use a custom implementation for the OAuth2ProviderTokenServices if I want the Service that sets a different time to live for the access_token and refresh_token than the default ?
5. Is the use of the InMemoryOAuth2ProviderTokenServices safe in a realtime production environment ?

I saw that the InMemoryOAuth2ProviderTokenServices uses a ConcurrentHashMap to store the refresh_token, the access_token and the Authentication details.

Thank you for advising.

Monica

[stoicflame]

1. What are the reasons for using the InMemoryOAuth2ProviderTokenServices?

Convenience.

2. What are the reasons for using an alternative implementation of the OAuth2ProviderTokenServices interface?

Persistence across multiple servers and between downtime of server. Also to provide custom configuration.

3. What are the default values for time to live of the access_token and refresh_token if I use the InMemoryOAuth2ProviderTokenServices ?

access_token: 12 hours
refresh_token: 30 days

4. Would I use a custom implementation for the OAuth2ProviderTokenServices if I want the Service that sets a different time to live for the access_token and refresh_token than the default ?

Not necessarily; you can change those via config.

5. Is the use of the InMemoryOAuth2ProviderTokenServices safe in a realtime production environment ?

Sure, if you can live with a single server and the fact that tokens are volatile between server restarts.