
Thread: OAuth2RestTemplate in stateless environment

  1. #1
    Join Date
    Feb 2011
    Location
    Odessa, Ukraine
    Posts
    11

    OAuth2RestTemplate in stateless environment

    Hi,
    Can someone guide me with OAuth2RestTemplate for "stateless" services?


    OAuth2RestTemplate keeps the obtained token in OAuth2ClientContext or in ClientTokenServices (in AccessTokenProviderChain) inside itself.
    If I want to create an OAuth2RestTemplate at runtime (and the OAuth resource also), what should I do (for redirect resource details)?

    Right now I plan to implement ClientTokenServices and use it as a singleton. Something like this:

    Code:
    // Shared token store, injected as a singleton
    @Autowired
    private ClientTokenServices clientTokenServices;

        // ...

        AuthorizationCodeResourceDetails facebookResource = new AuthorizationCodeResourceDetails();

        // ... (resource configuration elided in the original post)

        OAuth2RestTemplate facebookRestTemplate = new OAuth2RestTemplate(facebookResource);
        AccessTokenProviderChain providerChain = new AccessTokenProviderChain(Arrays.<AccessTokenProvider>asList(
                new AuthorizationCodeAccessTokenProvider(), new ImplicitAccessTokenProvider(),
                new ResourceOwnerPasswordAccessTokenProvider(), new ClientCredentialsAccessTokenProvider()));

        // Look up and store tokens through the shared ClientTokenServices
        providerChain.setClientTokenServices(clientTokenServices);

        facebookRestTemplate.setAccessTokenProvider(providerChain);

        OAuth2AccessToken accessToken = facebookRestTemplate.getAccessToken();

    Is it best practice or am I missing something?

    And what scope is set for beans created by the <oauth:resource /> and <oauth:rest-template /> tags?

    Thanks in advance.
    Last edited by akorotenko; Mar 20th, 2013 at 06:22 AM.

  2. #2
    Join Date
    Jun 2005
    Posts
    4,241


    I'm not 100% sure I follow what you need, but if I were you I wouldn't create my own AccessTokenProviderChain or OAuth2RestTemplate (I'd use XML configuration, but maybe you don't like that or something?).

    <oauth:resource/> is a singleton. <oauth:rest-template/> is effectively scope="session" for authorization_code grants and singleton for the client credentials grant (it delegates internally depending on the grant type).

  3. #3
    Join Date
    Feb 2011
    Location
    Odessa, Ukraine
    Posts
    11


    Yes... probably OAuth2RestTemplate... just ClientTokenServices produces the same gap with a restTemplate created at runtime - an infinite loop of redirect requests...

    The main problem - I need to create <oauth:resource/> at runtime... Different applications which our server should maintain can use different auth services. I can extend OAuth2RestTemplate and set a different oauth:resource, but I would probably need to synchronize methods (looks bad).
    The environment will work in AWS with no sessions.

    And this produces another problem - after a redirect from, for instance, Facebook, the response can be caught by another node in the cloud. The OAuth2RestTemplate on that server doesn't know about previous requests.

    I believe there is an elegant solution to the problem, but so far I have not reached it...

  4. #4
    Join Date
    Jun 2005
    Posts
    4,241


    I suppose with a ClientTokenServices you don't need the session, so you could make an OAuth2RestTemplate in request scope and it should work. I still would use Spring to create and inject all dependencies if I were you (makes it much easier to test), but it's entirely up to you.

    I can see that request scope might be a sensible option for the XML if there is a client token services available. If you want to contribute some code for that follow the process in the README. Otherwise just open a ticket in JIRA and wait for someone else to do it.
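
A sketch of the singleton ClientTokenServices discussed in this thread, as an added example that is not code from any poster or from the Spring Security OAuth project. The class name and the in-memory map are assumptions; the map stands in for a store that every node can reach. It covers token storage only, and the point it shows is that a shared store must key on both the resource and the authenticated user:

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.ClientTokenServices;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

/** Hypothetical class name; the map is a stand-in (assumption) for a shared database or cache. */
public class SharedStoreClientTokenServices implements ClientTokenServices {

    private final ConcurrentMap<String, OAuth2AccessToken> store =
            new ConcurrentHashMap<String, OAuth2AccessToken>();

    // Key on resource id AND user name, so that a singleton shared by all
    // requests never hands one user's token to another user.
    private String key(OAuth2ProtectedResourceDetails resource, Authentication authentication) {
        if (resource.isClientOnly()) {
            return resource.getId() + "|client"; // client credentials: one token per resource
        }
        if (authentication == null || !authentication.isAuthenticated()) {
            return null; // no identified user: nothing may be cached or returned
        }
        return resource.getId() + "|user|" + authentication.getName();
    }

    public OAuth2AccessToken getAccessToken(OAuth2ProtectedResourceDetails resource,
            Authentication authentication) {
        String key = key(resource, authentication);
        return key == null ? null : store.get(key);
    }

    public void saveAccessToken(OAuth2ProtectedResourceDetails resource,
            Authentication authentication, OAuth2AccessToken accessToken) {
        String key = key(resource, authentication);
        if (key != null) {
            store.put(key, accessToken);
        }
    }

    public void removeAccessToken(OAuth2ProtectedResourceDetails resource,
            Authentication authentication) {
        String key = key(resource, authentication);
        if (key != null) {
            store.remove(key);
        }
    }
}
```

When resources are created at runtime, each one needs a distinct id, otherwise tokens issued by different auth services would share a key.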
