Tokens flow

Prerequisites

Need say few words how to use tokens flow.

After login user in way described at Login in session placed access token. And also refresh token value from access token object put in cookie.

Important

Cookie has expiration time. It is defined by value “Refresh token validity” in seconds, contact system administrator to know that.

So tokens flow looks like

  1. Client app login user (access token -> session, refresh token -> cookie with expiration time).
  2. If token is expired (IvisOAuth2Utils.isTokenGood(httpServletRequest) -> exchange refresh token from cookie (cookie key “refreshToken”) to access token.
  3. If cookie does not exist -> login user again.

Let’s see how it looks like.

For last two points let’s define handler that will work with unauthorized users.

public static final String PATH = "/unauthorized";

private final AuthorizationCodeResourceDetails client;
private final ClientProperties clientProperties;

private final String ivisLogoutUrl;

@Autowired
public UnauthorizedErrorController(
        @Qualifier("clientInformation")
                AuthorizationCodeResourceDetails client,
        ClientProperties clientProperties) {
    this.client = client;
    this.clientProperties = clientProperties;
    this.ivisLogoutUrl = clientProperties.getApiServerAddress() + clientProperties.getIvisLogoutRelativeUri();
}

@RequestMapping(value = PATH)
public View unauthorizedUsers(ModelAndView view,
                              HttpServletRequest request,
                              HttpServletResponse response,
                              @CookieValue(value = "refreshToken", required = false) String refreshTokenCookie) throws UnsupportedEncodingException, URISyntaxException {
    logger.info("User unauthorized!");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    OAuth2AccessToken accessToken = IvisOAuth2Utils.getAccessToken(client, refreshTokenCookie);
    //logout client
    if (accessToken == null) {
        String loginUrl = clientProperties.getClientAddress() + IvisAuthorizationController.LOGIN_RELATIVE_URI;
        String redirectUrl = new URIBuilder(ivisLogoutUrl)
                .addParameter("redirect_url", loginUrl)
                .build()
                .toString();
        logger.debug(redirectUrl);
        return new RedirectView(redirectUrl, false);
    }

    IvisOAuth2Utils.setAccessToken(request, accessToken);
    return new RedirectView("/", true);
}

As you can see this method also logout user from iVIS.

Note

In Access to protected resources routine described IvisAuthorizedFilter.

If user not logged in, filter intercept access to protected resources by error thrown:

  1. org.springframework.security.oauth2.common.exceptions.UnauthorizedUserException with message “Token isn’t good”.
  2. org.springframework.security.access.AccessDeniedException with message “Token is good, but roles aren’t”.