Class Authentication
Client credentials flow
The ApiRootBuilder.defaultClient(ClientCredentials, ServiceRegionConfig) and ClientBuilder.defaultClient(ClientCredentials, ServiceRegionConfig) methods configure the client to use the client credentials flow for authentication. To configure this flow explicitly, use the ApiRootBuilder.withClientCredentialsFlow(ClientCredentials, URI) method.
Static token
When you want to use a static token, e.g. one issued by an external OAuth service, use the ApiRootBuilder.withStaticTokenFlow(AuthenticationToken) method to configure the client with the existing token.
Anonymous and RefreshToken flow
The ApiRootBuilder.withAnonymousRefreshFlow(ClientCredentials, ServiceRegion, TokenStorage) method configures a stack of TokenProviders which first try to get a token from the TokenStorage. If there is no token, it requests one using the anonymous token flow. If the token is invalid, the RefreshFlowTokenSupplier will try to refresh it.
This method can be combined with the GlobalCustomerPasswordTokenSupplier to request a customer-bound token and save it in the TokenStorage.
Standalone anonymous session flow
The AnonymousSessionTokenSupplier requests an anonymous token only, without falling back to a refresh token flow. This supplier can be configured with ApiRootBuilder.withAnonymousSessionFlow(ClientCredentials, String).
Password flow
The ApiRootBuilder.withGlobalCustomerPasswordFlow(ClientCredentials, String, String, String) method configures a client with a token issued to a specific customer. It configures the client to use the GlobalCustomerPasswordTokenSupplier for authentication.
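The following is an added example (not code from the SDK's own documentation or tests) that ties the anonymous/refresh flow above to the password flow: an anonymous session is started against a TokenStorage, and when the customer signs in, a customer-bound token from GlobalCustomerPasswordTokenSupplier replaces the anonymous one in that same storage. Assumed and not taken from this page: the TokenStorage interface shape (getToken/setToken), the GlobalCustomerPasswordTokenSupplier constructor parameter order, the ServiceRegion.getPasswordFlowTokenUrl(projectKey) accessor, and the build(projectKey)/me() calls; project key, credentials, e-mail and password are placeholders.

```java
import java.util.concurrent.atomic.AtomicReference;
import com.commercetools.api.client.ProjectApiRoot;
import com.commercetools.api.defaultconfig.ApiRootBuilder;
import com.commercetools.api.defaultconfig.ServiceRegion;
import io.vrap.rmf.base.client.http.HttpClientSupplier;
import io.vrap.rmf.base.client.oauth2.AuthenticationToken;
import io.vrap.rmf.base.client.oauth2.ClientCredentials;
import io.vrap.rmf.base.client.oauth2.GlobalCustomerPasswordTokenSupplier;
import io.vrap.rmf.base.client.oauth2.TokenStorage;

public class SessionUpgradeExample {

    // Minimal TokenStorage held in process memory (assumed interface: getToken/setToken).
    // The anonymous/refresh stack reads the token from here first and only requests a new
    // anonymous token when the storage is empty.
    static final class VolatileTokenStorage implements TokenStorage {
        private final AtomicReference<AuthenticationToken> token = new AtomicReference<>();
        @Override
        public AuthenticationToken getToken() { return token.get(); }
        @Override
        public void setToken(final AuthenticationToken newToken) { token.set(newToken); }
    }

    public static void main(final String[] args) throws Exception {
        final String projectKey = "PROJECT_KEY_PLACEHOLDER";
        final ClientCredentials credentials = ClientCredentials.of()
                .withClientId("CLIENT_ID_PLACEHOLDER")
                .withClientSecret("CLIENT_SECRET_PLACEHOLDER")
                .build();
        final VolatileTokenStorage storage = new VolatileTokenStorage();

        // 1. Anonymous session: storage is empty, so the first API call obtains an anonymous
        //    token; RefreshFlowTokenSupplier refreshes it once it becomes invalid.
        final ProjectApiRoot apiRoot = ApiRootBuilder.of()
                .withAnonymousRefreshFlow(credentials, ServiceRegion.GCP_EUROPE_WEST1, storage)
                .build(projectKey);

        // 2. Customer signs in: fetch a customer-bound token with the password flow and put
        //    it into the same storage, so later apiRoot calls act on behalf of the customer.
        //    Scope "" keeps the client's default scopes; the token URL accessor is assumed.
        final GlobalCustomerPasswordTokenSupplier customerSupplier = new GlobalCustomerPasswordTokenSupplier(
                credentials.getClientId(), credentials.getClientSecret(), "customer@example.com",
                "CUSTOMER_PASSWORD_PLACEHOLDER", "",
                ServiceRegion.GCP_EUROPE_WEST1.getPasswordFlowTokenUrl(projectKey),
                HttpClientSupplier.of().get());
        storage.setToken(customerSupplier.getToken().get());

        apiRoot.me().get().executeBlocking();
    }
}
```

Because the storage is the single source of truth for the token, clearing it on logout is what ends the customer-bound session on the client side.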
Introspection
The token introspection provided by the API can't be used directly with the SDK clients. You have to call the introspection endpoint with the token separately, as in the following test snippet.
// retrieve a token
ClientCredentials credentials = ClientCredentials.of()
        .withClientId(CommercetoolsTestUtils.getClientId())
        .withClientSecret(CommercetoolsTestUtils.getClientSecret())
        .build();
ClientCredentialsTokenSupplier tokenSupplier = new ClientCredentialsTokenSupplier(credentials.getClientId(),
        credentials.getClientSecret(), "", ServiceRegion.GCP_EUROPE_WEST1.getOAuthTokenUrl(),
        HttpClientSupplier.of().get());
final AuthenticationToken token = tokenSupplier.getToken().get();

// client to be used for calling introspection endpoint
ApiHttpClient client = ClientBuilder.of().defaultClient(ServiceRegion.GCP_EUROPE_WEST1.getAuthUrl()).build();

// build the introspection request: the endpoint authenticates the caller with HTTP Basic (client id:secret)
final String auth = Base64.getEncoder()
        .encodeToString((credentials.getClientId() + ":" + credentials.getClientSecret())
                .getBytes(StandardCharsets.UTF_8));
final ApiHttpHeaders headers = new ApiHttpHeaders()
        .withHeader(ApiHttpHeaders.AUTHORIZATION, format("Basic %s", auth))
        .withHeader(ApiHttpHeaders.CONTENT_TYPE, "application/x-www-form-urlencoded");
final String body = "token=" + token.getAccessToken();
final ApiHttpRequest request = new ApiHttpRequest(ApiHttpMethod.POST,
        URI.create(ServiceRegion.GCP_EUROPE_WEST1.getAuthUrl() + "/oauth/introspect"), headers,
        body.getBytes(StandardCharsets.UTF_8));

// call the introspection endpoint and map to the TokenIntrospection class
final ApiHttpResponse<TokenIntrospection> tokenIntrospection = client.execute(request)
        .thenApply(apiHttpResponse -> client.getSerializerService()
                .convertResponse(apiHttpResponse, TokenIntrospection.class))
        .get();
Assertions.assertTrue(tokenIntrospection.getBody().isActive());
See the test code.
Token revocation
The token revocation provided by the API can't be used directly with the SDK client. You have to call the revoke endpoint with the token to be revoked separately; the following test snippet revokes a token and then confirms via introspection that it is no longer active.
// retrieve a token
ClientCredentials credentials = ClientCredentials.of()
        .withClientId(CommercetoolsTestUtils.getClientId())
        .withClientSecret(CommercetoolsTestUtils.getClientSecret())
        .build();
ClientCredentialsTokenSupplier tokenSupplier = new ClientCredentialsTokenSupplier(credentials.getClientId(),
        credentials.getClientSecret(), "", ServiceRegion.GCP_EUROPE_WEST1.getOAuthTokenUrl(),
        HttpClientSupplier.of().get());
final AuthenticationToken token = tokenSupplier.getToken().get();

// client to be used for calling the revoke and introspection endpoints
ApiHttpClient client = ClientBuilder.of().defaultClient(ServiceRegion.GCP_EUROPE_WEST1.getAuthUrl()).build();
final String auth = Base64.getEncoder()
        .encodeToString((credentials.getClientId() + ":" + credentials.getClientSecret())
                .getBytes(StandardCharsets.UTF_8));
final ApiHttpHeaders headers = new ApiHttpHeaders()
        .withHeader(ApiHttpHeaders.AUTHORIZATION, format("Basic %s", auth))
        .withHeader(ApiHttpHeaders.CONTENT_TYPE, "application/x-www-form-urlencoded");

// build the revoke request
final String revokeBody = "token=" + token.getAccessToken() + "&token_type_hint=access_token";
final ApiHttpRequest revokeRequest = new ApiHttpRequest(ApiHttpMethod.POST,
        URI.create(ServiceRegion.GCP_EUROPE_WEST1.getAuthUrl() + "/oauth/token/revoke"), headers,
        revokeBody.getBytes(StandardCharsets.UTF_8));

// call the revoke endpoint
final ApiHttpResponse<byte[]> revokeToken = client.execute(revokeRequest).get();
Assertions.assertEquals(HttpStatusCode.OK_200, revokeToken.getStatusCode());

// build the introspection request
final String introspectBody = "token=" + token.getAccessToken();
final ApiHttpRequest introspectRequest = new ApiHttpRequest(ApiHttpMethod.POST,
        URI.create(ServiceRegion.GCP_EUROPE_WEST1.getAuthUrl() + "/oauth/introspect"), headers,
        introspectBody.getBytes(StandardCharsets.UTF_8));

// call the introspection endpoint and map to the TokenIntrospection class;
// the revoked token must now be reported as inactive
final ApiHttpResponse<TokenIntrospection> tokenIntrospection = client.execute(introspectRequest)
        .thenApply(apiHttpResponse -> client.getSerializerService()
                .convertResponse(apiHttpResponse, TokenIntrospection.class))
        .get();
Assertions.assertFalse(tokenIntrospection.getBody().isActive());
See the test code.
Constructor Details
Authentication
public Authentication()