  • OAuth2RestTemplate in stateless environment

    Can someone guide me with OAuth2RestTemplate for "stateless" services?

    OAuth2RestTemplate keeps the obtained token in OAuth2ClientContext or in ClientTokenServices (in AccessTokenProviderChain) inside itself.
    If I want to create an OAuth2RestTemplate at runtime (and the OAuth resource also), what should I do (for redirect resource details)?

    Right now I plan to implement ClientTokenServices and use it as a singleton. Something like this:

    private ClientTokenServices clientTokenServices;

    AuthorizationCodeResourceDetails facebookResource = new AuthorizationCodeResourceDetails();
    OAuth2RestTemplate facebookRestTemplate = new OAuth2RestTemplate(facebookResource);
    AccessTokenProviderChain providerChain = new AccessTokenProviderChain(Arrays.<AccessTokenProvider> asList(
            new AuthorizationCodeAccessTokenProvider(), new ImplicitAccessTokenProvider(),
            new ResourceOwnerPasswordAccessTokenProvider(), new ClientCredentialsAccessTokenProvider()));
    OAuth2AccessToken accessToken = facebookRestTemplate.getAccessToken();

    Is it best practice, or am I missing something?

    And what scope is set for beans created by the <oauth:resource /> and <oauth:rest-template /> tags?

    Thanks in advance.
    Last edited by akorotenko; Mar 20th, 2013, 06:22 AM.

  • #2
    I'm not 100% sure I follow what you need, but if I were you I wouldn't create my own AccessTokenProviderChain or OAuth2RestTemplate (I'd use XML configuration, but maybe you don't like that or something?).

    <oauth:resource/> is a singleton. <oauth:rest-template/> is effectively scope="session" for authorization_code grants and singleton for client credentials grant (it delegates internally depending on the grant type).


    • #3
      Yes... probably OAuth2RestTemplate... just ClientTokenServices produces the same gap with a restTemplate created at runtime - an infinite loop of redirect requests...

      The main problem - I need to create <oauth:resource/> at runtime... Different applications which our server should maintain can use different auth services. I can extend OAuth2RestTemplate and set a different oauth:resource, but would probably need to synchronize methods (looks bad).
      The environment will work in AWS with no sessions.

      And this produces another problem - after a redirect from, for instance, Facebook, the response can be caught by another node in the cloud. The OAuth2RestTemplate on that server doesn't know about previous requests.

      I believe there is an elegant solution to the problem, but so far I have not reached it...


      • #4
        I suppose with a ClientTokenServices you don't need the session, so you could make an OAuth2RestTemplate in request scope and it should work. I still would use Spring to create and inject all dependencies if I were you (makes it much easier to test), but it's entirely up to you.

        I can see that request scope might be a sensible option for the XML if there is a client token services available. If you want to contribute some code for that follow the process in the README. Otherwise just open a ticket in JIRA and wait for someone else to do it.
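
Added example, not code from this thread or from the Spring Security OAuth project: one way to write the ClientTokenServices discussed in #1 and #4 so that a token is stored per resource and per authenticated user, and is never handed to a different caller. The class name and the in-memory map are assumptions; in a multi-node deployment the map would be replaced by a store all nodes can reach.

```java
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.ClientTokenServices;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

// Hypothetical class; the three public methods are the ClientTokenServices interface.
public class SharedStoreClientTokenServices implements ClientTokenServices {

    // Assumption: stand-in for storage shared by every node (database, cache).
    // A per-JVM map like this one is only correct on a single node.
    private final ConcurrentMap<List<String>, OAuth2AccessToken> store = new ConcurrentHashMap<>();

    @Override
    public OAuth2AccessToken getAccessToken(OAuth2ProtectedResourceDetails resource, Authentication auth) {
        // Return expired tokens as well: the provider chain inspects expiry itself
        // and needs the stored token to get at its refresh token.
        return store.get(key(resource, auth));
    }

    @Override
    public void saveAccessToken(OAuth2ProtectedResourceDetails resource, Authentication auth,
            OAuth2AccessToken accessToken) {
        store.put(key(resource, auth), accessToken);
    }

    @Override
    public void removeAccessToken(OAuth2ProtectedResourceDetails resource, Authentication auth) {
        store.remove(key(resource, auth));
    }

    // The key is a list, not a concatenated string, so a user name containing a
    // separator character cannot collide with another user's entry.
    private static List<String> key(OAuth2ProtectedResourceDetails resource, Authentication auth) {
        if (resource.isClientOnly()) {
            // Client credentials grant: the token belongs to the application, not a user.
            return Arrays.asList(resource.getId(), resource.getClientId(), null);
        }
        if (auth == null || !auth.isAuthenticated()) {
            // Without a user identity, a user-bound token could be served to anyone.
            throw new IllegalStateException("User-bound token requested without an authenticated user");
        }
        return Arrays.asList(resource.getId(), resource.getClientId(), auth.getName());
    }
}
```

This covers only completed tokens. The state kept between the redirect and the callback lives in OAuth2ClientContext and is not handled by this class.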