Processes an authentication form submission for an OAuth2 Authorization Server.
Login forms must present three parameters to this filter: an OAuth2 clientId, a username, and a password.
The default parameter names to use are contained in the static fields org.springframework.security.oauth2.common.util.OAuth2Utils#CLIENT_ID, SPRING_SECURITY_FORM_USERNAME_KEY and SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names for username/password can also be changed by setting the usernameParameter and passwordParameter properties.
This filter by default responds to the URL /login.
Processes an OAuth2 client session Cookie to establish an authenticated user.
This filter selects the client session Cookie by appending the OAuth2Utils#CLIENT_ID request parameter to StatelessUtil#getSessionCookiePrefix(), yielding, for example: BLSID-[client_id].
If the client session Cookie exists, this filter will extract the Cookie’s value, which is expected to be a SignedJWT. The String token and the OAuth2Utils#CLIENT_ID are then used to construct an OAuth2SessionAuthenticationToken.
The OAuth2SessionAuthenticationToken is then passed to AuthenticationManager#authenticate, where it is usually handled by OAuth2SessionAuthenticationProvider, unless another provider is implemented to handle authenticating the token.
Upon a successful authentication, this filter will set the Authentication on the
SecurityContext, refresh the client session Cookie, and proceed with the rest of
the FilterChain.
Upon a failed authentication, this filter will clear the SecurityContext, and delegate to
the AuthenticationEntryPoint to redirect the user to an appropriate location.
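
The cookie selection and token check described above can be sketched as follows. This is an added example, not the Auth Service's own code: it assumes SignedJWT is the Nimbus JOSE+JWT class, and the HS256 shared key, the "client_id" claim name, the expiry check and all class and method names are assumptions chosen for illustration. The point it demonstrates is that the cookie name comes from a request parameter, so the token must itself be bound to that client.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;
import java.util.*;

/** Added illustration; not the service's OAuth2SessionAuthenticationProvider. */
public class SessionCookieCheck {
    static final String PREFIX = "BLSID-";          // prefix taken from the example above
    static final String CLIENT_CLAIM = "client_id"; // assumed claim name

    /** Returns the subject if the cookie selected for clientId holds a valid token. */
    static Optional<String> authenticate(Map<String, String> cookies, String clientId,
                                         byte[] key, Date now) {
        String raw = cookies.get(PREFIX + clientId); // cookie is chosen by a request parameter
        if (raw == null) return Optional.empty();
        try {
            SignedJWT jwt = SignedJWT.parse(raw);
            // Pin the algorithm instead of trusting the token header.
            if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) return Optional.empty();
            if (!jwt.verify(new MACVerifier(key))) return Optional.empty();
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || !exp.after(now)) return Optional.empty();
            // Bind the token to the client: the cookie name alone proves nothing.
            if (!clientId.equals(claims.getStringClaim(CLIENT_CLAIM))) return Optional.empty();
            return Optional.ofNullable(claims.getSubject());
        } catch (java.text.ParseException | JOSEException e) {
            return Optional.empty();                 // malformed or unverifiable: fail closed
        }
    }

    /** Builds a constructed sample token for the demo in main(). */
    static String issue(String sub, String clientId, byte[] key, Date exp) throws JOSEException {
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256),
            new JWTClaimsSet.Builder().subject(sub).claim(CLIENT_CLAIM, clientId)
                .expirationTime(exp).build());
        jwt.sign(new MACSigner(key));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-32-bytes-long!!".getBytes(); // constructed sample key
        Date now = new Date(), later = new Date(now.getTime() + 60_000);
        String forA = issue("alice", "clientA", key, later);
        // Token issued for clientA, presented under clientA's cookie.
        System.out.println(authenticate(Map.of("BLSID-clientA", forA), "clientA", key, now));
        // Same token copied under clientB's cookie name: the client claim does not match.
        System.out.println(authenticate(Map.of("BLSID-clientB", forA), "clientB", key, now));
        // Request names a client for which no session cookie exists.
        System.out.println(authenticate(Map.of("BLSID-clientA", forA), "clientC", key, now));
    }
}
```

An empty result here corresponds to the failed-authentication path above, where the SecurityContext is cleared and the AuthenticationEntryPoint takes over.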
The Auth Service maintains a list of PersistenceHandler implementations. It loops through the list of registered handlers and determines which one can process a given persistence event.
Here is an example list of handlers that are worth noting:
AdminUserPersistenceHandler - Handles messages from the Persistence channel for AdminUser data to update User. This is designed to perform a replacement of existing data within this service from the admin user service.
CustomerPersistenceHandler - Handles messages from the Persistence channel for Customer data to update User. This is designed to perform a replacement of existing data within this service from the customer service.
SegmentMemberPersistenceHandler - Handles creation and deletion of customer segment/customer relationships. Segments are stored on the User in their user attributes. This is designed to work in conjunction with the customer service.