Broadleaf Microservices
  • v1.0.0-latest-prod

Token Enhancers


In some cases, there may be a business need for additional claims on an AccessToken. Spring provides mechanisms for customizing access tokens. These mechanisms are different depending on which version of Spring Security, and therefore, which version of Broadleaf you are running. Broadleaf AuthenticationServices 1.x uses Spring Security 5, while AuthenticationServices 2.x uses Spring Security 6.

AuthenticationServices 2.x

Spring Security expects an OAuth2TokenCustomizer<JwtEncodingContext> bean to facilitate customizing the JWT access token. Broadleaf registers the DefaultJwtTokenCustomizer, which in turn delegates to a List of JwtAccessTokenEnhancer to add claims.

To add new claims to the access token, simply register a JwtAccessTokenEnhancer bean. In the enhance(JwtTokenEnhancerContext context) method, use JwtTokenEnhancerContext#getClaims() to get the JwtClaimsSet.Builder, to which new claims can be added.

Here are the JwtAccessTokenEnhancer classes included with AuthenticationServices 2.0 to add Broadleaf’s claims to access tokens:

  • AccountIdAccessTokenEnhancer

  • AuthoritiesAccessTokenEnhancer

  • ClientPermissionsAccessTokenEnhancer

  • ClientRestrictionAccessTokenEnhancer

  • CustomerContextAccessTokenEnhancer

  • CustomerSegmentsAccessTokenEnhancer

  • ImpersonationAccessTokenEnhancer

  • RandomTokenEnhancer

  • RegisteredClaimsAccessTokenEnhancer

  • TenantPropertiesAccessTokenEnhancer

  • UserAccessTokenEnhancer

  • UserRestrictionAccessTokenEnhancer

In 2.0, enhancers were renamed from *TokenEnhancer to *AccessTokenEnhancer.

AuthenticationServices 1.x

Spring provides a concept of a TokenEnhancer in order to update claims on the token before it is stored and returned.

By default, Spring contributes its own claims to facilitate building out a JWT compliant token using the JWTAccessTokenConverter.

Broadleaf provides a set of additional enhancers to contribute additional claims that are used by various microservices in the framework.

The following is a list of some included Broadleaf-specific enhancers:

  • RegisteredClaimsTokenEnhancer

  • UserTokenEnhancer

  • TenantPropertiesTokenEnhancer

  • CustomerContextTokenEnhancer

  • CustomerSegmentsTokenEnhancer

  • ImpersonationTokenEnhancer

  • UserRestrictionTokenEnhancer

  • ClientRestrictionTokenEnhancer

Creating your own TokenEnhancer

See the Example Customizations sections to view more details on how you can create your own token enhancer.