com.stormpath.sdk.oauth.OAuthBearerRequestAuthenticator Maven / Gradle / Ivy

Go to download

Show more of this group Show more artifacts with this name
Show all versions of stormpath-sdk-api Show documentation

The Stormpath Java SDK API .jar provides a Java API that your code can use to make calls to the Stormpath API. This .jar is the only compile-time dependency within the Stormpath SDK project that your code should depend on. Implementations of this API (implementation .jars) should be runtime dependencies only.

The newest version!

/*
* Copyright 2015 Stormpath, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.stormpath.sdk.oauth;

/**
 * This class is used to authenticate a Json Web Token against Stormpath. For example:
 *  * Application app = obtainApplication();
 * JwtAuthenticationRequest authRequest = OAuthRequests.OAUTH_BEARER_REQUEST
 *      .builder()
 *      .setJwt(jwt)
 *      .build();
 * JwtAuthenticationResult result = Authenticators.OAUTH_BEARER_REQUEST_AUTHENTICATOR.forApplication(app).authenticate(authRequest);
 * 
 * This validation is always performed against Stormpath server, if you want to validate the token locally, simply apply
 * the {@link #withLocalValidation()} when performing the authentication. Like this:
 *  * JwtAuthenticationResult result = Authenticators.OAUTH_BEARER_REQUEST_AUTHENTICATOR.forApplication(app).withLocalValidation().authenticate(authRequest);
 * 
 *
 * @since 1.0.RC7
 */
public interface OAuthBearerRequestAuthenticator extends OAuthRequestAuthenticator {

    /**
     * Flags the authenticator to carry out a local validation rather than a validation against Stormpath's backend.
     * Doing a local validation will for sure be faster since there is no network traffic involved. However, using Stormpath
     * to validate the token through the REST API ensures that the token can actually be validated against the state of your application
     * and account. To illustrate the difference:
     * 
     * 
     *   *   *   *   
     *      
     *   
     *   
     *      
     *   
     *   
     *      
     *   
     *   
     *      
     *   
     *   
     *      
     *   
     *   
     *      
     *   
     *   
     *      
     *   
     *   
     *      
     *   
     * 
     
     
     Validation Criteria Locally Stormpath
Token hasn’t been tampered with yes yes
Token hasn’t expired yes yes
Token hasn’t been revoked no yes
Account hasn’t been disabled, and hasn’t been deleted no yes
Issuer is Stormpath yes yes
Issuing application is still enabled, and hasn’t been deleted no yes
Account is still in an account store for the issuing application no yes

     * @return This instance for method chaining.
     */
    OAuthBearerRequestAuthenticator withLocalValidation();

}

Validation Criteria	Locally	Stormpath
Token hasn’t been tampered with	yes	yes
Token hasn’t expired	yes	yes
Token hasn’t been revoked	no	yes
Account hasn’t been disabled, and hasn’t been deleted	no	yes
Issuer is Stormpath	yes	yes
Issuing application is still enabled, and hasn’t been deleted	no	yes
Account is still in an account store for the issuing application	no	yes