Interface OAuthStore
public interface OAuthStore
Interface for storing and accessing the OAuth artifacts, such as clients, tokens,
and consents, that an OAuth flow needs. The implementation is responsible for
securing the data in motion and at rest.
Implementing classes are required to define a zero-argument constructor so that
they can be instantiated during loading.
To make an OAuthStore implementation available to Liberty as an OSGi service there are two
options.

- Basic Extensions using Liberty Libraries (BELL)

The BELL feature uses the Java ServiceLoader facility to load an OSGi service from a library. Your JAR file must contain both the OAuthStore implementation class and the provider-configuration file. The following list shows the files that might go into a JAR file:

    myLibrary.jar
    -------------
    -- com/acme/CustomOAuthStore1.class
    -- com/acme/CustomOAuthStore2.class
    -- META-INF/services/com.ibm.websphere.security.oauth20.store.OAuthStore

The provider-configuration file lists all the OAuthStore implementations to be provided as an OSGi service. For example, for myLibrary.jar, the META-INF/services/com.ibm.websphere.security.oauth20.store.OAuthStore provider-configuration file has a list of services, with each service on its own line. It *must* also specify the ID for each instance by inserting a comment line before each implementing class that contains a key-value pair where the key is 'oauth.store.id' and the value is a unique ID that can be used to reference the instance from an OAuth provider in the server.xml.

    # oauth.store.id=customOAuthStore1
    com.acme.CustomOAuthStore1
    # oauth.store.id=customOAuthStore2
    com.acme.CustomOAuthStore2

Once the JAR has been packaged, update the server.xml configuration to include the "bells-1.0" feature, the library that points to the JAR, and the BELL configuration that points to the library. Finally, associate the OAuth provider with an OAuthStore implementation by adding a 'customStore' element to the 'oauthProvider' element and setting the 'storeId' attribute to the value of the 'oauth.store.id' of the OAuthStore implementation to use. Below is an example of associating 'customOAuthStore1' with an OAuth provider using the BELL feature.

    <server>
        <featureManager>
            <feature>oauth-2.0</feature>
            <feature>bells-1.0</feature>
        </featureManager>

        <!-- Create a library for the JAR file that contains the OAuthStore implementation. -->
        <library id="mylibrary">
            <file name="${shared.resource.dir}/libs/myLibrary.jar"/>
        </library>

        <!-- Load the library in a BELL. -->
        <bell libraryRef="mylibrary" />

        <!-- Configure the OAuth provider with the custom OAuthStore implementation. -->
        <oauthProvider ...>
            <customStore storeId="customOAuthStore1" />
        </oauthProvider>
    </server>

- Registering with a user feature

You can create a new OSGi service that implements the OAuthStore in a user feature. The service *must* define the property 'oauth.store.id' with a unique ID that can be used to reference the implementation from an OAuth provider in the server.xml. An example component XML file defining the component service might look like this:

    OSGI-INF/com.acme.CustomOAuthStore1.xml
    ---------------------------------------
    <component name="CustomOAuthStore1">
        <implementation class="com.acme.CustomOAuthStore1"/>
        <service>
            <provide interface="com.ibm.websphere.security.oauth20.store.OAuthStore"/>
        </service>
        <property name="service.vendor" type="String" value="ACME"/>
        <property name="oauth.store.id" type="String" value="customOAuthStore1"/>
    </component>

When the user feature has been installed in Liberty, add the user feature to the feature list in the server.xml configuration file. Finally, associate the OAuth provider with an OAuthStore implementation by adding a 'customStore' element to the 'oauthProvider' element and setting the 'storeId' attribute to the value of the 'oauth.store.id' of the OAuthStore implementation to use. Below is an example of associating 'customOAuthStore1' with an OAuth provider using a user feature.

    <server>
        <featureManager>
            <feature>oauth-2.0</feature>
            <feature>user:myFeature-1.0</feature>
        </featureManager>

        <!-- Configure the OAuth provider with the custom OAuthStore. -->
        <oauthProvider ...>
            <customStore storeId="customOAuthStore1" />
        </oauthProvider>
    </server>
-
Method Summary

int countTokens(String providerId, String username, String clientId)
    Counts the OAuthToken entries matching the given providerId, username, and clientId arguments in the store.
void create(OAuthClient oauthClient)
    Creates an OAuthClient entry in the store.
void create(OAuthConsent oauthConsent)
    Creates an OAuthConsent entry in the store.
void create(OAuthToken oauthToken)
    Creates an OAuthToken entry in the store.
void deleteClient(String providerId, String clientId)
    Deletes the OAuthClient entry matching the providerId and clientId arguments from the store.
void deleteConsent(String providerId, String username, String clientId, String resource)
    Deletes the OAuthConsent entry matching the providerId, username, clientId, and resource arguments from the store.
void deleteConsents(String providerId, long timestamp)
    Deletes the OAuthConsent entries for the providerId whose expiration field is less than the given timestamp from the store.
void deleteToken(String providerId, String lookupKey)
    Deletes the OAuthToken entry matching the providerId and lookupKey arguments from the store.
void deleteTokens(String providerId, long timestamp)
    Deletes the OAuthToken entries for the providerId whose expiration field is less than the given timestamp from the store.
Collection<OAuthClient> readAllClients(String providerId, String attribute)
    Reads all the OAuthClient entries matching the given providerId and attribute arguments from the store.
Collection<OAuthToken> readAllTokens(String providerId, String username)
    Reads all the OAuthToken entries matching the given providerId and username arguments from the store.
OAuthClient readClient(String providerId, String clientId)
    Reads the OAuthClient entry matching the given providerId and clientId arguments from the store.
OAuthConsent readConsent(String providerId, String username, String clientId, String resource)
    Reads the OAuthConsent entry matching the given providerId, username, clientId, and resource arguments from the store.
OAuthToken readToken(String providerId, String lookupKey)
    Reads the OAuthToken entry matching the given providerId and lookupKey arguments from the store.
void update(OAuthClient oauthClient)
    Updates an OAuthClient entry in the store.
void update(OAuthConsent oauthConsent)
    Updates an OAuthConsent entry in the store.
void update(OAuthToken oauthToken)
    Updates an OAuthToken entry in the store.
-
Method Details
-
create
void create(OAuthClient oauthClient) throws OAuthStoreException
Creates an OAuthClient entry in the store.
- Parameters:
  oauthClient - the OAuthClient object representing the client to create in the store
- Throws:
  OAuthStoreException - if the store is not able to create the OAuthClient entry
-
create
void create(OAuthToken oauthToken) throws OAuthStoreException
Creates an OAuthToken entry in the store.
- Parameters:
  oauthToken - the OAuthToken object representing the token to create in the store
- Throws:
  OAuthStoreException - if the store is not able to create the OAuthToken entry
-
create
void create(OAuthConsent oauthConsent) throws OAuthStoreException
Creates an OAuthConsent entry in the store.
- Parameters:
  oauthConsent - the OAuthConsent object representing the consent to create in the store
- Throws:
  OAuthStoreException - if the store is not able to create the OAuthConsent entry
-
readClient
OAuthClient readClient(String providerId, String clientId) throws OAuthStoreException
Reads the OAuthClient entry matching the given providerId and clientId arguments from the store.
- Parameters:
  providerId - the id of the OAuth provider the client is registered with
  clientId - the id of the client entry to find in the store
- Returns:
  the OAuthClient entry, or null if no matching entry exists
- Throws:
  OAuthStoreException - if the store is not able to read an OAuthClient entry
-
readAllClients
Collection<OAuthClient> readAllClients(String providerId, String attribute) throws OAuthStoreException
Reads all the OAuthClient entries matching the given providerId and attribute arguments from the store.
- Parameters:
  providerId - the id of the OAuth provider the clients are registered with
  attribute - an attribute of the client to match when reading entries from the underlying store. If null, the method should return all clients for the specified provider.
- Returns:
  the collection of OAuthClient entries, or null if no matching entries exist
- Throws:
  OAuthStoreException - if the store is not able to read the OAuthClient entries
-
readToken
OAuthToken readToken(String providerId, String lookupKey) throws OAuthStoreException
Reads the OAuthToken entry matching the given providerId and lookupKey arguments from the store.
- Parameters:
  providerId - the id of the OAuth provider that issued the token
  lookupKey - the lookup key of the token entry to find in the store
- Returns:
  the OAuthToken entry, or null if no matching entry exists
- Throws:
  OAuthStoreException - if the store is not able to read an OAuthToken entry
-
readAllTokens
Collection<OAuthToken> readAllTokens(String providerId, String username) throws OAuthStoreException
Reads all the OAuthToken entries matching the given providerId and username arguments from the store.
- Parameters:
  providerId - the id of the OAuth provider that issued the tokens
  username - the user the tokens were issued for
- Returns:
  the collection of OAuthToken entries, or null if no matching entries exist
- Throws:
  OAuthStoreException - if the store is not able to read the OAuthToken entries
-
countTokens
int countTokens(String providerId, String username, String clientId) throws OAuthStoreException
Counts the OAuthToken entries matching the given providerId, username, and clientId arguments in the store.
- Parameters:
  providerId - the id of the OAuth provider that issued the tokens
  username - the user the tokens were issued for
  clientId - the id of the client the tokens were issued to
- Returns:
  the number of tokens issued to the user for the client with the given clientId by the provider with the given providerId
- Throws:
  OAuthStoreException - if the store is not able to count the OAuthToken entries
-
readConsent
OAuthConsent readConsent(String providerId, String username, String clientId, String resource) throws OAuthStoreException
Reads the OAuthConsent entry matching the given providerId, username, clientId, and resource arguments from the store.
- Parameters:
  providerId - the id of the OAuth provider from which consent was given
  username - the user that gave consent
  clientId - the id of the client granted consent to access the resource
  resource - the resource the client was granted consent to
- Returns:
  the OAuthConsent entry, or null if no matching entry exists
- Throws:
  OAuthStoreException - if the store is not able to read an OAuthConsent entry
-
update
void update(OAuthClient oauthClient) throws OAuthStoreException
Updates an OAuthClient entry in the store. If the entry does not exist, this operation is a no-op.
- Parameters:
  oauthClient - the OAuthClient object representing the client to update in the store
- Throws:
  OAuthStoreException - if the store is not able to update the OAuthClient entry
-
update
void update(OAuthToken oauthToken) throws OAuthStoreException
Updates an OAuthToken entry in the store. If the entry does not exist, this operation is a no-op.
- Parameters:
  oauthToken - the OAuthToken object representing the token to update in the store
- Throws:
  OAuthStoreException - if the store is not able to update the OAuthToken entry
-
update
void update(OAuthConsent oauthConsent) throws OAuthStoreException
Updates an OAuthConsent entry in the store. If the entry does not exist, this operation is a no-op.
- Parameters:
  oauthConsent - the OAuthConsent object representing the consent to update in the store
- Throws:
  OAuthStoreException - if the store is not able to update the OAuthConsent entry
-
deleteClient
void deleteClient(String providerId, String clientId) throws OAuthStoreException
Deletes the OAuthClient entry matching the providerId and clientId arguments from the store.
- Parameters:
  providerId - the id of the OAuth provider the client is registered with
  clientId - the id of the client entry to delete from the store
- Throws:
  OAuthStoreException - if the store is not able to delete the OAuthClient entry
-
deleteToken
void deleteToken(String providerId, String lookupKey) throws OAuthStoreException
Deletes the OAuthToken entry matching the providerId and lookupKey arguments from the store.
- Parameters:
  providerId - the id of the OAuth provider that issued the token
  lookupKey - the lookup key of the token entry to delete from the store
- Throws:
  OAuthStoreException - if the store is not able to delete the OAuthToken entry
-
deleteTokens
void deleteTokens(String providerId, long timestamp) throws OAuthStoreException
Deletes the OAuthToken entries for the providerId whose expiration field is less than the given timestamp argument from the store.
- Parameters:
  providerId - the id of the OAuth provider that issued the tokens
  timestamp - the time in milliseconds since the epoch; every token entry for the provider whose expiration is earlier than this value is deleted from the store
- Throws:
  OAuthStoreException - if the store is not able to delete the OAuthToken entries
-
deleteConsent
void deleteConsent(String providerId, String username, String clientId, String resource) throws OAuthStoreException
Deletes the OAuthConsent entry matching the providerId, username, clientId, and resource arguments from the store.
- Parameters:
  providerId - the id of the OAuth provider from which consent was given
  username - the user that gave consent
  clientId - the id of the client for which to delete the user's consent entry from the store
  resource - the resource the client was granted consent to
- Throws:
  OAuthStoreException - if the store is not able to delete the OAuthConsent entry
-
deleteConsents
void deleteConsents(String providerId, long timestamp) throws OAuthStoreException
Deletes the OAuthConsent entries for the providerId whose expiration field is less than the given timestamp argument from the store.
- Parameters:
  providerId - the id of the OAuth provider from which consent was given
  timestamp - the time in milliseconds since the epoch; every consent entry for the provider whose expiration is earlier than this value is deleted from the store
- Throws:
  OAuthStoreException - if the store is not able to delete the OAuthConsent entries
-
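The following is an added example, not Liberty's code and not part of this reference page, of an in-memory store that satisfies the contract spelled out in the method details above: a zero-argument constructor, update as a no-op when the entry is absent, null from the readAll methods when nothing matches, and expiry sweeps that delete only entries whose expiration is less than the supplied timestamp. Every key is prefixed with the providerId, so two OAuth providers that share one store cannot read, count or delete each other's clients, tokens or consents. The class name com.acme.CustomOAuthStore1 reuses the name from the BELL example; the getters on OAuthClient, OAuthToken and OAuthConsent (getProviderId, getClientId, getLookupKey, getUsername, getUser, getResource, getExpires, getClientMetadata), the OAuthStoreException(String) constructor, and the reading of the readAllClients 'attribute' argument as a substring of the client metadata are assumptions about the Liberty API that this page does not document.

```java
package com.acme;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import com.ibm.websphere.security.oauth20.store.OAuthClient;
import com.ibm.websphere.security.oauth20.store.OAuthConsent;
import com.ibm.websphere.security.oauth20.store.OAuthStore;
import com.ibm.websphere.security.oauth20.store.OAuthStoreException;
import com.ibm.websphere.security.oauth20.store.OAuthToken;

/**
 * Illustrative in-memory OAuthStore (not Liberty's code). Every map key starts with the
 * providerId, so providers sharing one store cannot read or delete each other's entries.
 * The getters on OAuthClient/OAuthToken/OAuthConsent and the OAuthStoreException(String)
 * constructor are assumed from the Liberty API; the reference page does not document them.
 */
public class CustomOAuthStore1 implements OAuthStore {
    private static final String SEP = "\u0000"; // never occurs in ids or lookup keys
    private final Map<String, OAuthClient> clients = new ConcurrentHashMap<>();
    private final Map<String, OAuthToken> tokens = new ConcurrentHashMap<>();
    private final Map<String, OAuthConsent> consents = new ConcurrentHashMap<>();

    /** Zero-argument constructor: required so Liberty can instantiate the store on load. */
    public CustomOAuthStore1() { }

    private static String key(String... parts) {
        return String.join(SEP, parts);
    }

    /** Design choice: creating an entry that already exists is an error, never a silent overwrite. */
    private static <V> void createEntry(Map<String, V> m, String k, V v) throws OAuthStoreException {
        if (m.putIfAbsent(k, v) != null) throw new OAuthStoreException("entry already exists: " + k);
    }

    @Override public void create(OAuthClient c) throws OAuthStoreException {
        createEntry(clients, key(c.getProviderId(), c.getClientId()), c);
    }
    @Override public OAuthClient readClient(String providerId, String clientId) {
        return clients.get(key(providerId, clientId));
    }
    @Override public Collection<OAuthClient> readAllClients(String providerId, String attribute) {
        Collection<OAuthClient> out = new ArrayList<>();
        for (OAuthClient c : clients.values()) {
            // Assumed reading of 'attribute': a substring of the client metadata; null matches all clients.
            if (providerId.equals(c.getProviderId()) && (attribute == null
                    || (c.getClientMetadata() != null && c.getClientMetadata().contains(attribute)))) out.add(c);
        }
        return out.isEmpty() ? null : out; // contract: null when nothing matches
    }
    @Override public void update(OAuthClient c) {
        clients.replace(key(c.getProviderId(), c.getClientId()), c); // no-op if the entry is absent
    }
    @Override public void deleteClient(String providerId, String clientId) {
        clients.remove(key(providerId, clientId));
    }

    @Override public void create(OAuthToken t) throws OAuthStoreException {
        createEntry(tokens, key(t.getProviderId(), t.getLookupKey()), t);
    }
    @Override public OAuthToken readToken(String providerId, String lookupKey) {
        return tokens.get(key(providerId, lookupKey));
    }
    @Override public Collection<OAuthToken> readAllTokens(String providerId, String username) {
        Collection<OAuthToken> out = new ArrayList<>();
        for (OAuthToken t : tokens.values())
            if (providerId.equals(t.getProviderId()) && username.equals(t.getUsername())) out.add(t);
        return out.isEmpty() ? null : out;
    }
    @Override public int countTokens(String providerId, String username, String clientId) {
        return (int) tokens.values().stream().filter(t -> providerId.equals(t.getProviderId())
                && username.equals(t.getUsername()) && clientId.equals(t.getClientId())).count();
    }
    @Override public void update(OAuthToken t) {
        tokens.replace(key(t.getProviderId(), t.getLookupKey()), t);
    }
    @Override public void deleteToken(String providerId, String lookupKey) {
        tokens.remove(key(providerId, lookupKey));
    }
    @Override public void deleteTokens(String providerId, long timestamp) {
        // Expiry sweep scoped to one provider: expires < timestamp, exactly as the contract states.
        tokens.values().removeIf(t -> providerId.equals(t.getProviderId()) && t.getExpires() < timestamp);
    }

    @Override public void create(OAuthConsent c) throws OAuthStoreException {
        createEntry(consents, key(c.getProviderId(), c.getUser(), c.getClientId(), c.getResource()), c);
    }
    @Override public OAuthConsent readConsent(String providerId, String username, String clientId, String resource) {
        return consents.get(key(providerId, username, clientId, resource));
    }
    @Override public void update(OAuthConsent c) {
        consents.replace(key(c.getProviderId(), c.getUser(), c.getClientId(), c.getResource()), c);
    }
    @Override public void deleteConsent(String providerId, String username, String clientId, String resource) {
        consents.remove(key(providerId, username, clientId, resource));
    }
    @Override public void deleteConsents(String providerId, long timestamp) {
        consents.values().removeIf(c -> providerId.equals(c.getProviderId()) && c.getExpires() < timestamp);
    }
}
```

Package this class with a META-INF/services/com.ibm.websphere.security.oauth20.store.OAuthStore file (or a component XML) carrying oauth.store.id=customOAuthStore1, as shown earlier, and reference it from customStore storeId="customOAuthStore1". A production store that replaces the maps with a database should bind providerId, username, clientId, lookupKey and attribute as query parameters rather than concatenating them into SQL, since they originate in request processing, and must protect client secrets and token strings at rest, which the interface makes the implementation's responsibility.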