
4 Required Domain Classes - Reference Documentation

Authors: Brian Saville, Bobby Vandiver, Roy Willemse

Version: 3.0.0-RC2

4 Required Domain Classes

The plugin uses regular Grails domain classes backed by GORM. Four domain classes are required, representing clients, access tokens, refresh tokens and authorization codes.

The s2-init-oauth2-provider script will create the domain classes for you in a specified package and update grails-app/conf/application.groovy so the plugin recognizes them. You can customize the generated classes to fit your needs. If you change the default property names, you will need to update grails-app/conf/application.groovy so the plugin is aware of the changes. See the section on domain class properties for more information.

The maxSize constraints in the generated domain classes have been set to reasonable defaults. However, tweaking may be required if you are using longer usernames (email addresses for example), or have many authorities attached to a single user.

The discussion below assumes the s2-init-oauth2-provider script has been run with com.yourapp specified as the package and Client, AccessToken, RefreshToken and AuthorizationCode as the names of your domain classes.

4.1 Client Class

Information from the Grails client domain class will be extracted to create a ClientDetails instance for the underlying Spring Security OAuth 2.0 implementation.

The generated class will look like this:

    package com.yourapp

    class Client {

        private static final String NO_CLIENT_SECRET = ''

        transient springSecurityService

        String clientId
        String clientSecret

        Integer accessTokenValiditySeconds
        Integer refreshTokenValiditySeconds

        Map<String, Object> additionalInformation

        static hasMany = [
                authorities: String,
                authorizedGrantTypes: String,
                resourceIds: String,
                scopes: String,
                autoApproveScopes: String,
                redirectUris: String
        ]

        static transients = ['springSecurityService']

        static constraints = {
            clientId blank: false, unique: true
            clientSecret nullable: true

            accessTokenValiditySeconds nullable: true
            refreshTokenValiditySeconds nullable: true

            authorities nullable: true
            authorizedGrantTypes nullable: true

            resourceIds nullable: true

            scopes nullable: true
            autoApproveScopes nullable: true

            redirectUris nullable: true
            additionalInformation nullable: true
        }

        // The secret is never persisted in the clear: it is encoded on insert,
        // and again on update whenever it has changed.
        def beforeInsert() {
            encodeClientSecret()
        }

        def beforeUpdate() {
            if (isDirty('clientSecret')) {
                encodeClientSecret()
            }
        }

        // A missing secret is normalised to the empty string, then encoded with the
        // password encoder configured by the Spring Security Core plugin (if any).
        protected void encodeClientSecret() {
            clientSecret = clientSecret ?: NO_CLIENT_SECRET
            clientSecret = springSecurityService?.passwordEncoder ?
                    springSecurityService.encodePassword(clientSecret) : clientSecret
        }
    }

The client secret is encoded using the same strategy that is configured by the Core plugin for handling passwords. Optional client secrets are also supported out of the box.

4.2 Access Token Class

This class represents an access token that has been issued to a client on behalf of a user. The authentication object serialized is an instance of OAuth2Authentication from Spring Security OAuth 2.0.

    package com.yourapp

    class AccessToken {

        String authenticationKey
        byte[] authentication

        String username
        String clientId

        String value
        String tokenType

        Date expiration
        Map<String, Object> additionalInformation

        static hasOne = [refreshToken: String]
        static hasMany = [scope: String]

        static constraints = {
            username nullable: true
            clientId nullable: false, blank: false
            value nullable: false, blank: false, unique: true
            tokenType nullable: false, blank: false
            expiration nullable: false
            scope nullable: false
            refreshToken nullable: true
            authenticationKey nullable: false, blank: false, unique: true
            authentication nullable: false, minSize: 1, maxSize: 1024 * 4
            additionalInformation nullable: true
        }

        static mapping = {
            version false
            scope lazy: false
        }
    }

4.3 Refresh Token Class

This class represents a refresh token issued as part of one of the grants that supports issuing a refresh token. The length of time the refresh token is valid is determined by the token services and can be configured. See the token services configuration section for more information. The authentication object serialized is an instance of OAuth2Authentication from Spring Security OAuth 2.0.

    package com.yourapp

    class RefreshToken {

        String value
        Date expiration
        byte[] authentication

        static constraints = {
            value nullable: false, blank: false, unique: true
            expiration nullable: true
            authentication nullable: false, minSize: 1, maxSize: 1024 * 4
        }

        static mapping = {
            version false
        }
    }

If a non-expiring refresh token is desired, the client issuing the refresh token should be configured to return 0 or less for the refresh token validity length, in accordance with the behavior of Spring Security OAuth beginning with 2.0.6.RELEASE. A non-expiring GORM refresh token will be stored with a null expiration. When reading a GORM refresh token, if the expiration field is null, an ExpiringOAuth2RefreshToken instance will be created and returned for processing by Spring Security OAuth. Otherwise an instance of OAuth2RefreshToken will be created and used.
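The following BootStrap snippet is an added example, not part of the plugin or of the generated classes, showing how the Client class from section 4.1 and the refresh token validity behaviour described above fit together. It assumes the generated com.yourapp.Client class; the client id, secret, redirect URI, scope and resource id values are constructed placeholders.

```groovy
package com.yourapp

class BootStrap {

    def init = { servletContext ->
        // Register one confidential client on first start-up. The plaintext secret
        // only exists here; Client.beforeInsert() encodes it with the Core plugin's
        // password encoder before the row is written.
        if (!Client.findByClientId('billing-dashboard')) {
            new Client(
                    clientId: 'billing-dashboard',                      // constructed
                    clientSecret: 'replace-me-before-deploying',        // constructed
                    // Only the grants this client actually needs; no implicit/password.
                    authorizedGrantTypes: ['authorization_code', 'refresh_token'],
                    // Exact redirect URIs so the authorization endpoint can match them strictly.
                    redirectUris: ['https://dashboard.example.com/oauth/callback'],
                    scopes: ['read:invoices'],
                    // autoApproveScopes left null: the user is always asked to consent.
                    resourceIds: ['billing-api'],
                    authorities: ['ROLE_CLIENT'],
                    // Short-lived access tokens limit the window if one leaks.
                    accessTokenValiditySeconds: 15 * 60,
                    // 30 days. A value of 0 or less would instead yield a refresh token
                    // stored with a null expiration, i.e. one that never expires.
                    refreshTokenValiditySeconds: 30 * 24 * 60 * 60
            ).save(failOnError: true, flush: true)
        }
    }

    def destroy = { }
}
```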

4.4 Authorization Code Class

This class represents an authorization code that has been issued via the authorization endpoint as part of an authorization code grant. The authentication object serialized is an instance of OAuth2Authentication from Spring Security OAuth 2.0.

    package com.yourapp

    class AuthorizationCode {

        byte[] authentication
        String code

        static constraints = {
            code nullable: false, blank: false, unique: true
            authentication nullable: false, minSize: 1, maxSize: 1024 * 4
        }

        static mapping = {
            version false
        }
    }