/*
* Copyright 2008 Web Cohesion
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth.provider.token;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
/**
 * Provider-side contract for the OAuth token lifecycle: issuing an unauthorized request token,
 * recording a user's authorization of that token, exchanging it for an access token, and
 * looking a token up by its value.
 *
 * <p>Every operation signals rejection by throwing {@link AuthenticationException}; none of the
 * methods declares a status-code style return.
 *
 * <p>NOTE(review): token values and verifiers are credentials presented by the consumer.
 * Nothing in this interface says how they are generated or stored, so unpredictability and
 * log hygiene are the implementation's responsibility. Confirm against the implementation in use.
 *
 * @author Ryan Heaton
 */
public interface OAuthProviderTokenServices {

  /**
   * Looks up a token by its value.
   *
   * <p>NOTE(review): the contract does not state whether {@code null} may be returned for an
   * unknown value. Callers that rely on the exception alone should confirm this against the
   * implementation.
   *
   * @param token The token value.
   * @return The token.
   * @throws AuthenticationException If the token is invalid, expired, or disabled.
   */
  OAuthProviderToken getToken(String token)
      throws AuthenticationException;

  /**
   * Issues a new request token that has not yet been authorized by any user.
   *
   * <p>NOTE(review): {@code callbackUrl} presumably originates from the consumer's request.
   * Implementations should treat it as untrusted input and keep it bound to the issued token,
   * so that the later redirect uses the value recorded here. TODO confirm with the caller.
   *
   * @param consumerKey The consumer key for which to create the token.
   * @param callbackUrl The callback URL associated with the consumer key.
   * @return The token.
   * @throws AuthenticationException If the consumer isn't valid or otherwise isn't allowed to
   *     create a new request token.
   */
  OAuthProviderToken createUnauthorizedRequestToken(
      String consumerKey,
      String callbackUrl)
      throws AuthenticationException;

  /**
   * Records a user's authorization of a request token. Once authorized, the consumer to which
   * the request token was issued can use it to obtain an access token.
   *
   * <p>NOTE(review): the verifier is supplied by the caller; how it is generated is outside this
   * interface. Since it is assigned to the token at the moment of authorization, it presumably
   * serves as the consumer's proof that the user approved the request and should therefore be
   * unpredictable. Confirm with the caller.
   *
   * @param requestToken The request token.
   * @param verifier The verifier to be assigned to the request token.
   * @param authentication The authentication credentials with which to authorize the request
   *     token. This is the authentication of the <i>user</i> who has signed in and is
   *     authorizing the consumer to have access to a protected resource. The same
   *     authentication can be pulled from the security context, but it is passed explicitly to
   *     signal that the implementation needs to take into account which authorities the user is
   *     granting to the consumer.
   * @throws AuthenticationException If the token is expired or otherwise unauthorizable, or if
   *     the authentication credentials are insufficient.
   */
  void authorizeRequestToken(
      String requestToken,
      String verifier,
      Authentication authentication)
      throws AuthenticationException;

  /**
   * Exchanges a request token for an access token. The access token is what grants access to a
   * protected resource. After the access token is created, the request token should be
   * invalidated so that it cannot be exchanged a second time.
   *
   * <p>NOTE(review): no verifier is passed to this method. Any comparison of the
   * consumer-supplied verifier with the one assigned during authorization presumably happens
   * in the caller before this method is invoked. Confirm that the check exists there.
   *
   * @param requestToken The (presumably authorized) request token used to create the access
   *     token.
   * @return The access token.
   * @throws AuthenticationException If the request token is expired or disabled or doesn't
   *     reference the necessary authentication credentials or otherwise isn't authorized.
   */
  OAuthAccessProviderToken createAccessToken(String requestToken)
      throws AuthenticationException;
}