Spring Security OAuth2 Multi Tenant Aware Token Store
Register for more exciting articlesSpring Security OAuth2 Multi Tenant Aware Token Store
Author: Shazin Sadakath
Spring Security OAuth2 Multi Tenant Aware Token Store
Author: Shazin Sadakath
Sometime back I was given the task of finding a solution for a Spring Security OAuth2 authentication mechanism that is available for multiple distributed microservices and supports Multitenancy. Basically different tenants must be able to store their OAuth2 Tokens in a group inside of Redis and a generated for a Tenant must not work for other tenants. This implementation must not cause any issue for default OAuth2 behaviors such as Token expiration, Token Refreshing, etc.
After some research, I found that if a Tenant Id is sent as part of request header, this problem can be solved using a custom ServletRequestListener and by storing it in a ThreadLocal variable and writing a Custom implementation of RedisTokenStore which makes use of the Tenant Id stored in the ThreadLocal variable. Thus I wrote a TentantContext implementation as below;
public class TenantContext {
private static ThreadLocal TENANT_ID = new ThreadLocal() {
@Override
protected String initialValue() {
return "someid";
}
};
public static void setTenantId(String tenantId) {
TENANT_ID.set(tenantId);
}
public static String getTenantId() {
return TENANT_ID.get();
}
public static void clear() {
TENANT_ID.remove();
}
}
And a TenantContextListener which retrieves and stores the Tenant Id from Tenant_Id HTTP Header as below;
public class TenantContextListener implements ServletRequestListener {
@Override
public void requestDestroyed(ServletRequestEvent servletRequestEvent) {
TenantContext.clear();
}
@Override
public void requestInitialized(ServletRequestEvent servletRequestEvent) {
HttpServletRequest request = (HttpServletRequest)servletRequestEvent.getServletRequest();
String tenantId = request.getHeader("Tenant_Id");
TenantContext.setTenantId(tenantId);
}
}
And a TenantAwareRedisTokenStore as below;
public class TenantAwareRedisTokenStore implements TokenStore {
private static final String ACCESS = "access:";
private static final String AUTH_TO_ACCESS = "auth_to_access:";
private static final String AUTH = "auth:";
private static final String REFRESH_AUTH = "refresh_auth:";
private static final String ACCESS_TO_REFRESH = "access_to_refresh:";
private static final String REFRESH = "refresh:";
private static final String REFRESH_TO_ACCESS = "refresh_to_access:";
private static final String CLIENT_ID_TO_ACCESS = "client_id_to_access:";
private static final String UNAME_TO_ACCESS = "uname_to_access:";
private static final boolean springDataRedis_2_0 = ClassUtils.isPresent(
"org.springframework.data.redis.connection.RedisStandaloneConfiguration",
TenantAwareRedisTokenStore.class.getClassLoader());
private final RedisConnectionFactory connectionFactory;
private AuthenticationKeyGenerator authenticationKeyGenerator = new DefaultAuthenticationKeyGenerator();
private RedisTokenStoreSerializationStrategy serializationStrategy = new JdkSerializationStrategy();
private String prefix = "";
private Method redisConnectionSet_2_0;
public TenantAwareRedisTokenStore(RedisConnectionFactory connectionFactory) {
this.connectionFactory = connectionFactory;
if (springDataRedis_2_0) {
this.loadRedisConnectionMethods_2_0();
}
}
public void setAuthenticationKeyGenerator(AuthenticationKeyGenerator authenticationKeyGenerator) {
this.authenticationKeyGenerator = authenticationKeyGenerator;
}
public void setSerializationStrategy(RedisTokenStoreSerializationStrategy serializationStrategy) {
this.serializationStrategy = serializationStrategy;
}
public void setPrefix(String prefix) {
this.prefix = prefix;
}
private void loadRedisConnectionMethods_2_0() {
this.redisConnectionSet_2_0 = ReflectionUtils.findMethod(
RedisConnection.class, "set", byte[].class, byte[].class);
}
private RedisConnection getConnection() {
return connectionFactory.getConnection();
}
private byte[] serialize(Object object) {
return serializationStrategy.serialize(object);
}
private byte[] serializeKey(String object) {
return serialize(prefix + object);
}
private OAuth2AccessToken deserializeAccessToken(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2AccessToken.class);
}
private OAuth2Authentication deserializeAuthentication(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2Authentication.class);
}
private OAuth2RefreshToken deserializeRefreshToken(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2RefreshToken.class);
}
private byte[] serialize(String string) {
return serializationStrategy.serialize(string);
}
private String deserializeString(byte[] bytes) {
return serializationStrategy.deserializeString(bytes);
}
@Override
public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
String tenantId = getTenantId();
String key = authenticationKeyGenerator.extractKey(authentication);
byte[] serializedKey = serializeKey(tenantId + ":" + AUTH_TO_ACCESS + key);
byte[] bytes = null;
RedisConnection conn = getConnection();
try {
bytes = conn.get(serializedKey);
} finally {
conn.close();
}
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
if (accessToken != null) {
OAuth2Authentication storedAuthentication = readAuthentication(accessToken.getValue());
if ((storedAuthentication == null || !key.equals(authenticationKeyGenerator.extractKey(storedAuthentication)))) {
// Keep the stores consistent (maybe the same user is
// represented by this authentication but the details have
// changed)
storeAccessToken(accessToken, authentication);
}
}
return accessToken;
}
@Override
public OAuth2Authentication readAuthentication(OAuth2AccessToken token) {
return readAuthentication(token.getValue());
}
@Override
public OAuth2Authentication readAuthentication(String token) {
String tenantId = getTenantId();
byte[] bytes = null;
RedisConnection conn = getConnection();
try {
bytes = conn.get(serializeKey(tenantId + ":" + AUTH + token));
} finally {
conn.close();
}
OAuth2Authentication auth = deserializeAuthentication(bytes);
return auth;
}
@Override
public OAuth2Authentication readAuthenticationForRefreshToken(OAuth2RefreshToken token) {
return readAuthenticationForRefreshToken(token.getValue());
}
public OAuth2Authentication readAuthenticationForRefreshToken(String token) {
String tenantId = getTenantId();
RedisConnection conn = getConnection();
try {
byte[] bytes = conn.get(serializeKey(tenantId + ":" + REFRESH_AUTH + token));
OAuth2Authentication auth = deserializeAuthentication(bytes);
return auth;
} finally {
conn.close();
}
}
@Override
public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
String tenantId = getTenantId();
byte[] serializedAccessToken = serialize(token);
byte[] serializedAuth = serialize(authentication);
byte[] accessKey = serializeKey(tenantId + ":" + ACCESS + token.getValue());
byte[] authKey = serializeKey(tenantId + ":" +AUTH + token.getValue());
byte[] authToAccessKey = serializeKey(tenantId + ":" + AUTH_TO_ACCESS + authenticationKeyGenerator.extractKey(authentication));
byte[] approvalKey = serializeKey(tenantId + ":" + UNAME_TO_ACCESS + getApprovalKey(authentication));
byte[] clientId = serializeKey(tenantId + ":" + CLIENT_ID_TO_ACCESS + authentication.getOAuth2Request().getClientId());
RedisConnection conn = getConnection();
try {
conn.openPipeline();
if (springDataRedis_2_0) {
try {
this.redisConnectionSet_2_0.invoke(conn, accessKey, serializedAccessToken);
this.redisConnectionSet_2_0.invoke(conn, authKey, serializedAuth);
this.redisConnectionSet_2_0.invoke(conn, authToAccessKey, serializedAccessToken);
} catch (Exception ex) {
throw new RuntimeException(ex);
}
} else {
conn.set(accessKey, serializedAccessToken);
conn.set(authKey, serializedAuth);
conn.set(authToAccessKey, serializedAccessToken);
}
if (!authentication.isClientOnly()) {
conn.sAdd(approvalKey, serializedAccessToken);
}
conn.sAdd(clientId, serializedAccessToken);
if (token.getExpiration() != null) {
int seconds = token.getExpiresIn();
conn.expire(accessKey, seconds);
conn.expire(authKey, seconds);
conn.expire(authToAccessKey, seconds);
conn.expire(clientId, seconds);
conn.expire(approvalKey, seconds);
}
OAuth2RefreshToken refreshToken = token.getRefreshToken();
if (refreshToken != null && refreshToken.getValue() != null) {
byte[] refresh = serialize(token.getRefreshToken().getValue());
byte[] auth = serialize(token.getValue());
byte[] refreshToAccessKey = serializeKey(tenantId + ":" +REFRESH_TO_ACCESS + token.getRefreshToken().getValue());
byte[] accessToRefreshKey = serializeKey(tenantId + ":" +ACCESS_TO_REFRESH + token.getValue());
if (springDataRedis_2_0) {
try {
this.redisConnectionSet_2_0.invoke(conn, refreshToAccessKey, auth);
this.redisConnectionSet_2_0.invoke(conn, accessToRefreshKey, refresh);
} catch (Exception ex) {
throw new RuntimeException(ex);
}
} else {
conn.set(refreshToAccessKey, auth);
conn.set(accessToRefreshKey, refresh);
}
if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
ExpiringOAuth2RefreshToken expiringRefreshToken = (ExpiringOAuth2RefreshToken) refreshToken;
Date expiration = expiringRefreshToken.getExpiration();
if (expiration != null) {
int seconds = Long.valueOf((expiration.getTime() - System.currentTimeMillis()) / 1000L)
.intValue();
conn.expire(refreshToAccessKey, seconds);
conn.expire(accessToRefreshKey, seconds);
}
}
}
conn.closePipeline();
} finally {
conn.close();
}
}
private static String getApprovalKey(OAuth2Authentication authentication) {
String userName = authentication.getUserAuthentication() == null ? ""
: authentication.getUserAuthentication().getName();
return getApprovalKey(authentication.getOAuth2Request().getClientId(), userName);
}
private static String getApprovalKey(String clientId, String userName) {
return clientId + (userName == null ? "" : ":" + userName);
}
@Override
public void removeAccessToken(OAuth2AccessToken accessToken) {
removeAccessToken(accessToken.getValue());
}
@Override
public OAuth2AccessToken readAccessToken(String tokenValue) {
String tenantId = getTenantId();
byte[] key = serializeKey(tenantId + ":" + ACCESS + tokenValue);
byte[] bytes = null;
RedisConnection conn = getConnection();
try {
bytes = conn.get(key);
} finally {
conn.close();
}
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
return accessToken;
}
private String getTenantId() {
return TenantContext.getTenantId();
}
public void removeAccessToken(String tokenValue) {
String tenantId = getTenantId();
byte[] accessKey = serializeKey(tenantId + ":" + ACCESS + tokenValue);
byte[] authKey = serializeKey(tenantId + ":" + AUTH + tokenValue);
byte[] accessToRefreshKey = serializeKey(tenantId + ":" + ACCESS_TO_REFRESH + tokenValue);
RedisConnection conn = getConnection();
try {
conn.openPipeline();
conn.get(accessKey);
conn.get(authKey);
conn.del(accessKey);
conn.del(accessToRefreshKey);
// Don't remove the refresh token - it's up to the caller to do that
conn.del(authKey);
List results = conn.closePipeline();
byte[] access = (byte[]) results.get(0);
byte[] auth = (byte[]) results.get(1);
OAuth2Authentication authentication = deserializeAuthentication(auth);
if (authentication != null) {
String key = authenticationKeyGenerator.extractKey(authentication);
byte[] authToAccessKey = serializeKey(AUTH_TO_ACCESS + key);
byte[] unameKey = serializeKey(UNAME_TO_ACCESS + getApprovalKey(authentication));
byte[] clientId = serializeKey(CLIENT_ID_TO_ACCESS + authentication.getOAuth2Request().getClientId());
conn.openPipeline();
conn.del(authToAccessKey);
conn.sRem(unameKey, access);
conn.sRem(clientId, access);
conn.del(serialize(ACCESS + key));
conn.closePipeline();
}
} finally {
conn.close();
}
}
@Override
public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) {
String tenantId = getTenantId();
byte[] refreshKey = serializeKey(tenantId + ":" + REFRESH + refreshToken.getValue());
byte[] refreshAuthKey = serializeKey(tenantId + ":" + REFRESH_AUTH + refreshToken.getValue());
byte[] serializedRefreshToken = serialize(refreshToken);
RedisConnection conn = getConnection();
try {
conn.openPipeline();
if (springDataRedis_2_0) {
try {
this.redisConnectionSet_2_0.invoke(conn, refreshKey, serializedRefreshToken);
this.redisConnectionSet_2_0.invoke(conn, refreshAuthKey, serialize(authentication));
} catch (Exception ex) {
throw new RuntimeException(ex);
}
} else {
conn.set(refreshKey, serializedRefreshToken);
conn.set(refreshAuthKey, serialize(authentication));
}
if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
ExpiringOAuth2RefreshToken expiringRefreshToken = (ExpiringOAuth2RefreshToken) refreshToken;
Date expiration = expiringRefreshToken.getExpiration();
if (expiration != null) {
int seconds = Long.valueOf((expiration.getTime() - System.currentTimeMillis()) / 1000L)
.intValue();
conn.expire(refreshKey, seconds);
conn.expire(refreshAuthKey, seconds);
}
}
conn.closePipeline();
} finally {
conn.close();
}
}
@Override
public OAuth2RefreshToken readRefreshToken(String tokenValue) {
String tenantId = getTenantId();
byte[] key = serializeKey(tenantId + ":" + REFRESH + tokenValue);
byte[] bytes = null;
RedisConnection conn = getConnection();
try {
bytes = conn.get(key);
} finally {
conn.close();
}
OAuth2RefreshToken refreshToken = deserializeRefreshToken(bytes);
return refreshToken;
}
@Override
public void removeRefreshToken(OAuth2RefreshToken refreshToken) {
removeRefreshToken(refreshToken.getValue());
}
public void removeRefreshToken(String tokenValue) {
String tenantId = getTenantId();
byte[] refreshKey = serializeKey(tenantId + ":" + REFRESH + tokenValue);
byte[] refreshAuthKey = serializeKey(tenantId + ":" + REFRESH_AUTH + tokenValue);
byte[] refresh2AccessKey = serializeKey(tenantId + ":" + REFRESH_TO_ACCESS + tokenValue);
byte[] access2RefreshKey = serializeKey(tenantId + ":" + ACCESS_TO_REFRESH + tokenValue);
RedisConnection conn = getConnection();
try {
conn.openPipeline();
conn.del(refreshKey);
conn.del(refreshAuthKey);
conn.del(refresh2AccessKey);
conn.del(access2RefreshKey);
conn.closePipeline();
} finally {
conn.close();
}
}
@Override
public void removeAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken) {
removeAccessTokenUsingRefreshToken(refreshToken.getValue());
}
private void removeAccessTokenUsingRefreshToken(String refreshToken) {
String tenantId = getTenantId();
byte[] key = serializeKey(tenantId + ":" + REFRESH_TO_ACCESS + refreshToken);
List results = null;
RedisConnection conn = getConnection();
try {
conn.openPipeline();
conn.get(key);
conn.del(key);
results = conn.closePipeline();
} finally {
conn.close();
}
if (results == null) {
return;
}
byte[] bytes = (byte[]) results.get(0);
String accessToken = deserializeString(bytes);
if (accessToken != null) {
removeAccessToken(accessToken);
}
}
private List getByteLists(byte[] approvalKey, RedisConnection conn) {
List byteList;
Long size = conn.sCard(approvalKey);
byteList = new ArrayList(size.intValue());
Cursor cursor = conn.sScan(approvalKey, ScanOptions.NONE);
while(cursor.hasNext()) {
byteList.add(cursor.next());
}
return byteList;
}
@Override
public Collection findTokensByClientIdAndUserName(String clientId, String userName) {
String tenantId = getTenantId();
byte[] approvalKey = serializeKey(tenantId + ":" + UNAME_TO_ACCESS + getApprovalKey(clientId, userName));
List byteList = null;
RedisConnection conn = getConnection();
try {
byteList = getByteLists(approvalKey, conn);
} finally {
conn.close();
}
if (byteList == null || byteList.size() == 0) {
return Collections. emptySet();
}
List accessTokens = new ArrayList(byteList.size());
for (byte[] bytes : byteList) {
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
accessTokens.add(accessToken);
}
return Collections. unmodifiableCollection(accessTokens);
}
@Override
public Collection findTokensByClientId(String clientId) {
String tenantId = getTenantId();
byte[] key = serializeKey(tenantId + ":" + CLIENT_ID_TO_ACCESS + clientId);
List byteList = null;
RedisConnection conn = getConnection();
try {
byteList = getByteLists(key, conn);
} finally {
conn.close();
}
if (byteList == null || byteList.size() == 0) {
return Collections. emptySet();
}
List accessTokens = new ArrayList(byteList.size());
for (byte[] bytes : byteList) {
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
accessTokens.add(accessToken);
}
return Collections. unmodifiableCollection(accessTokens);
}
}
All methods which store, retrieve, delete and refresh OAuth2 Tokens will use the getTenantId() method to get the current request's Tenant Id as below;
private String getTenantId() {
return TenantContext.getTenantId();
}
Finally Spring Beans of TenantContextListener and TenantAwareRedisTokenStore must be created as below;
@Bean
public TokenStore tokenStore(JedisConnectionFactory jedisConnectionFactory) {
return new com.ec.tenant.TenantAwareRedisTokenStore(jedisConnectionFactory);
}
@Bean
public TenantContextListener tenantContextListener() {
return new TenantContextListener();
}
And the tokenStore bean must be used when creating the DefaultTokenServices bean.
@Bean
@Primary
public DefaultTokenServices tokenServices(TokenStore tokenStore) {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore);
defaultTokenServices.setSupportRefreshToken(true);
return defaultTokenServices;
}
This solution fixed the problem elegantly and worked with multiple instances of microservices who can be stateless do authorization use multi tenancy based tokens.
Tags: Spring Security OAuth2 Multi Tenants Redis
Views: 818
Register for more exciting articles
Comments
Please login or register to post a comment.
There are currently no comments.