Remove OAuth2TokenRepository

Fixes gh-4727

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -34,7 +34,6 @@ import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.token.OAuth2TokenRepository;
 import org.springframework.security.oauth2.client.userinfo.CustomUserTypesOAuth2UserService;
 import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
 import org.springframework.security.oauth2.client.userinfo.DelegatingOAuth2UserService;
@@ -43,7 +42,6 @@ import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.user.OAuth2User;
@@ -136,7 +134,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 
 	public class TokenEndpointConfig {
 		private AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeGrantRequest> authorizationCodeTokenExchanger;
-		private OAuth2TokenRepository<OAuth2AccessToken> accessTokenRepository;
 		private JwtDecoderRegistry jwtDecoderRegistry;
 
 		private TokenEndpointConfig() {
@@ -150,12 +147,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 			return this;
 		}
 
-		public TokenEndpointConfig accessTokenRepository(OAuth2TokenRepository<OAuth2AccessToken> accessTokenRepository) {
-			Assert.notNull(accessTokenRepository, "accessTokenRepository cannot be null");
-			this.accessTokenRepository = accessTokenRepository;
-			return this;
-		}
-
 		public TokenEndpointConfig jwtDecoderRegistry(JwtDecoderRegistry jwtDecoderRegistry) {
 			Assert.notNull(jwtDecoderRegistry, "jwtDecoderRegistry cannot be null");
 			this.jwtDecoderRegistry = jwtDecoderRegistry;
@@ -301,10 +292,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 				this.authorizationEndpointConfig.authorizationRequestRepository);
 		}
 		authorizationResponseFilter.setAuthorizedClientService(this.getAuthorizedClientService());
-		if (this.tokenEndpointConfig.accessTokenRepository != null) {
-			authorizationResponseFilter.setAccessTokenRepository(
-				this.tokenEndpointConfig.accessTokenRepository);
-		}
 		super.configure(http);
 	}
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/InMemoryAccessTokenRepository.java

@@ -1,66 +0,0 @@
-/*
- * Copyright 2002-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.oauth2.client.token;
-
-import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
-import org.springframework.util.Assert;
-
-import java.util.Base64;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-
-/**
- * An <i>in-memory</i> {@link OAuth2TokenRepository} for {@link OAuth2AccessToken}'s.
- *
- * @author Joe Grandja
- * @since 5.0
- * @see OAuth2TokenRepository
- * @see OAuth2AccessToken
- * @see ClientRegistration
- * @see Authentication
- */
-public final class InMemoryAccessTokenRepository implements OAuth2TokenRepository<OAuth2AccessToken> {
-	private final Map<String, OAuth2AccessToken> accessTokens = new ConcurrentHashMap<>();
-
-	@Override
-	public OAuth2AccessToken loadToken(ClientRegistration registration, Authentication principal) {
-		Assert.notNull(registration, "registration cannot be null");
-		Assert.notNull(principal, "principal cannot be null");
-		return this.accessTokens.get(this.getIdentifier(registration, principal));
-	}
-
-	@Override
-	public void saveToken(OAuth2AccessToken accessToken, ClientRegistration registration, Authentication principal) {
-		Assert.notNull(accessToken, "accessToken cannot be null");
-		Assert.notNull(registration, "registration cannot be null");
-		Assert.notNull(principal, "principal cannot be null");
-		this.accessTokens.put(this.getIdentifier(registration, principal), accessToken);
-	}
-
-	@Override
-	public OAuth2AccessToken removeToken(ClientRegistration registration, Authentication principal) {
-		Assert.notNull(registration, "registration cannot be null");
-		Assert.notNull(principal, "principal cannot be null");
-		return this.accessTokens.remove(this.getIdentifier(registration, principal));
-	}
-
-	private String getIdentifier(ClientRegistration registration, Authentication principal) {
-		String identifier = "[" + registration.getRegistrationId() + "][" + principal.getName() + "]";
-		return Base64.getEncoder().encodeToString(identifier.getBytes());
-	}
-}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/OAuth2TokenRepository.java

@@ -1,42 +0,0 @@
-/*
- * Copyright 2002-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.oauth2.client.token;
-
-import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.core.AbstractOAuth2Token;
-
-/**
- * Implementations of this interface are responsible for the persistence
- * and association of an {@link AbstractOAuth2Token OAuth 2.0 Token}
- * to a {@link ClientRegistration Client} and <i>Resource Owner</i>,
- * which is the {@link Authentication Principal} who originally granted the authorization.
- *
- * @author Joe Grandja
- * @since 5.0
- * @see AbstractOAuth2Token
- * @see ClientRegistration
- * @see Authentication
- */
-public interface OAuth2TokenRepository<T extends AbstractOAuth2Token> {
-
-	T loadToken(ClientRegistration registration, Authentication principal);
-
-	void saveToken(T token, ClientRegistration registration, Authentication principal);
-
-	T removeToken(ClientRegistration registration, Authentication principal);
-
-}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java

@@ -25,9 +25,6 @@ import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuth
 import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.token.InMemoryAccessTokenRepository;
-import org.springframework.security.oauth2.client.token.OAuth2TokenRepository;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
@@ -76,7 +73,7 @@ import java.io.IOException;
  * @see AuthorizationRequestRepository
  * @see OAuth2AuthorizationRequestRedirectFilter
  * @see ClientRegistrationRepository
- * @see OAuth2TokenRepository
+ * @see OAuth2AuthorizedClientService
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code Grant</a>
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.2">Section 4.1.2 Authorization Response</a>
  */
@@ -87,7 +84,6 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce
 	private OAuth2AuthorizedClientService<OAuth2AuthorizedClient> authorizedClientService;
 	private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =
 		new HttpSessionOAuth2AuthorizationRequestRepository();
-	private OAuth2TokenRepository<OAuth2AccessToken> accessTokenRepository = new InMemoryAccessTokenRepository();
 
 	public OAuth2LoginAuthenticationFilter() {
 		this(DEFAULT_FILTER_PROCESSES_URI);
@@ -144,11 +140,6 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce
 		this.authorizedClientService.saveAuthorizedClient(
 			authorizedClient, oauth2Authentication);
 
-		this.accessTokenRepository.saveToken(
-			authorizedClient.getAccessToken(),
-			authorizedClient.getClientRegistration(),
-			oauth2Authentication);
-
 		return oauth2Authentication;
 	}
 
@@ -167,11 +158,6 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce
 		this.authorizationRequestRepository = authorizationRequestRepository;
 	}
 
-	public final void setAccessTokenRepository(OAuth2TokenRepository<OAuth2AccessToken> accessTokenRepository) {
-		Assert.notNull(accessTokenRepository, "accessTokenRepository cannot be null");
-		this.accessTokenRepository = accessTokenRepository;
-	}
-
 	private OAuth2AuthorizationResponse convert(HttpServletRequest request) {
 		String code = request.getParameter(OAuth2ParameterNames.CODE);
 		String errorCode = request.getParameter(OAuth2ParameterNames.ERROR);