com.atlassian.oauth2.provider.api.authorization

Interface AuthorizationService

public interface AuthorizationService

Service for handling 3LO authentication

Method Summary

Modifier and Type	Method and Description
AuthorizationFlowResult	completeAuthorizationFlow(String clientId, String redirectUri, String code) Completes authorization flow and returns Authorization if successful
Optional<Authorization>	getAuthorization(String authorizationCode) fetches the Authorization object for the given code
boolean	isPkceCodeVerifierValidAgainstAuthorization(String codeVerifier, String authorizationCode) Checks if the provided code verifier produces the expected code challenge for the authorization associated with the provided authorization code.
boolean	isPkceEnabledForAuthorization(String authorizationCode) Checks if PKCE is enabled for the given authorization request.
void	removeExpiredAuthorizations(Duration expirationPeriod) Remove expired authorizations after a expiration period
String	startAuthorizationFlow(String clientId, String redirectUri, Scope scope, CodeChallengeMethod codeChallengeMethod, String codeChallenge) Creates an authorization request

Method Detail

startAuthorizationFlow

String startAuthorizationFlow(@Nonnull
                              String clientId,
                              @Nonnull
                              String redirectUri,
                              @Nonnull
                              Scope scope,
                              CodeChallengeMethod codeChallengeMethod,
                              String codeChallenge)

Creates an authorization request

Parameters:

clientId - used for this authorization request

redirectUri - the redirect uri verified when getting a token

scope - scope used in authorization flow

codeChallengeMethod - determines how the code verifier should be validated during PKCE. Passing `null` will disable PKCE for the flow.

codeChallenge - the code challenge produced by transforming the legitimate code verifier (based on the code challenge method). Can be null if PKCE disabled.

Returns:

the code for the session

completeAuthorizationFlow

AuthorizationFlowResult completeAuthorizationFlow(@Nonnull
                                                  String clientId,
                                                  @Nonnull
                                                  String redirectUri,
                                                  @Nonnull
                                                  String code)

Completes authorization flow and returns Authorization if successful

Parameters:

clientId - verify same client id used

redirectUri - verify the same redirect uri as at the start of the flow

code - verify the same code as generated at the start of the flow

Returns:

AuthorizationFlowResult verification result

getAuthorization

Optional<Authorization> getAuthorization(@Nonnull
                                         String authorizationCode)

fetches the Authorization object for the given code

Parameters:

authorizationCode - authorization code to lookup

Returns:

Authorization object matching the provided code

isPkceEnabledForAuthorization

boolean isPkceEnabledForAuthorization(@Nonnull
                                      String authorizationCode)

Checks if PKCE is enabled for the given authorization request. Mandatory security checks will be performed when enabled.

Parameters:

authorizationCode - the code provided by the authorization server

Returns:

true if PKCE enabled at the time of the initial authorization request

isPkceCodeVerifierValidAgainstAuthorization

boolean isPkceCodeVerifierValidAgainstAuthorization(@Nonnull
                                                    String codeVerifier,
                                                    @Nonnull
                                                    String authorizationCode)

Checks if the provided code verifier produces the expected code challenge for the authorization associated with the provided authorization code. Used in the context of PKCE.

Parameters:

codeVerifier - the code verifier to check

authorizationCode - the authorization code

Returns:

true if the expected code challenge is produced

removeExpiredAuthorizations

void removeExpiredAuthorizations(@Nonnull
                                 Duration expirationPeriod)

Remove expired authorizations after a expiration period

Parameters:

expirationPeriod - the period of time after which we remove authorisations