java.lang.Object
org.elasticsearch.xpack.security.authc.TokenService
Service responsible for the creation, validation, and other management of UserToken objects for authentication.
Nested Class Summary
Nested Classes
    TokenService.CreateTokenResult (the result type delivered to the listeners of createOAuth2Tokens and refreshToken)
Field Summary
Fields
    THREAD_POOL_NAME
    TOKEN_EXPIRATION
    DELETE_INTERVAL
    DELETE_TIMEOUT
    public static final int MINIMUM_BASE64_BYTES
Constructor Summary
Constructors
    TokenService(Settings settings, Clock clock, Client client, XPackLicenseState licenseState, SecurityContext securityContext, SecurityIndexManager securityMainIndex, SecurityIndexManager securityTokensIndex, ClusterService clusterService)
        Creates a new token service.
Method Summary
Modifier and Type / Method / Description
    void createOAuth2Tokens(byte[] accessTokenBytes, byte[] refreshTokenBytes, Authentication authentication, Authentication originatingClientAuth, Map<String, Object> metadata, ActionListener<TokenService.CreateTokenResult> listener)
        Creates an access token and optionally a refresh token as well from predefined values, based on the provided authentication and metadata.
    void createOAuth2Tokens(Authentication authentication, Authentication originatingClientAuth, Map<String, Object> metadata, boolean includeRefreshToken, ActionListener<TokenService.CreateTokenResult> listener)
        Creates an access token and optionally a refresh token as well, based on the provided authentication and metadata, with auto-generated values.
    void getAuthenticationAndMetadata(String token, ActionListener<org.elasticsearch.core.Tuple<Authentication, Map<String, Object>>> listener)
        Reads the authentication and metadata from the given token.
    org.elasticsearch.core.TimeValue getExpirationDelay()
    org.elasticsearch.core.Tuple<byte[], byte[]> getRandomTokenBytes(boolean includeRefreshToken)
    getTokenMetadata
        Returns the current in-use metadata of this TokenService.
    getTokenVersionCompatibility
    static String hashTokenString(String accessTokenString)
        Hashes an access or refresh token String so that it can safely be persisted in the index.
    void invalidateAccessToken(String accessToken, ActionListener<TokensInvalidationResult> listener)
        This method performs the steps necessary to invalidate an access token so that it may no longer be used.
    void invalidateActiveTokens(String realmName, String username, Predicate<Map<String, Object>> filter, ActionListener<TokensInvalidationResult> listener)
        Invalidates all access and refresh tokens for a given realmName and/or of a given username so that they may no longer be usable.
    void invalidateRefreshToken(String refreshToken, ActionListener<TokensInvalidationResult> listener)
        This method invalidates a refresh token so that it may no longer be used.
    static Boolean isTokenServiceEnabled(Settings settings)
    String prependVersionAndEncodeAccessToken(TransportVersion version, byte[] accessTokenBytes)
    static String prependVersionAndEncodeRefreshToken(TransportVersion version, byte[] refreshTokenBytes)
    void refreshToken(String refreshToken, ActionListener<TokenService.CreateTokenResult> listener)
        Called by the transport action in order to start the process of refreshing a token.
Field Details
THREAD_POOL_NAME
    See Also:
TOKEN_EXPIRATION
DELETE_INTERVAL
DELETE_TIMEOUT
MINIMUM_BASE64_BYTES
    public static final int MINIMUM_BASE64_BYTES
Constructor Details
TokenService
    public TokenService(Settings settings, Clock clock, Client client, XPackLicenseState licenseState, SecurityContext securityContext, SecurityIndexManager securityMainIndex, SecurityIndexManager securityTokensIndex, ClusterService clusterService) throws GeneralSecurityException
    Creates a new token service.
    Throws:
        GeneralSecurityException
Method Details
createOAuth2Tokens
    public void createOAuth2Tokens(Authentication authentication, Authentication originatingClientAuth, Map<String, Object> metadata, boolean includeRefreshToken, ActionListener<TokenService.CreateTokenResult> listener)
    Creates an access token and optionally a refresh token as well, based on the provided authentication and metadata, with auto-generated values. The created tokens are stored in the security index for versions up to VERSION_TOKENS_INDEX_INTRODUCED and in a dedicated security tokens index for later versions.
createOAuth2Tokens
    public void createOAuth2Tokens(byte[] accessTokenBytes, @Nullable byte[] refreshTokenBytes, Authentication authentication, Authentication originatingClientAuth, Map<String, Object> metadata, ActionListener<TokenService.CreateTokenResult> listener)
    Creates an access token and optionally a refresh token as well from predefined values, based on the provided authentication and metadata. The created tokens are stored in the security index for versions up to VERSION_TOKENS_INDEX_INTRODUCED and in a dedicated security tokens index for later versions.
hashTokenString
    public static String hashTokenString(String accessTokenString)
    Hashes an access or refresh token String so that it can safely be persisted in the index. The values are not salted because they are v4 UUIDs, which carry enough entropy on their own. Note that this reasoning holds only for uniformly random inputs; an unsalted hash is not an acceptable way to store low-entropy secrets such as passwords.
getAuthenticationAndMetadata
    public void getAuthenticationAndMetadata(String token, ActionListener<org.elasticsearch.core.Tuple<Authentication, Map<String, Object>>> listener)
    Reads the authentication and metadata from the given token. This method does not check whether the token has expired, so a successful read must not be taken as proof that the token is still valid.
invalidateAccessToken
    public void invalidateAccessToken(String accessToken, ActionListener<TokensInvalidationResult> listener)
    This method performs the steps necessary to invalidate an access token so that it may no longer be used. Invalidation involves performing an update to the token document and setting the access_token.invalidated field to true.
invalidateRefreshToken
    public void invalidateRefreshToken(String refreshToken, ActionListener<TokensInvalidationResult> listener)
    This method invalidates a refresh token so that it may no longer be used. Invalidation involves performing an update to the token document and setting the refresh_token.invalidated field to true.
    Parameters:
        refreshToken - the string representation of the refresh token
        listener - the listener to notify upon completion
invalidateActiveTokens
    public void invalidateActiveTokens(@Nullable String realmName, @Nullable String username, @Nullable Predicate<Map<String, Object>> filter, ActionListener<TokensInvalidationResult> listener)
    Invalidates all access and refresh tokens for a given realmName and/or of a given username so that they may no longer be usable.
    Parameters:
        realmName - the realm whose tokens should be invalidated
        username - the username whose tokens should be invalidated
        filter - an optional Predicate to further test and filter the tokens to invalidate; the predicate tests the token document source
        listener - the listener to notify upon completion
refreshToken
    public void refreshToken(String refreshToken, ActionListener<TokenService.CreateTokenResult> listener)
    Called by the transport action in order to start the process of refreshing a token.
    Parameters:
        refreshToken - the refresh token as provided by the client
        listener - the listener to call upon completion with a TokenService.CreateTokenResult containing the serialized access token, the serialized refresh token and the authentication for which the token is created, as these will be returned to the client
getTokenVersionCompatibility
isTokenServiceEnabled
    public static Boolean isTokenServiceEnabled(Settings settings)
getExpirationDelay
    public org.elasticsearch.core.TimeValue getExpirationDelay()
prependVersionAndEncodeAccessToken
    public String prependVersionAndEncodeAccessToken(TransportVersion version, byte[] accessTokenBytes) throws IOException, GeneralSecurityException
    Throws:
        IOException
        GeneralSecurityException
prependVersionAndEncodeRefreshToken
    public static String prependVersionAndEncodeRefreshToken(TransportVersion version, byte[] refreshTokenBytes) throws IOException
    Throws:
        IOException
getRandomTokenBytes
    public org.elasticsearch.core.Tuple<byte[], byte[]> getRandomTokenBytes(boolean includeRefreshToken)
getTokenMetadata
    Returns the current in-use metadata of this TokenService.
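The life cycle the methods above describe (random token bytes, an unsalted digest persisted instead of the token, invalidation by flag rather than deletion, single-use refresh), as an added illustrative model that is not Elasticsearch's TokenService code. It assumes a plain HashMap in place of the security tokens index, 16 random bytes per token in place of a v4 UUID, SHA-256 as the digest, and that a refresh leaves the previous access token untouched; expiry, TransportVersion prefixes, ActionListener callbacks and the realm/username/filter form of invalidateActiveTokens are omitted. The class and method names here are the model's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Illustrative model of the token life cycle in the TokenService Javadoc; NOT Elasticsearch code.
// A HashMap stands in for the token documents; expiry, the security index and ActionListeners are omitted.
public class TokenLifecycleModel {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final int TOKEN_BYTES = 16; // 128 bits of entropy, the reason an unsalted digest suffices (assumption)

    /** Stored document: digests and the two invalidated flags only, never the raw tokens. */
    static final class TokenDoc {
        final String principal, accessHash, refreshHash;   // refreshHash is null when none was issued
        boolean accessInvalidated, refreshInvalidated;     // model access_token.invalidated / refresh_token.invalidated
        TokenDoc(String principal, String accessHash, String refreshHash) {
            this.principal = principal; this.accessHash = accessHash; this.refreshHash = refreshHash;
        }
    }

    /** What the client receives: the raw tokens, which are never persisted. */
    record CreateTokenResult(String accessToken, String refreshToken) {}

    private final Map<String, TokenDoc> byAccessHash = new HashMap<>();
    private final Map<String, TokenDoc> byRefreshHash = new HashMap<>();

    /** Unsalted SHA-256: acceptable only because the input is uniformly random, never user-chosen. */
    static String hashTokenString(String token) {
        try {
            return B64.encodeToString(MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every JRE", e);
        }
    }

    private static String randomToken() {
        byte[] bytes = new byte[TOKEN_BYTES];
        RNG.nextBytes(bytes);
        return B64.encodeToString(bytes);
    }

    /** Counterpart of createOAuth2Tokens(..., includeRefreshToken, ...): mint, persist digests, hand back raw tokens. */
    CreateTokenResult createTokens(String principal, boolean includeRefreshToken) {
        String access = randomToken();
        String refresh = includeRefreshToken ? randomToken() : null;
        TokenDoc doc = new TokenDoc(principal, hashTokenString(access), refresh == null ? null : hashTokenString(refresh));
        byAccessHash.put(doc.accessHash, doc);
        if (doc.refreshHash != null) byRefreshHash.put(doc.refreshHash, doc);
        return new CreateTokenResult(access, refresh);
    }

    /** Lookup is by digest; an invalidated token fails although its document still exists. */
    Optional<String> authenticate(String accessToken) {
        TokenDoc doc = byAccessHash.get(hashTokenString(accessToken));
        return (doc == null || doc.accessInvalidated) ? Optional.empty() : Optional.of(doc.principal);
    }

    /** Models invalidateAccessToken: set the flag instead of deleting the document. */
    boolean invalidateAccessToken(String accessToken) {
        TokenDoc doc = byAccessHash.get(hashTokenString(accessToken));
        if (doc == null || doc.accessInvalidated) return false;
        doc.accessInvalidated = true;
        return true;
    }

    /** Models refreshToken: the refresh token is single-use, so a replay is rejected; a new pair is minted for the same principal. */
    Optional<CreateTokenResult> refreshToken(String refreshToken) {
        TokenDoc doc = byRefreshHash.get(hashTokenString(refreshToken));
        if (doc == null || doc.refreshInvalidated) return Optional.empty();
        doc.refreshInvalidated = true;
        return Optional.of(createTokens(doc.principal, true));
    }

    /** Models invalidateActiveTokens for one principal: both flags are set on every document that is still live. */
    int invalidateActiveTokens(String principal) {
        int count = 0;
        for (TokenDoc doc : byAccessHash.values()) {
            if (doc.principal.equals(principal) && !(doc.accessInvalidated && doc.refreshInvalidated)) {
                doc.accessInvalidated = doc.refreshInvalidated = true;
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        TokenLifecycleModel svc = new TokenLifecycleModel();
        CreateTokenResult first = svc.createTokens("alice", true);       // "alice" is a constructed principal
        System.out.println(svc.authenticate(first.accessToken()));        // fresh access token resolves to the principal
        CreateTokenResult second = svc.refreshToken(first.refreshToken()).orElseThrow();
        System.out.println(svc.refreshToken(first.refreshToken()));       // replay of the consumed refresh token is rejected
        System.out.println(svc.invalidateActiveTokens("alice"));          // every live document of the principal is flagged
        System.out.println(svc.authenticate(second.accessToken()));       // the refreshed access token is now unusable too
    }
}
```

The point the model makes about the real service: because only digests are stored, a read of the token store does not yield usable bearer tokens, and because invalidation flips a flag rather than deleting the document, a later lookup can distinguish "revoked" from "unknown" (which is what TokensInvalidationResult reports). Compile and run with `javac TokenLifecycleModel.java && java TokenLifecycleModel` on Java 16 or later (the nested record requires it).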