Certain authorization rules are time-based. For example, a user may only have the profile:read
authority if they've been granted that authority in the last five minutes.
External authorization systems can also state how long a given authority is valid for. An example of this is an OAuth 2.0 scope issued from an authorization server.
It would be nice to have a granted authority implementation that can contemplate when it was issued as well as a validity window.
To remain passive regarding serialization and deserialization, we should add this in a new implementation like TimestampedGrantedAuthority:
```java
import java.time.Instant;
import org.springframework.lang.Nullable;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.Assert;

public final class TimestampedGrantedAuthority implements GrantedAuthority {
	private final String authority;
	private final Instant issuedAt;
	private final @Nullable Instant notBefore;
	private final @Nullable Instant expiresAt;

	private TimestampedGrantedAuthority(Builder builder) {
		this.authority = builder.authority;
		this.issuedAt = builder.issuedAt;
		this.notBefore = builder.notBefore;
		this.expiresAt = builder.expiresAt;
	}

	public static Builder withAuthority(String authority) {
		return new Builder(authority);
	}

	@Override
	public String getAuthority() { return this.authority; }
	public Instant getIssuedAt() { return this.issuedAt; }
	public @Nullable Instant getNotBefore() { return this.notBefore; }
	public @Nullable Instant getExpiresAt() { return this.expiresAt; }

	public static final class Builder {
		private final String authority;
		// Builder-side timestamps; issuedAt defaults to Instant.now() in build()
		private @Nullable Instant issuedAt;
		private @Nullable Instant notBefore;
		private @Nullable Instant expiresAt;

		private Builder(String authority) {
			Assert.hasText(authority, "authority cannot be empty");
			this.authority = authority;
		}

		public Builder issuedAt(Instant issuedAt) { this.issuedAt = issuedAt; return this; }
		public Builder notBefore(@Nullable Instant notBefore) { this.notBefore = notBefore; return this; }
		public Builder expiresAt(@Nullable Instant expiresAt) { this.expiresAt = expiresAt; return this; }

		public TimestampedGrantedAuthority build() {
			if (this.issuedAt == null) {
				this.issuedAt = Instant.now();
			}
			return new TimestampedGrantedAuthority(this);
		}
	}
}
```
It should use a builder to simplify construction and allow for future properties, should they be needed.
A GrantedAuthority like the following:

```java
GrantedAuthority granted = TimestampedGrantedAuthority.withAuthority("profile:read").build();
```

should construct the authority with an issued-at of Instant.now(), and a null not-before and expires-at.
This commit should add tests to confirm that TimestampedGrantedAuthority works.
Spring Security can make use of this in future enhancements like aligning each OAuth 2.0 scope with associated timestamp information or like adding time-based authorization rules to the authorizeHttpRequests DSL.
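As an added example that is not part of this issue or of Spring Security, the following shows how the two time-based rules described above (the "granted in the last five minutes" rule for profile:read and an issuer-stated validity window such as an OAuth 2.0 scope's expiry) could be evaluated against a user's granted authorities. It assumes the proposed TimestampedGrantedAuthority with getIssuedAt(), getNotBefore() and getExpiresAt() getters and a builder exposing issuedAt/notBefore/expiresAt setters; none of that exists in Spring Security yet, and TimeBasedAuthorityCheck is a hypothetical helper name.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Collection;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical helper (not part of Spring Security): evaluates time-based
// authorization rules against a collection of granted authorities.
public final class TimeBasedAuthorityCheck {

	private final Clock clock;

	// Inject a Clock so tests can pin "now" instead of sleeping
	public TimeBasedAuthorityCheck(Clock clock) {
		this.clock = clock;
	}

	// Inside the issuer-stated window [notBefore, expiresAt); a null bound is unbounded
	public boolean isCurrentlyValid(TimestampedGrantedAuthority authority) {
		Instant now = this.clock.instant();
		Instant notBefore = authority.getNotBefore();
		Instant expiresAt = authority.getExpiresAt();
		if (notBefore != null && now.isBefore(notBefore)) {
			return false;
		}
		return expiresAt == null || now.isBefore(expiresAt);
	}

	// The issue's "granted in the last five minutes" rule, generalised to any maxAge.
	// Only timestamped grants can satisfy a time-based rule; plain authorities carry
	// no issue time, so the check fails closed for them.
	public boolean hasRecentAuthority(Collection<? extends GrantedAuthority> granted,
			String authority, Duration maxAge) {
		Instant now = this.clock.instant();
		for (GrantedAuthority ga : granted) {
			if (!(ga instanceof TimestampedGrantedAuthority timestamped)) {
				continue;
			}
			if (!authority.equals(timestamped.getAuthority()) || !isCurrentlyValid(timestamped)) {
				continue;
			}
			Duration age = Duration.between(timestamped.getIssuedAt(), now);
			// A future-dated issuedAt (clock skew or a tampered grant) is rejected, as is a stale one
			if (!age.isNegative() && age.compareTo(maxAge) <= 0) {
				return true;
			}
		}
		return false;
	}

	public static void main(String[] args) {
		Instant now = Instant.parse("2024-01-01T12:00:00Z"); // constructed reference time
		TimeBasedAuthorityCheck check = new TimeBasedAuthorityCheck(Clock.fixed(now, ZoneOffset.UTC));
		Duration fiveMinutes = Duration.ofMinutes(5);

		// Granted two minutes ago: inside the five-minute window
		GrantedAuthority fresh = TimestampedGrantedAuthority.withAuthority("profile:read")
				.issuedAt(now.minus(Duration.ofMinutes(2))).build();
		// Granted ten minutes ago: outside the five-minute window
		GrantedAuthority stale = TimestampedGrantedAuthority.withAuthority("profile:read")
				.issuedAt(now.minus(Duration.ofMinutes(10))).build();
		// OAuth 2.0 scope issued three minutes ago whose issuer said it expired one minute ago
		GrantedAuthority expiredScope = TimestampedGrantedAuthority.withAuthority("SCOPE_profile:read")
				.issuedAt(now.minus(Duration.ofMinutes(3)))
				.expiresAt(now.minus(Duration.ofMinutes(1))).build();
		// Untimestamped authority: no issue time, so it never satisfies a time-based rule
		GrantedAuthority plain = new SimpleGrantedAuthority("profile:read");

		System.out.println("fresh:   " + check.hasRecentAuthority(List.of(fresh), "profile:read", fiveMinutes));
		System.out.println("stale:   " + check.hasRecentAuthority(List.of(stale), "profile:read", fiveMinutes));
		System.out.println("expired: " + check.hasRecentAuthority(List.of(expiredScope), "SCOPE_profile:read", fiveMinutes));
		System.out.println("plain:   " + check.hasRecentAuthority(List.of(plain), "profile:read", fiveMinutes));
	}
}
```

Two design choices worth noting: a plain SimpleGrantedAuthority is deliberately never accepted by a time-based rule, because without an issue time there is nothing to reason about and the safe default is to deny; and the Clock is injected so that both the recency rule and the validity window can be tested against a fixed instant rather than wall-clock time.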
Comment From: yybmion
Hi @jzheaux.
I'd like to work on this issue. Could you please assign it to me?