Class CookieAuthReqRepo

java.lang.Object
com.alpaca.security.oauth2.CookieAuthReqRepo
All Implemented Interfaces:
org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest>

@Component public class CookieAuthReqRepo extends Object implements org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest>
Cookie-based implementation of AuthorizationRequestRepository for storing and retrieving OAuth2AuthorizationRequest objects during OAuth2 login flows in a stateless manner.

By default, Spring Security stores the OAuth2 authorization request in the HTTP session using HttpSessionOAuth2AuthorizationRequestRepository. This implementation replaces that behavior by serializing the request into a secure cookie using CookieManager, enabling stateless authentication flows (e.g., REST APIs or mobile clients).

Two cookies are used:

  • oauth2_auth_request: holds the serialized OAuth2AuthorizationRequest.
  • redirect_uri: optionally stores a post-login redirect URI provided by the client.
Cookies are short-lived and expire after a defined duration (e.g., 180 seconds).
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
     
    static final int
     
    static final String
     
  • Constructor Summary

    Constructors
    Constructor
    Description
     
  • Method Summary

    Modifier and Type
    Method
    Description
    org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest
    loadAuthorizationRequest(jakarta.servlet.http.HttpServletRequest request)
    Loads the OAuth2AuthorizationRequest from the cookie if present.
    org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest
    removeAuthorizationRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Removes the authorization request.
    void
    removeAuthorizationRequestCookies(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Deletes both the authorization request and redirect URI cookies.
    void
    saveAuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest authorizationRequest, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Saves the OAuth2AuthorizationRequest into a cookie, and optionally captures a redirect URI to be stored in a separate cookie.

    Methods inherited from class java.lang.Object

    clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

  • Constructor Details

    • CookieAuthReqRepo

      public CookieAuthReqRepo()
  • Method Details

    • loadAuthorizationRequest

      public org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest loadAuthorizationRequest(jakarta.servlet.http.HttpServletRequest request)
      Loads the OAuth2AuthorizationRequest from the cookie if present.
      Specified by:
      loadAuthorizationRequest in interface org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest>
      Parameters:
      request - the incoming HTTP request
      Returns:
      the deserialized OAuth2AuthorizationRequest, or null if not found
    • saveAuthorizationRequest

      public void saveAuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest authorizationRequest, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Saves the OAuth2AuthorizationRequest into a cookie, and optionally captures a redirect URI to be stored in a separate cookie.

      If authorizationRequest is null, deletes both cookies.

      Specified by:
      saveAuthorizationRequest in interface org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest>
      Parameters:
      authorizationRequest - the OAuth2 request to save (or null to clear)
      request - the incoming HTTP request
      response - the outgoing HTTP response to which cookies will be added
    • removeAuthorizationRequest

      public org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest removeAuthorizationRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Removes the authorization request. This implementation defers to loadAuthorizationRequest(jakarta.servlet.http.HttpServletRequest).
      Specified by:
      removeAuthorizationRequest in interface org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest>
      Parameters:
      request - the HTTP request
      response - the HTTP response
      Returns:
      the previously stored OAuth2AuthorizationRequest, or null if not available
    • removeAuthorizationRequestCookies

      public void removeAuthorizationRequestCookies(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Deletes both the authorization request and redirect URI cookies.
      Parameters:
      request - the HTTP request
      response - the HTTP response
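The class description and the method details above describe the contract (a stateless `AuthorizationRequestRepository` that keeps the `OAuth2AuthorizationRequest` in a short-lived `oauth2_auth_request` cookie and an optional `redirect_uri` cookie). The following is an added example written for this page, not the project's `CookieAuthReqRepo` or its `CookieManager`: it shows one way to implement that contract so that the two risks a cookie-based store introduces are handled, namely deserializing a client-supplied cookie and honouring a client-supplied redirect URI. The package name, the HMAC key, the `allowedRedirectOrigin` value, the `redirect_uri` query-parameter name and the deserialization filter pattern are assumptions, not values from the page.

```java
package com.example.oauth2; // assumed package, not the project's

import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

public class SignedCookieAuthorizationRequestRepository
        implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {

    public static final String AUTH_REQUEST_COOKIE = "oauth2_auth_request";
    public static final String REDIRECT_URI_COOKIE = "redirect_uri";
    public static final int COOKIE_MAX_AGE_SECONDS = 180;
    static final String REDIRECT_URI_PARAM = "redirect_uri"; // assumed query-parameter name

    // Only classes an OAuth2AuthorizationRequest graph can contain may be deserialized (assumed pattern).
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=20;org.springframework.security.oauth2.core.**;java.util.**;java.lang.**;!*");

    private final byte[] hmacKey;               // assumed: >= 32 random bytes injected from configuration
    private final String allowedRedirectOrigin; // assumed: e.g. "https://app.example.com"

    public SignedCookieAuthorizationRequestRepository(byte[] hmacKey, String allowedRedirectOrigin) {
        this.hmacKey = hmacKey.clone();
        this.allowedRedirectOrigin = allowedRedirectOrigin;
    }

    @Override
    public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
        Cookie cookie = findCookie(request, AUTH_REQUEST_COOKIE);
        return cookie == null ? null : verifyAndDeserialize(cookie.getValue());
    }

    @Override
    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest,
                                         HttpServletRequest request, HttpServletResponse response) {
        if (authorizationRequest == null) {          // null clears both cookies, as the contract requires
            removeAuthorizationRequestCookies(request, response);
            return;
        }
        addCookie(response, AUTH_REQUEST_COOKIE, serializeAndSign(authorizationRequest));
        // Store the post-login redirect only if it stays on the allowed origin (prefix includes the
        // trailing slash so "https://app.example.com.evil.test" is rejected).
        String redirectUri = request.getParameter(REDIRECT_URI_PARAM);
        if (redirectUri != null && redirectUri.startsWith(allowedRedirectOrigin + "/")) {
            addCookie(response, REDIRECT_URI_COOKIE, redirectUri);
        }
    }

    @Override
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
                                                                 HttpServletResponse response) {
        OAuth2AuthorizationRequest stored = loadAuthorizationRequest(request);
        removeAuthorizationRequestCookies(request, response); // the request is single-use: expire it now
        return stored;
    }

    public void removeAuthorizationRequestCookies(HttpServletRequest request, HttpServletResponse response) {
        expireCookie(response, AUTH_REQUEST_COOKIE);
        expireCookie(response, REDIRECT_URI_COOKIE);
    }

    // value = base64url(serialized request) + "." + base64url(HMAC-SHA256 over the serialized bytes)
    private String serializeAndSign(OAuth2AuthorizationRequest authorizationRequest) {
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(authorizationRequest);
            oos.flush();
            byte[] payload = bos.toByteArray();
            Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
            return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
        } catch (IOException e) {
            throw new IllegalStateException("cannot serialize authorization request", e);
        }
    }

    // The MAC is checked in constant time before any bytes reach ObjectInputStream.
    private OAuth2AuthorizationRequest verifyAndDeserialize(String value) {
        int dot = value.indexOf('.');
        if (dot <= 0) return null;
        try {
            Base64.Decoder dec = Base64.getUrlDecoder();
            byte[] payload = dec.decode(value.substring(0, dot));
            byte[] mac = dec.decode(value.substring(dot + 1));
            if (!MessageDigest.isEqual(hmac(payload), mac)) return null; // tampered or foreign cookie
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
                ois.setObjectInputFilter(FILTER);
                return (OAuth2AuthorizationRequest) ois.readObject();
            }
        } catch (IllegalArgumentException | IOException | ClassNotFoundException | ClassCastException e) {
            return null; // treat any malformed cookie as "not present"
        }
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static Cookie findCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c;
        return null;
    }

    private static void addCookie(HttpServletResponse response, String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath("/");
        cookie.setMaxAge(COOKIE_MAX_AGE_SECONDS);
        cookie.setAttribute("SameSite", "Lax"); // Servlet 6.0+; Lax still allows the IdP redirect back
        response.addCookie(cookie);
    }

    private static void expireCookie(HttpServletResponse response, String name) {
        Cookie cookie = new Cookie(name, "");
        cookie.setPath("/");
        cookie.setMaxAge(0);
        response.addCookie(cookie);
    }
}
```

Two points where this example is deliberately stricter than the documented class: `removeAuthorizationRequest` expires both cookies at once rather than deferring to `loadAuthorizationRequest`, so a used authorization request cannot be replayed within the 180-second window without a separate call to `removeAuthorizationRequestCookies`; and the cookie carries an HMAC that is verified before deserialization, with an `ObjectInputFilter` limiting the classes that may be instantiated, because a cookie is client-controlled input. The `redirect_uri` check against a fixed origin is what keeps the optional redirect cookie from becoming an open redirect after login.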