Add Token Revocation Endpoint in ref doc

Issue gh-672
4 years ago · e687970f2b
1 changed files with 39 additions and 1 deletions
--- a/docs/src/docs/asciidoc/protocol-endpoints.adoc
+++ b/docs/src/docs/asciidoc/protocol-endpoints.adoc
@ -138,7 +138,45 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
				@@ -138,7 +138,45 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 [[oauth2-token-revocation-endpoint]]
 == OAuth2 Token Revocation Endpoint

-This section is under construction.
+`OAuth2TokenRevocationEndpointConfigurer` provides the ability to customize the https://tools.ietf.org/html/rfc7009[OAuth2 Token Revocation endpoint].
+It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for https://datatracker.ietf.org/doc/html/rfc7009#section-2.1[OAuth2 revocation requests].
+
+`OAuth2TokenRevocationEndpointConfigurer` provides the following configuration options:
+
+[source,java]
+----
+@Bean
+public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
+	OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
+		new OAuth2AuthorizationServerConfigurer<>();
+	http.apply(authorizationServerConfigurer);
+
+	authorizationServerConfigurer
+		.tokenRevocationEndpoint(tokenRevocationEndpoint ->
+			tokenRevocationEndpoint
+				.revocationRequestConverter(revocationRequestConverter)   <1>
+				.authenticationProvider(authenticationProvider) <2>
+				.revocationResponseHandler(revocationResponseHandler) <3>
+				.errorResponseHandler(errorResponseHandler) <4>
+		);
+
+	return http.build();
+}
+----
+<1> `revocationRequestConverter()`: The `AuthenticationConverter` (_pre-processor_) used when attempting to extract an https://datatracker.ietf.org/doc/html/rfc7009#section-2.1[OAuth2 revocation request] from `HttpServletRequest` to an instance of `OAuth2TokenRevocationAuthenticationToken`.
+<2> `authenticationProvider()`: The `AuthenticationProvider` (_main processor_) used for authenticating the `OAuth2TokenRevocationAuthenticationToken`. (One or more may be added to replace the defaults.)
+<3> `revocationResponseHandler()`: The `AuthenticationSuccessHandler` (_post-processor_) used for handling an "`authenticated`" `OAuth2TokenRevocationAuthenticationToken` and returning the https://datatracker.ietf.org/doc/html/rfc7009#section-2.2[OAuth2 revocation response].
+<4> `errorResponseHandler()`: The `AuthenticationFailureHandler` (_post-processor_) used for handling an `OAuth2AuthenticationException` and returning the https://datatracker.ietf.org/doc/html/rfc6749#section-5.2[OAuth2Error response].
+
+`OAuth2TokenRevocationEndpointConfigurer` configures the `OAuth2TokenRevocationEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`.
+`OAuth2TokenRevocationEndpointFilter` is the `Filter` that processes OAuth2 revocation requests.
+
+`OAuth2TokenRevocationEndpointFilter` is configured with the following defaults:
+
+* `*AuthenticationConverter*` -- An internal implementation that returns the `OAuth2TokenRevocationAuthenticationToken`.
+* `*AuthenticationManager*` -- An `AuthenticationManager` composed of `OAuth2TokenRevocationAuthenticationProvider`.
+* `*AuthenticationSuccessHandler*` -- An internal implementation that handles an "`authenticated`" `OAuth2TokenRevocationAuthenticationToken` and returns the OAuth2 revocation response.
+* `*AuthenticationFailureHandler*` -- An internal implementation that uses the `OAuth2Error` associated with the `OAuth2AuthenticationException` and returns the `OAuth2Error` response.

 [[oauth2-authorization-server-metadata-endpoint]]
 == OAuth2 Authorization Server Metadata Endpoint