Description
Related to #18004
Currently, to specify a time-sensitive factor, one needs to create an AuthorizationManagerFactory by way of a static factory that returns a builder:

```java
var passwordIn30m = AuthorizationManagerFactories.multiFactor()
    .requireFactor((factor) -> factor
        .passwordAuthority()
        .validDuration(Duration.ofMinutes(30))
    )
    .build();
```
This can then be used to create rules that include this factor as a basis:
```java
http
    .authorizeHttpRequests((authorize) -> authorize
        .requestMatchers("/admin/**").access(passwordIn30m.hasRole("ADMIN"))
        .anyRequest().authenticated()
    )
    // ...
```
When just one factor is under consideration, this boilerplate could be reduced in a few ways. One way is to make it simpler to provide just one authority like so:
```java
var passwordIn30m = AuthorizationManagerFactories.hasFactor(PASSWORD_AUTHORITY, Duration.ofMinutes(30));

http
    .authorizeHttpRequests((authorize) -> authorize
        .requestMatchers("/admin/**").access(passwordIn30m.hasRole("ADMIN"))
        .anyRequest().authenticated()
    )
    // ...
```
Or, AuthorizationManagerFactories could expose the individual authorities:
```java
var passwordIn30m = AuthorizationManagerFactories.hasPasswordFactor((f) -> f.validDuration(Duration.ofMinutes(30)));

http
    .authorizeHttpRequests((authorize) -> authorize
        .requestMatchers("/admin/**").access(passwordIn30m.hasRole("ADMIN"))
        .anyRequest().authenticated()
    )
    // ...
```
I like the idea of having a simpler representation for a single factor since there are use cases other than multi-factor authentication when applications will want to require a time-sensitive factor in order to proceed.
NOTE: This ticket is marked as team-attention since we don't have a clear idea whether to go down any of these routes just yet.
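For context on what the existing API looks like in a complete configuration, here is an added example (not part of the issue, and not code from the Spring Security project) that wires the current `multiFactor()` builder form into a `SecurityFilterChain`. It goes a step beyond the snippet above by using two factories with different validity windows for different URL patterns, which is the "time-sensitive factor outside of MFA" use case the issue mentions: a normal admin area accepts a password factor up to 30 minutes old, while a destructive endpoint demands a fresher one. The class name, the request paths, the 5-minute window, and the package names in the imports are assumptions made for the example; the builder calls themselves are the ones shown in the issue.

```java
import java.time.Duration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationManagerFactories;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Example configuration (assumed class name); demonstrates the current builder form
// from the issue, not a proposed new API.
@Configuration
@EnableWebSecurity
public class TimeSensitiveFactorConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Factory from the issue: the password factor must have been obtained
        // within the last 30 minutes for the resulting managers to grant access.
        var passwordIn30m = AuthorizationManagerFactories.multiFactor()
            .requireFactor((factor) -> factor
                .passwordAuthority()
                .validDuration(Duration.ofMinutes(30))
            )
            .build();

        // Same builder, tighter window (5 minutes is an assumed value): a step-up
        // check for a destructive action, independent of any second factor.
        var passwordIn5m = AuthorizationManagerFactories.multiFactor()
            .requireFactor((factor) -> factor
                .passwordAuthority()
                .validDuration(Duration.ofMinutes(5))
            )
            .build();

        http
            .authorizeHttpRequests((authorize) -> authorize
                // Destructive endpoint (assumed path): role check plus a fresh password factor.
                .requestMatchers("/account/delete").access(passwordIn5m.hasRole("USER"))
                // Admin area: role check plus a password factor at most 30 minutes old.
                .requestMatchers("/admin/**").access(passwordIn30m.hasRole("ADMIN"))
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults());

        return http.build();
    }
}
```

The point worth noticing is that each distinct validity window currently costs a full `multiFactor().requireFactor(...).build()` chain even though only a single factor is involved, which is the boilerplate the two proposals in this issue aim to cut down.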