Default implementation of the {@code TokenProvider} interface that keeps login tokens in the content repository. As a precondition, the configured user management implementation must provide paths for all {@link org.apache.jackrabbit.api.security.user.User users} that refer to a valid {@link Tree} in the content repository.
Backwards compatibility with Jackrabbit 2.x
For security reasons the nodes storing the token information now have a dedicated node type (rep:Token) which has the following definition:
[rep:Token] > mix:referenceable
  - rep:token.key (STRING) protected mandatory
  - rep:token.exp (DATE) protected mandatory
  - * (UNDEFINED) protected
  - * (UNDEFINED) multiple protected
Consequently the hash of the token and the expiration time of tokens generated by this provider can no longer be manipulated using regular JCR item modifications.
Existing login tokens generated by Jackrabbit 2.x which are migrated to Oak will still be valid (unless they expire), because {@link #getTokenInfo(String)} and the implementation of the {@link TokenInfo} interface do not validate the node type of the token node associated with a given token.