Author: buildbot
Date: Tue Sep  8 11:47:32 2015
New Revision: 964746

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue Sep  8 11:47:32 
2015
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: 
OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1435780195621 {padding: 0px;}
-div.rbtoc1435780195621 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1435780195621 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1441712818230 {padding: 0px;}
+div.rbtoc1441712818230 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1441712818230 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1435780195621">
+/*]]>*/</style></p><div class="toc-macro rbtoc1441712818230">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client 
Registration</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization 
View</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in 
Authorization Form</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
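Review bot: The only change in this hunk is the Confluence-generated class suffix (rbtoc1435780195621 to rbtoc1441712818230) in the three inline style rules and on the toc-macro div; the suffix is timestamp-derived, so every publish of this page rewrites these lines even when the TOC content is unchanged. If the exporter can be configured with a fixed TOC class name, pinning it would limit these production diffs to real content changes and make them reviewable.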
@@ -133,7 +133,7 @@ div.rbtoc1435780195621 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-HAWK">HAWK</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-MAC">MAC</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Encryptedtokens">Encrypted tokens</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-UsingSecretKeys">Using Secret Keys</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-UsingCertificates">Using 
Certificates</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using Certificates and 
Secret Keys</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-EncryptedJWTTokens">Encrypted JWT Tokens</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-Customtokens">Custom 
tokens</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and 
Audience</a></li></ul>
-</li><li><a shape="rect" 
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul>
+</li><li><a shape="rect" 
href="#JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</a></li><li><a 
shape="rect" 
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul>
 </li><li><a shape="rect" 
href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
 shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource 
Owner Password Credentials</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul>
 </li><li><a shape="rect" 
href="#JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow 
Filters</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse 
Filters</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access 
tokens</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing 
OAuthDataProvider</a>
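Review bot: The new TOC entry links to #JAX-RSOAuth2-OAuthJSONProvider, but the matching heading has to exist in the page body, and in the part of the last hunk visible here the removed text goes straight from the "Simple Tokens and Audience" h4 to the AccessTokenValidationService h3 with no OAuthJSONProvider section in between. Please confirm that the rest of that hunk adds a heading with exactly this id, otherwise the new anchor is a dead link; also note the entry is nested as a sibling of AccessTokenValidationService rather than as a sibling of the token-type entries above it, which should match where the section actually sits.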
@@ -150,7 +150,7 @@ div.rbtoc1435780195621 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing 
the same access path between end users and clients</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
 different access points to end users and clients</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign 
On</a></li></ul>
 </li></ul>
-</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>New:</p><ul 
style="list-style-type: square;"><li>CXF 3.0.0-milestone2 makes it simpler to 
encrypt the token and other OAuth2 server model state</li><li>OAuthDataProvider 
has a new revokeToken() method added&#160; to support the client-driven token 
revocation</li><li>AccessTokenValidationService has been enhanced to ensure the 
validation can proceed only if the authenticated Principal is available.&#160; 
&#160;</li><li>OAuthRequestInterceptor has been added to make it easier for 
non-JAXRS endpoints to use OAuth2 tokens</li></ul><p>CXF provides the 
implementation of <a shape="rect" class="external-link" 
href="http://tools.ietf.org/html/rfc6749"; rel="nofollow">OAuth 2.0</a>. See 
also the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for 
information about OAuth 1.0.</p><p>Authorization Code, Implicit, Client 
Credentials, Resource Owner Password Credentials, Refresh Token and SAML2 
Assertions grants are current
 ly supported.</p><p>Custom grant handlers can be registered.</p><p>OAuth2 is a 
new protocol which offers a complex yet elegant solution toward helping end 
users (resource owners) authorize third-party providers to access their 
resources.</p><p>The OAuth2 flow which is closely related to the original OAuth 
1.0 3-leg flow is called Authorization Code and involves 3 parties: the end 
user, the third party service (client) and the resource server which is 
protected by OAuth2 filters. Typically a client offers a service feature that 
an end user requests and which requires the former to access one or more 
protected resources on behalf of this user which are located at the resource 
server. For example, the client may need to access the end user's photos in 
order to print them and post to the user or read and possibly update a user's 
calendar in order to make a booking.</p><p>In order to make it happen, the 
third-party service application/client needs to register itself with the OAuth2 
serve
 r. This happens out-of-band and after the registration the client gets back a 
client key and secret pair. Typically the client is expected to provide the 
name and description of the application, the application logo URI, one or more 
redirect URIs, and other information that may help the OAuth2 authorization 
server to identify this client to the end user at the authorization 
time.</p><p>From then on, the authorization code flow works like this:<br 
clear="none"> 1. End User requests the third-party service using a 
browser.</p><p>2. The client redirects the end user to OAuth2 Authorization 
Service, adding its client id, the state, redirect URI and the optional scope 
to the target URI. The state parameter represents the current end user's 
request, redirect URI - where the authorization code is expected to be returned 
to, and the scope is the list of opaque permissions that the client needs in 
order to access the protected resources.</p><p>3. Authorization Service will 
retrieve the infor
 mation about the client using its client id, build an HTML form and return it 
to the end user. The form will ask the user if a given third-party application 
can be allowed to access some resources on behalf of this user.</p><p>4. If the 
user approves it then Authorization Service will generate an authorization code 
and redirect the user back to the redirect uri provided by the client, also 
adding a state parameter to the redirect URI.</p><p>5. The client requests an 
access token from OAuth2 Access Token Service by providing an authorization 
code grant.</p><p>6. After getting an access token token, the service finally 
proceeds with accessing the current user's resources and completes the user's 
request.</p><p>As you can see the flow can be complex yet it is very effective. 
A number of issues may need to be taken care along the way such as managing 
expired tokens, making sure that the OAuth2 security layer is functioning 
properly and is not interfering with the end user itself trying 
 to access its own resources, etc.</p><p>Please check the <a shape="rect" 
class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2"; 
rel="nofollow">specification</a> and the <a shape="rect" class="external-link" 
href="http://en.wikipedia.org/wiki/OAuth#OAuth_2.0"; rel="nofollow">Wikipedia 
article</a> as well as other resources available on the WEB for more 
information you may need to know about OAuth2.</p><p>CXF JAX-RS gives the best 
effort to making this process as simple as possible and requiring only a 
minimum effort on behalf of OAuth2 server developers. It also offers the 
utility code for greatly simplifying the way the third-party application can 
interact with the OAuth2 service endpoints.</p><h1 
id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>New:</p><ul 
style="list-style-type: square;"><li>OAuth2 module now depends on CXF 
cxf-rt-rs-security-jose module with the utility code in place to support a 
number of OAuth2 features depending on JOSE <br clear="none"><br 
clear="none"></li></ul><p>CXF provides the implementation of <a shape="rect" 
class="external-link" href="http://tools.ietf.org/html/rfc6749"; 
rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect" 
href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth 
1.0.</p><p>Authorization Code, Implicit, Client Credentials, Resource Owner 
Password Credentials, Refresh Token and SAML2 Assertions grants are currently 
supported.</p><p>Custom grant handlers can be registered.</p><p>OAuth2 is a new 
protocol which offers a complex yet elegant solution toward helping end users 
(resource owners) authorize third-party providers to access their 
resources.</p><p>The OAuth2 flow which is closely related to 
 the original OAuth 1.0 3-leg flow is called Authorization Code and involves 3 
parties: the end user, the third party service (client) and the resource server 
which is protected by OAuth2 filters. Typically a client offers a service 
feature that an end user requests and which requires the former to access one 
or more protected resources on behalf of this user which are located at the 
resource server. For example, the client may need to access the end user's 
photos in order to print them and post to the user or read and possibly update 
a user's calendar in order to make a booking.</p><p>In order to make it happen, 
the third-party service application/client needs to register itself with the 
OAuth2 server. This happens out-of-band and after the registration the client 
gets back a client key and secret pair. Typically the client is expected to 
provide the name and description of the application, the application logo URI, 
one or more redirect URIs, and other information that may help the 
 OAuth2 authorization server to identify this client to the end user at the 
authorization time.</p><p>From then on, the authorization code flow works like 
this:<br clear="none"> 1. End User requests the third-party service using a 
browser.</p><p>2. The client redirects the end user to OAuth2 Authorization 
Service, adding its client id, the state, redirect URI and the optional scope 
to the target URI. The state parameter represents the current end user's 
request, redirect URI - where the authorization code is expected to be returned 
to, and the scope is the list of opaque permissions that the client needs in 
order to access the protected resources.</p><p>3. Authorization Service will 
retrieve the information about the client using its client id, build an HTML 
form and return it to the end user. The form will ask the user if a given 
third-party application can be allowed to access some resources on behalf of 
this user.</p><p>4. If the user approves it then Authorization Service will ge
 nerate an authorization code and redirect the user back to the redirect uri 
provided by the client, also adding a state parameter to the redirect 
URI.</p><p>5. The client requests an access token from OAuth2 Access Token 
Service by providing an authorization code grant.</p><p>6. After getting an 
access token token, the service finally proceeds with accessing the current 
user's resources and completes the user's request.</p><p>As you can see the 
flow can be complex yet it is very effective. A number of issues may need to be 
taken care along the way such as managing expired tokens, making sure that the 
OAuth2 security layer is functioning properly and is not interfering with the 
end user itself trying to access its own resources, etc.</p><p>Please check the 
<a shape="rect" class="external-link" 
href="http://tools.ietf.org/html/draft-ietf-oauth-v2"; 
rel="nofollow">specification</a> and the <a shape="rect" class="external-link" 
href="http://en.wikipedia.org/wiki/OAuth#OAuth_2.0"; rel="nof
 ollow">Wikipedia article</a> as well as other resources available on the WEB 
for more information you may need to know about OAuth2.</p><p>CXF JAX-RS gives 
the best effort to making this process as simple as possible and requiring only 
a minimum effort on behalf of OAuth2 server developers. It also offers the 
utility code for greatly simplifying the way the third-party application can 
interact with the OAuth2 service endpoints.</p><h1 
id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-oauth2&lt;/artifactId&gt;
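Review bot: The rewritten "New:" list drops the earlier release notes (OAuthDataProvider.revokeToken(), AccessTokenValidationService requiring an authenticated Principal, and OAuthRequestInterceptor for non-JAXRS endpoints) and replaces them with the single cxf-rt-rs-security-jose dependency item; since the body below still refers to those services, consider keeping the older items under a per-version heading instead of deleting them, so readers on 3.0.x can still find what changed. The new li also ends in two empty "<br clear="none">" tags that should be removed. Two pre-existing defects are carried across unchanged and could be fixed while this text is being touched: "After getting an access token token" duplicates a word, and the "specification" link in the closing paragraph still points at draft-ietf-oauth-v2 although the opening paragraph already links RFC 6749.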
@@ -362,7 +362,7 @@ return token;
 // decrypt a token given a token key
 
 ModelEncryptionSupport.decryptAccessToken(this, encryptedToken, key);</pre>
-</div></div><pre>&#160;</pre><h5 id="JAX-RSOAuth2-UsingCertificates">Using 
Certificates</h5><p>Working with the certificates to encrypt the state is 
similar to working with the symmetric keys. Please check the code examples in 
<a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java";>EncryptionsUtilsTest</a>.</p><p>One
 needs to load a Certificate, use its public key to encrypt and the private key 
to decrypt. using the certificate to encrypt the whole serialized token 
representation might be marginally slower compared to using the symmetric keys, 
however given that the sequence is about 300+ characters maximum the 
performance can be reasonable.</p><h5 
id="JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using Certificates and Secret 
Keys</h5><p>The other approach is to generate a secret key, use this key to 
encrypt the token and then use the certi
 ficate to encrypt the key. The encrypted token and the actual encrypted secret 
key can be returned to the client as a token parameter, for example, as a 'key' 
parameter. This 'key' parameter will need to be returned to the OAuth2 server, 
via the HTTP header or the custom authorization scheme. The data providers 
using this mechanism will need to implement AccessTokenValidator and decrypt 
the encrypted key with the private certificate key, and decrypt the token with 
the decrypted secret key. Please check the code example in <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java";>EncryptionsUtilsTest</a>.</p><h5
 id="JAX-RSOAuth2-EncryptedJWTTokens">Encrypted JWT Tokens</h5><p>JWT Token can 
be JWE-encrypted and the encrypted string passed to ServerAccessToken as access 
token id parameter.</p><p>See <a shape="rect" href="jax-rs-jose.html">JAX-RS
  Jose</a> wiki page for more information on how to sign and encrypt JSON Web 
Tokens.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If needed, 
users can use their own custom token types, with the only restriction that the 
custom token type implementations have to extend 
org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.</p><h4 
id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and 
Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect" 
class="external-link" 
href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00"; 
rel="nofollow">audience</a> parameter is supported during the client token 
requests.</p><h3 
id="JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</h3><p>The
 <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java";>AccessTokenValidationService</a>
 is a CXF spe
 cific OAuth2 service for accepting the remote access token validation 
requests. Typically, OAuthRequestFilter (see on it below) may choose to 
impersonate itself as a third-party client and will ask 
AccessTokenValidationService to return the information relevant to the current 
access token, before setting up a security context. More on it below.</p><h2 
id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a 
shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java";>TokenRevocationService</a>
 is a simple OAuth2 service supporting the clients wishing to revoke the access 
or refresh tokens they own themselves, please see <a shape="rect" 
class="external-link" 
href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09"; 
rel="nofollow">OAuth2 Token Revocation Draft</a> for more 
information.</p><p>TokenRevocationService and Ac
 cessTokenService share the same code which enforces that the clients have been 
correctly authenticated.</p><p>Note, OAuthDataProvider implementations 
processing a revocation request should simply ignore the invalid tokens as 
recommended by the specification which will let TokenRevocationService return 
HTTP 200 which is done to minimize a possible attack surface (specifically for 
bad clients not to see if their requests failed or succeeded) and throw the 
exceptions only if the token revocation feature is not currently 
supported.</p><h2 id="JAX-RSOAuth2-SupportedGrants">Supported Grants</h2><p>The 
following subsections briefly describe how the well-known grant types can be 
supported on the server side. Please also check the "Client Side Support" 
section on how to use the related <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>AccessToke
 nGrant</a> implementations to request the access tokens.</p><h3 
id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As described 
above, <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java";>AuthorizationCodeGrantService</a>
 service and <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";>AuthorizationCodeDataProvider</a>
 data provider can support a redirection-based Authorization Code 
flow.</p><p>The code that the client receives in the end of the redirection 
process will need to be exchanged for a new access token with 
AccessTokenService. CXF-based clients can use a helper <a shape="rect" 
class="external-link" href="http://svn.apache.org/repos/asf/cxf/tr
 
unk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a>
 bean to request a new access token with OAuthClientUtils.</p><h3 
id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same 
way Authorization Code grant is except that the response to the client running 
within a web browser is formatted differently, using URI fragments.</p><p><a 
shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java";>ImplicitGrantService</a>
 service and <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";>AuthorizationCodeDataProvider</a>
 data provider can support a redirection-based Impli
 cit flow.</p><p>Note the only difference is the use of ImplicitGrantService 
instead of AuthorizationCodeGrantService.</p><p>Also note that when an Implicit 
grant client (running within a browser) replaces the code grant for a new 
access token and tries to access the end user's resource, Cross Origin Resource 
Sharing (CORS) support will most likely need to be enabled on the end user's 
resource server.<br clear="none"> The simplest approach is to register a CXF <a 
shape="rect" href="http://cxf.apache.org/docs/jax-rs-cors.html";>CORS 
filter</a>, right before OAuth2 filter (see on it below).</p><p>Starting from 
CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered 
Client id to the browser-hosted client. This is recommended so that the client 
can verify that the token is meant to be delivered to this client.</p><h3 
id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a 
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf
 
/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java">ClientCredentialsGrantHandler</a>
 handler with AccessTokenService for this grant be supported.</p><p>CXF-based 
clients can use a helper <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java";>ClientCredentialsGrant</a>
 bean to request a new access token with OAuthClientUtils.</p><h3 
id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password 
Credentials</h3><p>Register <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java";>ResourceOwnerGrantHandler</a>
 handler with AccessTokenService for this grant be supported.</
 p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java";>ResourceOwnerGrant</a>
 bean to request a new access token with OAuthClientUtils.</p><h3 
id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a 
refresh token grant if the current access token it owns has expired or been 
revoked and the refresh token was issued alongside with the access token which 
is now invalid and get the new, 'refreshed' access token. This can allow the 
client to avoid seeking a new authorization approval from the end 
user.</p><p>Register <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java";>RefreshTokenGrantHandler</a>
 handler with AccessToken
 Service for this grant be supported. Note this grant handler is only useful 
for refreshing the existing access token, so one or more of the other grant 
handlers (Authorization Code, Implicit, etc) will also have to be registered 
with AccessTokenService.</p><p>CXF-based clients can use a helper <a 
shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrant.java";>RefreshTokenGrant</a>
 bean to request a new access token with OAuthClientUtils.</p><h3 
id="JAX-RSOAuth2-Assertions">Assertions</h3><p>SAML2 Bearer and JWT assertions 
can be used as token grants.</p><p>Please see <a shape="rect" 
href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for 
more information.</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If 
you need to customize the way the well-known grant requests are handled then 
consider extending one of the gra
 nt handlers listed in the previous sub-sections.</p><p>Alternatively create a 
custom <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java";>AccessTokenGrantHandler</a>
 and register it with AccessTokenService. Additionally, consider providing a 
related <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>AccessTokenGrant</a>
 implementation for making it easy for the client code to request a new access 
token with this custom grant.</p><h2 
id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</h2><p><a 
shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth
 
2/provider/AuthorizationCodeRequestFilter.java;h=646861c1ea3f9effad74bd234c0576f638009932;hb=HEAD">AuthorizationCodeRequestFilter</a>
 implementations can be registered with AuthorizationCodeService in order to 
pre-process code requests. For example, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java;h=a318c2c405c813e9c07f1b22c4b2afbfccd6101e;hb=HEAD";>JwtRequestCodeFilter</a>
 can be used to process JWS-signed or JWE-encrypted code requests.</p><p><a 
shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java;h=f363a461ed21be5a2b87584271bcce2933402ab6;hb=HEAD";>AuthorizationCodeResponseFilter</a>
 implementations can be registered with AuthorizationCo
 deService in order to post-process code responses.</p><h2 
id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse 
Filters</h2><p><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java;h=f6058e6d2d2aa54543514cbfe2d0d9951a30db68;hb=HEAD";>AccessTokenResponseFilter</a>
 implementations can be registered with AccessTokenService in order to 
post-process access token responses. For example,&#160; OIDC id_token can be 
added to a response with a <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoCodeResponseFilter.java;h=42bf9ff41004a32903e6839495d9edde5963c2e3;hb=HEAD";>filter</a>.
 Filters can also calculate an access token response signature, etc.</p><h2 
id="JAX-RSOAuth2-PreAuthorize
 daccesstokens">PreAuthorized access tokens</h2><p>When working with the flows 
which require the end users/resource owners explicitly authorizing clients (for 
example, as in the case of redirection-based flows), using pre-authorized 
access tokens is one option to minimize the need for the end-user intervention. 
<br clear="none"> OAuthDataProvider is always checked first if the 
pre-authorized access token for a given Client exists and if yes then it will 
be returned immediately, without starting the authorization process involving 
the end user (as required by some flows).</p><p>Consider providing a user 
interface which will let the end users/resource owners to pre-authorize 
specific clients early. Note, a CXF service for supporting the users 
pre-authorizing the clients or revoking the tokens for some of the clients may 
be introduced in the future.</p><p>Also note that using a refresh token grant 
may further help with minimizing the end user involvement, in cases when the 
current acces
 s token has expired.</p><h2 
id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can 
register custom scopes they will be expected to use and then avoid specifying 
the scopes when requesting the code grants or access tokens.<br clear="none"> 
Alternatively it makes it easier to support so called wild-card scopes. For 
example, a client pre-registers a scope "update" and actually uses an 
"update-7" scope: Redirection-based services and access token grants can be 
configured to do a partial scope match, in this case, validate that "update-7" 
starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing 
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a 
lot with setting up an OAuth server. As you can see from the above sections, 
these services rely on a custom <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth
 2/provider/OAuthDataProvider.java">OAuthDataProvider</a> 
implementation.</p><p>The main task of OAuthDataProvider is to persist and 
generate access tokens. Additionally, as noted above, 
AuthorizationCodeDataProvider needs to persist and remove the code grant 
registrations. The way it's done is really application-specific. Consider 
starting with a basic memory based implementation and then move on to keeping 
the data in some DB.</p><p>Note that OAuthDataProvider supports retrieving <a 
shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java";>Client</a>
 instances but it has no methods for creating or removing Clients. The reason 
for it is that the process of registering third-party clients is very specific 
to a particular OAuth2 application, so CXF does not offer a registration 
support service and hence OAuthDataProvider has no Client create/update 
methods. Y
 ou will likely need to do something like this:</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><pre>&#160;</pre><h5 id="JAX-RSOAuth2-UsingCertificates">Using 
Certificates</h5><p>Working with the certificates to encrypt the state is 
similar to working with the symmetric keys. Please check the code examples in 
<a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java";>EncryptionsUtilsTest</a>.</p><p>One
 needs to load a Certificate, use its public key to encrypt and the private key 
to decrypt. using the certificate to encrypt the whole serialized token 
representation might be marginally slower compared to using the symmetric keys, 
however given that the sequence is about 300+ characters maximum the 
performance can be reasonable.</p><h5 
id="JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using Certificates and Secret 
Keys</h5><p>The other approach is to generate a secret key, use this key to 
encrypt the token and then use the certi
 ficate to encrypt the key. The encrypted token and the actual encrypted secret 
key can be returned to the client as a token parameter, for example, as a 'key' 
parameter. This 'key' parameter will need to be returned to the OAuth2 server, 
via the HTTP header or the custom authorization scheme. The data providers 
using this mechanism will need to implement AccessTokenValidator and decrypt 
the encrypted key with the private certificate key, and decrypt the token with 
the decrypted secret key. Please check the code example in <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java";>EncryptionsUtilsTest</a>.</p><h5
 id="JAX-RSOAuth2-EncryptedJWTTokens">Encrypted JWT Tokens</h5><p>JWT Token can 
be JWE-encrypted and the encrypted string passed to ServerAccessToken as access 
token id parameter.</p><p>See <a shape="rect" href="jax-rs-jose.html">JAX-RS
  Jose</a> wiki page for more information on how to sign and encrypt JSON Web 
Tokens.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If needed, 
users can use their own custom token types, with the only restriction that the 
custom token type implementations have to extend 
org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.</p><h4 
id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and 
Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect" 
class="external-link" 
href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00"; 
rel="nofollow">audience</a> parameter is supported during the client token 
requests.</p><h3 
id="JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</h3><p>org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider
 is a JAX-RS MessageBodyWriter which supports returning ClientAccessToken and 
OAuthError representations to the client in a JSON format required by OAuth2 
spec. It is also a JAX-RS MessageBodyReader that is used by client OA
 uthClientUtils (see below) to read the responses from 
AccessTokenService.</p><p>Register it as a provider with a JAXRS 
AccessTokenService endpoint.</p><p>Alternatively, if you prefer, a custom 
MessageBodyWriter implementation can be registered instead.</p><p>&#160;</p><h3 
id="JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</h3><p>The
 <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java";>AccessTokenValidationService</a>
 is a CXF specific OAuth2 service for accepting the remote access token 
validation requests. Typically, OAuthRequestFilter (see on it below) may choose 
to impersonate itself as a third-party client and will ask 
AccessTokenValidationService to return the information relevant to the current 
access token, before setting up a security context. More on it below.</p><h2 
id="JAX-RSOAuth2-TokenRev
 ocationService">TokenRevocationService</h2><p><a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java";>TokenRevocationService</a>
 is a simple OAuth2 service supporting the clients wishing to revoke the access 
or refresh tokens they own themselves, please see <a shape="rect" 
class="external-link" 
href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09"; 
rel="nofollow">OAuth2 Token Revocation Draft</a> for more 
information.</p><p>TokenRevocationService and AccessTokenService share the same 
code which enforces that the clients have been correctly 
authenticated.</p><p>Note, OAuthDataProvider implementations processing a 
revocation request should simply ignore the invalid tokens as recommended by 
the specification which will let TokenRevocationService return HTTP 200 which 
is done to minimize a possible attack surface (specifically f
 or bad clients not to see if their requests failed or succeeded) and throw the 
exceptions only if the token revocation feature is not currently 
supported.</p><h2 id="JAX-RSOAuth2-SupportedGrants">Supported Grants</h2><p>The 
following subsections briefly describe how the well-known grant types can be 
supported on the server side. Please also check the "Client Side Support" 
section on how to use the related <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>AccessTokenGrant</a>
 implementations to request the access tokens.</p><h3 
id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As described 
above, <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java";>AuthorizationCodeGr
 antService</a> service and <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";>AuthorizationCodeDataProvider</a>
 data provider can support a redirection-based Authorization Code 
flow.</p><p>The code that the client receives in the end of the redirection 
process will need to be exchanged for a new access token with 
AccessTokenService. CXF-based clients can use a helper <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java";>AuthorizationCodeGrant</a>
 bean to request a new access token with OAuthClientUtils.</p><h3 
id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same 
way Authorization Code grant is except that the response to the client running 
 within a web browser is formatted differently, using URI fragments.</p><p><a 
shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java";>ImplicitGrantService</a>
 service and <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";>AuthorizationCodeDataProvider</a>
 data provider can support a redirection-based Implicit flow.</p><p>Note the 
only difference is the use of ImplicitGrantService instead of 
AuthorizationCodeGrantService.</p><p>Also note that when an Implicit grant 
client (running within a browser) replaces the code grant for a new access 
token and tries to access the end user's resource, Cross Origin Resource 
Sharing (CORS) support will most likely need to be enabled on the end
  user's resource server.<br clear="none"> The simplest approach is to register 
a CXF <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-cors.html";>CORS 
filter</a>, right before OAuth2 filter (see on it below).</p><p>Starting from 
CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered 
Client id to the browser-hosted client. This is recommended so that the client 
can verify that the token is meant to be delivered to this client.</p><h3 
id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a 
shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java";>ClientCredentialsGrantHandler</a>
 handler with AccessTokenService for this grant be supported.</p><p>CXF-based 
clients can use a helper <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/securit
 
y/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java">ClientCredentialsGrant</a>
 bean to request a new access token with OAuthClientUtils.</p><h3 
id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password 
Credentials</h3><p>Register <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java";>ResourceOwnerGrantHandler</a>
 handler with AccessTokenService for this grant be supported.</p><p>CXF-based 
clients can use a helper <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java";>ResourceOwnerGrant</a>
 bean to request a new access token with OAuthClientUtils.</p><h3 
id="JAX-RSOAuth2-RefreshToken">Refresh Token
 </h3><p>The client can issue a refresh token grant if the current access token 
it owns has expired or been revoked and the refresh token was issued alongside 
with the access token which is now invalid and get the new, 'refreshed' access 
token. This can allow the client to avoid seeking a new authorization approval 
from the end user.</p><p>Register <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java";>RefreshTokenGrantHandler</a>
 handler with AccessTokenService for this grant be supported. Note this grant 
handler is only useful for refreshing the existing access token, so one or more 
of the other grant handlers (Authorization Code, Implicit, etc) will also have 
to be registered with AccessTokenService.</p><p>CXF-based clients can use a 
helper <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trun
 
k/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrant.java">RefreshTokenGrant</a>
 bean to request a new access token with OAuthClientUtils.</p><h3 
id="JAX-RSOAuth2-Assertions">Assertions</h3><p>SAML2 Bearer and JWT assertions 
can be used as token grants.</p><p>Please see <a shape="rect" 
href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for 
more information.</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If 
you need to customize the way the well-known grant requests are handled then 
consider extending one of the grant handlers listed in the previous 
sub-sections.</p><p>Alternatively create a custom <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java";>AccessTokenGrantHandler</a>
 and register it with AccessTokenService. Additionally, con
 sider providing a related <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>AccessTokenGrant</a>
 implementation for making it easy for the client code to request a new access 
token with this custom grant.</p><h2 
id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</h2><p><a 
shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeRequestFilter.java;h=646861c1ea3f9effad74bd234c0576f638009932;hb=HEAD";>AuthorizationCodeRequestFilter</a>
 implementations can be registered with AuthorizationCodeService in order to 
pre-process code requests. For example, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-paren
 
t/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java;h=a318c2c405c813e9c07f1b22c4b2afbfccd6101e;hb=HEAD">JwtRequestCodeFilter</a>
 can be used to process JWS-signed or JWE-encrypted code requests.</p><p><a 
shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java;h=f363a461ed21be5a2b87584271bcce2933402ab6;hb=HEAD";>AuthorizationCodeResponseFilter</a>
 implementations can be registered with AuthorizationCodeService in order to 
post-process code responses.</p><h2 
id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse 
Filters</h2><p><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java;h=f6058e6d2d2aa
 54543514cbfe2d0d9951a30db68;hb=HEAD">AccessTokenResponseFilter</a> 
implementations can be registered with AccessTokenService in order to 
post-process access token responses. For example,&#160; OIDC id_token can be 
added to a response with a <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoCodeResponseFilter.java;h=42bf9ff41004a32903e6839495d9edde5963c2e3;hb=HEAD";>filter</a>.
 Filters can also calculate an access token response signature, etc.</p><h2 
id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access 
tokens</h2><p>When working with the flows which require the end users/resource 
owners explicitly authorizing clients (for example, as in the case of 
redirection-based flows), using pre-authorized access tokens is one option to 
minimize the need for the end-user intervention. <br clear="none"> 
OAuthDataProvider is always checked first if the 
 pre-authorized access token for a given Client exists and if yes then it will 
be returned immediately, without starting the authorization process involving 
the end user (as required by some flows).</p><p>Consider providing a user 
interface which will let the end users/resource owners to pre-authorize 
specific clients early. Note, a CXF service for supporting the users 
pre-authorizing the clients or revoking the tokens for some of the clients may 
be introduced in the future.</p><p>Also note that using a refresh token grant 
may further help with minimizing the end user involvement, in cases when the 
current access token has expired.</p><h2 
id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can 
register custom scopes they will be expected to use and then avoid specifying 
the scopes when requesting the code grants or access tokens.<br clear="none"> 
Alternatively it makes it easier to support so called wild-card scopes. For 
example, a client pre-registers a scope
  "update" and actually uses an "update-7" scope: Redirection-based services 
and access token grants can be configured to do a partial scope match, in this 
case, validate that "update-7" starts from "update"</p><h2 
id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing 
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a 
lot with setting up an OAuth server. As you can see from the above sections, 
these services rely on a custom <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";>OAuthDataProvider</a>
 implementation.</p><p>The main task of OAuthDataProvider is to persist and 
generate access tokens. Additionally, as noted above, 
AuthorizationCodeDataProvider needs to persist and remove the code grant 
registrations. The way it's done is really application-specific. Consider 
starting with a basic memory based implementat
 ion and then move on to keeping the data in some DB.</p><p>Note that 
OAuthDataProvider supports retrieving <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java";>Client</a>
 instances but it has no methods for creating or removing Clients. The reason 
for it is that the process of registering third-party clients is very specific 
to a particular OAuth2 application, so CXF does not offer a registration 
support service and hence OAuthDataProvider has no Client create/update 
methods. You will likely need to do something like this:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">public class CustomOAuthProvider implements 
OAuthDataProvider {
    public Client registerClient(String applicationName, String applicationURI, 
...) {}
    public void removeClient(String cliendId) {}


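Review bot: in the new CustomOAuthProvider snippet at the end of the hunk, `public void removeClient(String cliendId) {}` misspells the parameter (it should be `clientId`), and the block does not compile as shown: `registerClient(String applicationName, String applicationURI, ...)` carries a literal `...` in its parameter list, and the class is declared `implements OAuthDataProvider` without any of that interface's methods. Either name the remaining parameters and say that the OAuthDataProvider methods are elided, or present it as pseudocode so readers do not paste it into a build. The added `</div></div><pre>&#160;</pre>` line also leaves an empty code box (a `<pre>` holding only a non-breaking space) in front of the "Using Certificates" heading; that `<pre>` can be dropped. Minor grammar in the grant subsections: "Register ... handler with AccessTokenService for this grant be supported" should read "for this grant to be supported" (Client Credentials, Resource Owner Password Credentials and Refresh Token all have it).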