Author: buildbot
Date: Mon Nov 7 11:47:36 2016
New Revision: 1000649
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oidc.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oidc.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oidc.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oidc.html Mon Nov 7 11:47:36
2016
@@ -117,11 +117,11 @@ Apache CXF -- JAX-RS OIDC
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1472215619602 {padding: 0px;}
-div.rbtoc1472215619602 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1472215619602 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1478519220343 {padding: 0px;}
+div.rbtoc1478519220343 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1478519220343 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1472215619602">
+/*]]>*/</style></p><div class="toc-macro rbtoc1478519220343">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOIDC-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOIDC-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSOIDC-IdTokenandUserInfo">IdToken and
UserInfo</a></li><li><a shape="rect" href="#JAX-RSOIDC-OIDCIDPsupport">OIDC IDP
support</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</a></li><li><a
shape="rect" href="#JAX-RSOIDC-ImplicitFlow">Implicit Flow</a></li><li><a
shape="rect" href="#JAX-RSOIDC-HybridFlow">Hybrid Flow</a></li></ul>
@@ -135,7 +135,7 @@ div.rbtoc1472215619602 li {margin-left:
<artifactId>cxf-rt-rs-security-sso-oidc</artifactId>
<version>3.1.7</version>
</dependency></pre>
-</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and
UserInfo</h1><p><a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken";
rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It
provides a collection of claims describing the authenticated user. IdToken is a
secured <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken";>JWT
token</a> which is <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature";>JWS-signed</a>
and/or <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption";>JWE-encrypted</a>
by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java";
rel="nofollow"><span
class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
<p>One way to populate it is to register a custom <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java";
rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or
OidcImplicitService. For example, <a shape="rect"
href="https://cxf.apache.org/fediz-oidc.html";>Fediz OIDC</a> uses the <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java";
rel="nofollow">following SubjectCreator:</a> it accesses a user principal
prepared by Fediz Authenticators and creates IdToken by converting an already
available SAML token to IdToken and sets it on <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSub
ject.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal
may already have a prepared IdToken. </p><p>The other approach is to
create IdToken in a <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider";>custom
OAuthDataProvider</a> at the moment a code grant or access token is persisted.
In this case IdToken will need to be populated first and then converted to
either JWS or JWE sequence and saved as a grant or token "id_token" property:
if it is a code flow then set it as a grant property at the moment the grant is
persisted, if it is the implicit flow - set it as a token property at the
moment the token is persisted. This approach is a bit more involved but
creating a JWS or JWS IdToken representations with <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html";>CXF JOSE</a> is
straightforward.   </p><p>In general the way IdToken is created is
container/implementation specific. Creati
ng IdToken is the main requirement for integrating CXF OIDC code with the 3rd
party container.</p><p>Finally, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java";
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService";>AccessTokenService</a>
to complete the authorization code flow) or <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140";
rel="nofollow">OidcImplicitService</a> can ask <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java";
rel="nofollow">IdTokenProvider</a> to create IdToken at the m
oment it needs to be returned to the client application. </p><p>IdToken
can provide enough information for the client application to work with the
current user. However, the client can get more information about the user from
OIDC <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo";
rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides <span
class="pl-smi"> </span><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java";
rel="nofollow"><span
class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a> One
can create and set it at <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java";
rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or
let CXF OIDCUserInfo service create it as described below.</p><h1
id="JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC IDP
code provides JAX-RS services for supporting OIDC <a shape="rect"
class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth";
rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth";
rel="nofollow">Implicit</a> and <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth";
rel="nofollow">Hybrid</a> flows. These services support <a shape="rect"
class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication";
rel="nofollow">all OIDC response types</a>.</p><p>Services for supporting <a
shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo";
rel="nofollow">UserInfo requests</a> and r
eturning IdToken <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#Signing";
rel="nofollow">signature verification keys</a> are also shipped. </p><h2
id="JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3
id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java";
rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService";>AuthorizationCodeGrantService</a>
extension which enforces OIDC specific constraints. </p><p>This service
issues a code grant, while <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService";>AccessTokenService</a>
returns Access and Id tokens. </p><p>
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java";
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService";>AccessTokenService</a>)
is where IdToken is actually added to the client response.</p><h3
id="JAX-RSOIDC-ImplicitFlow">Implicit Flow</h3><p><a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java";
rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService
extension which enforces OIDC specific constraints and adds IdToken to the
client response. </p><h3 id="JAX-RSOIDC-HybridFlow">Hybrid Flow</h3><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc
/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java"
rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java";
rel="nofollow">OidcImplicitService</a> and <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java";
rel="nofollow">OidcAuthorizationCodeService</a>. </p><h2
id="JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</h2><p><a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java";
rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect"
class="external-link" href="https://g
ithub.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java";
rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the
existing IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java";
rel="nofollow">UserInfoService</a> is accessed by a client which uses the
access token issued to it during the user authentication process.</p><h2
id="JAX-RSOIDC-JWKKeysService">JWK Keys Service</h2><p><a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apach
e/cxf/rs/security/oidc/idp/OidcKeysService.java"
rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public
verification JWK key. By default only a public key is returned but the service
can also be configured for JWK key to include the corresponding  X509
certificate chain too.  Use this service if IdToken is signed by a private
RSA or EC key for the client be able to fetch the verification keys without
having to import them into local key stores.</p><p> </p><h2
id="JAX-RSOIDC-OidcDynamicRegistrationService">OidcDynamicRegistrationService</h2><p> </p><p>This
service is currently a work in progress and may become available in CXF 3.1.8
or CXF 3.1.9. It will support the dynamic client <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7591";
rel="nofollow">registration</a> and <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7592"; rel="nofollow">management</a> with
<a shape="rect" class="external-l
ink" href="http://openid.net/specs/openid-connect-registration-1_0.html";
rel="nofollow">OIDC specific properties</a> being handled
too.</p><p> </p><h2
id="JAX-RSOIDC-OidcConfigurationService">OidcConfigurationService</h2><p> </p><p>This
service is currently a work in progress and may become available in CXF 3.1.8
or CXF 3.1.9. It will support OIDC <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig";
rel="nofollow">server configuration</a> queries at
".well-known/openid-configuration".</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89";
rel="nofollow"><br clear="none"></a></p><h1 id="JAX-RSOIDC-FedizOIDCIDP">Fediz
OIDC IDP</h1><p><a shape="rect"
href="https://cxf.apache.org/fediz-oidc.html";>Fediz OIDC</a> project provides a
reference integration between CXF OIDC IDP code and Fediz Authentication Syst
em. It has <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html"; rel="nofollow">OIDC
Core</a> supported with a minimum amount of code and configuration.</p><p>It
creates IdToken in a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java";
rel="nofollow">SubjectCreator</a> as described above. Currently it depends on
CXF Ehcache <a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47";
rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is
needed. Besides that it provides a support for managing the client
registrations. <a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml";
rel="nofollow">It registers</a>
OIDC services as JAX-RS endpoints.</p><p>While some implementation details
may change going forward (example, the alternative data provider may get
introduced, etc), for the most part it shows that creating IdToken is what is
really needed to get the container integrated with the CXF OIDC code.</p><h1
id="JAX-RSOIDC-OIDCRPsupport">OIDC RP support</h1><p>OIDC RP client support is
needed for the client application to redirect a user to OIDC IDP, get and
validate IdToken, optionally get UserInfo, and make both IdToken and UserInfo
easily accessible to the client application code.</p><h2
id="JAX-RSOIDC-Demos">Demos</h2><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query";
rel="nofollow">BigQuery</a> <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java";
rel="
nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code
to support interacting with the user, redirecting the user to Google to
authenticate, and validating IdToken returned from Google AccessTokenService
alongside a new access token (OIDC Authorization Code Flow). The demo service
uses IdToken to address the user correctly and the access token to access the
user's resources as authorized by the user.</p><p>For example, the context is
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L51";
rel="nofollow">injected</a> and used to get <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68";
rel="nofollow">the access token</a> and <a shape="rect" class="external-link"
href="https://git
hub.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75"
rel="nofollow">the user info</a>. See <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70";
rel="nofollow">the context</a> with the comments on how to configure RP
filters.</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc";
rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java";
rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS
server. This server works with an HTTP Browser client which uses Google script
libraries to
get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This
browser client interacts with CXF OIDC RP code to get IdToken validated and
then posts this token to the demo service. Demo service depends on CXF OIDC RP
to have this IdToken easily accessible in its
code</p><p> </p><p> </p></div>
+</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and
UserInfo</h1><p><a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken";
rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It
provides a collection of claims describing the authenticated user. IdToken is a
secured <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken";>JWT
token</a> which is <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature";>JWS-signed</a>
and/or <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption";>JWE-encrypted</a>
by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java";
rel="nofollow"><span
class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
<p>One way to populate it is to register a custom <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java";
rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or
OidcImplicitService. For example, <a shape="rect"
href="https://cxf.apache.org/fediz-oidc.html";>Fediz OIDC</a> uses the <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java";
rel="nofollow">following SubjectCreator:</a> it accesses a user principal
prepared by Fediz Authenticators and creates IdToken by converting an already
available SAML token to IdToken and sets it on <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSub
ject.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal
may already have a prepared IdToken. </p><p>The other approach is to
create IdToken in a <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider";>custom
OAuthDataProvider</a> at the moment a code grant or access token is persisted.
In this case IdToken will need to be populated first and then converted to
either JWS or JWE sequence and saved as a grant or token "id_token" property:
if it is a code flow then set it as a grant property at the moment the grant is
persisted, if it is the implicit flow - set it as a token property at the
moment the token is persisted. This approach is a bit more involved but
creating a JWS or JWS IdToken representations with <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html";>CXF JOSE</a> is
straightforward.   </p><p>In general the way IdToken is created is
container/implementation specific. Creati
ng IdToken is the main requirement for integrating CXF OIDC code with the 3rd
party container.</p><p>Finally, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java";
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService";>AccessTokenService</a>
to complete the authorization code flow) or <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140";
rel="nofollow">OidcImplicitService</a> can ask <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java";
rel="nofollow">IdTokenProvider</a> to create IdToken at the m
oment it needs to be returned to the client application. </p><p>IdToken
can provide enough information for the client application to work with the
current user. However, the client can get more information about the user from
OIDC <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo";
rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides <span
class="pl-smi"> </span><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java";
rel="nofollow"><span
class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a> One
can create and set it at <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java";
rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or
let CXF OIDCUserInfo service create it as described below.</p><h1
id="JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC IDP
code provides JAX-RS services for supporting OIDC <a shape="rect"
class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth";
rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth";
rel="nofollow">Implicit</a> and <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth";
rel="nofollow">Hybrid</a> flows. These services support <a shape="rect"
class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication";
rel="nofollow">all OIDC response types</a>.</p><p>Services for supporting <a
shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo";
rel="nofollow">UserInfo requests</a> and r
eturning IdToken <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#Signing";
rel="nofollow">signature verification keys</a> are also shipped. </p><h2
id="JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3
id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java";
rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService";>AuthorizationCodeGrantService</a>
extension which enforces OIDC specific constraints. </p><p>This service
issues a code grant, while <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService";>AccessTokenService</a>
returns Access and Id tokens. </p><p>
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java";
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService";>AccessTokenService</a>)
is where IdToken is actually added to the client response.</p><h3
id="JAX-RSOIDC-ImplicitFlow">Implicit Flow</h3><p><a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java";
rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService
extension which enforces OIDC specific constraints and adds IdToken to the
client response. </p><h3 id="JAX-RSOIDC-HybridFlow">Hybrid Flow</h3><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc
/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java"
rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java";
rel="nofollow">OidcImplicitService</a> and <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java";
rel="nofollow">OidcAuthorizationCodeService</a>. </p><h2
id="JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</h2><p><a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java";
rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect"
class="external-link" href="https://g
ithub.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java";
rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the
existing IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java";
rel="nofollow">UserInfoService</a> is accessed by a client which uses the
access token issued to it during the user authentication process.</p><h2
id="JAX-RSOIDC-JWKKeysService">JWK Keys Service</h2><p><a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apach
e/cxf/rs/security/oidc/idp/OidcKeysService.java"
rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public
verification JWK key. By default only a public key is returned but the service
can also be configured for JWK key to include the corresponding  X509
certificate chain too.  Use this service if IdToken is signed by a private
RSA or EC key for the client be able to fetch the verification keys without
having to import them into local key stores.</p><p> </p><h2
id="JAX-RSOIDC-OidcDynamicRegistrationService">OidcDynamicRegistrationService</h2><p> </p><p>This
service is available starting from CXF 3.1.8. It supports the dynamic client
<a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7591"; rel="nofollow">registration</a> and
<a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7592"; rel="nofollow">management</a> with
<a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-
registration-1_0.html" rel="nofollow">OIDC specific properties</a> being
handled too. At the moment some of the advanced registration properties are not
yet processed and linked to the way the core OIDC services operate but the
service will be enhanced as needed going forward.</p><p> </p><h2
id="JAX-RSOIDC-OidcConfigurationService">OidcConfigurationService</h2><p> </p><p>This
service is available starting from CXF 3.1.8. It supports OIDC <a shape="rect"
class="external-link"
href="http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig";
rel="nofollow">server configuration</a> queries at
".well-known/openid-configuration".</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89";
rel="nofollow"><br clear="none"></a></p><h1 id="JAX-RSOIDC-FedizOIDCIDP">Fediz
OIDC IDP</h1><p><a shape="rect"
href="https://cxf.apache.org/fediz-oidc.html";>Fediz OIDC</a> proj
ect provides a reference integration between CXF OIDC IDP code and Fediz
Authentication System. It has <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html"; rel="nofollow">OIDC
Core</a> supported with a minimum amount of code and configuration.</p><p>It
creates IdToken in a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java";
rel="nofollow">SubjectCreator</a> as described above. Currently it depends on
CXF Ehcache <a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47";
rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is
needed. Besides that it provides a support for managing the client
registrations. <a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/s
ervices/oidc/src/main/webapp/WEB-INF/applicationContext.xml" rel="nofollow">It
registers</a> OIDC services as JAX-RS endpoints.</p><p>While some
implementation details may change going forward (example, the alternative data
provider may get introduced, etc), for the most part it shows that creating
IdToken is what is really needed to get the container integrated with the CXF
OIDC code.</p><h1 id="JAX-RSOIDC-OIDCRPsupport">OIDC RP support</h1><p>OIDC RP
client support is needed for the client application to redirect a user to OIDC
IDP, get and validate IdToken, optionally get UserInfo, and make both IdToken
and UserInfo easily accessible to the client application code.</p><h2
id="JAX-RSOIDC-Demos">Demos</h2><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query";
rel="nofollow">BigQuery</a> <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/
release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java"
rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP
code to support interacting with the user, redirecting the user to Google to
authenticate, and validating IdToken returned from Google AccessTokenService
alongside a new access token (OIDC Authorization Code Flow). The demo service
uses IdToken to address the user correctly and the access token to access the
user's resources as authorized by the user.</p><p>For example, the context is
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L51";
rel="nofollow">injected</a> and used to get <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68";
rel
="nofollow">the access token</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75";
rel="nofollow">the user info</a>. See <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70";
rel="nofollow">the context</a> with the comments on how to configure RP
filters.</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc";
rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java";
rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS
server. This server works with an HTTP Browser client which uses Google script
libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit
flow). This browser client interacts with CXF OIDC RP code to get IdToken
validated and then posts this token to the demo service. Demo service depends
on CXF OIDC RP to have this IdToken easily accessible in its
code</p><p> </p><p> </p></div>
</div>
<!-- Content -->
</td>
