(Cross-posted from users@ in case the relevant devs only listen here). I'm using CXF 2.7.2 and building out a server that will support the various flows, in particular the Authorization Code Grant flow[1]. I'm a bit puzzled, though, about the way that RedirectionBasedGrantService#startAuthorization() expects the end user to have already authenticated to the authorization server. This seems different from the way I've seen OAuth 2 implemented at places like salesforce.com, where the /authorize endpoint allows the user to *both* authenticate themselves (username and password) *and* authorize the particular client.
Was this design intentional? If so, is there a recommended technique to implement this flow that *does* allow a combination of authentication and authorization in a single redirect flow?

Craig McClanahan

[1] http://tools.ietf.org/html/rfc6749#section-4.1
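The technique the question is asking about, as an added example that is not part of the original post and is not CXF code (it uses no CXF API): a framework-agnostic Python model of an authorization endpoint that keeps the "user must already be authenticated" check but, when it fails, parks the original authorize request server-side under a random token, sends the user to a login page, and re-enters the authorize step once the login succeeds. In a CXF deployment the equivalent lives in a filter in front of the authorization endpoint, so that startAuthorization() sees an authenticated security context; the client, user and credentials below are constructed for the example.

```python
"""
Framework-agnostic model of an OAuth 2.0 authorization endpoint (RFC 6749 section 4.1)
that lets an unauthenticated user log in and then resume the original authorize request.
Example code written for this thread; it is NOT CXF code and uses no CXF API.
"""
import secrets
from urllib.parse import urlencode

# Constructed data for the example: one registered client, one user.  A real server
# stores hashed credentials; plaintext here only keeps the example short.
CLIENTS = {"client-123": {"redirect_uris": {"https://app.example/cb"}}}
USERS = {"alice": "correct horse battery staple"}


class AuthorizationServer:
    def __init__(self):
        self.sessions = {}   # session_id -> username (the "already authenticated" state)
        self.pending = {}    # resume_token -> saved authorize query, kept server-side
        self.codes = {}      # authorization code -> (client_id, username, redirect_uri)

    def authorize(self, query, session_id=None):
        """GET /authorize.  Returns (status, location)."""
        # 1. Validate client_id and redirect_uri first.  Until these check out we must
        #    not redirect anywhere, so errors here are rendered to the user (400).
        client = CLIENTS.get(query.get("client_id"))
        redirect_uri = query.get("redirect_uri")
        if client is None or redirect_uri not in client["redirect_uris"]:
            return "400", None
        # 2. With a registered redirect_uri, protocol errors go back to the client, with state.
        if query.get("response_type") != "code":
            params = self._with_state(query, {"error": "unsupported_response_type"})
            return "302", redirect_uri + "?" + urlencode(params)
        # 3. The hop the post asks about: no authenticated user yet, so park the request
        #    server-side under a random token and send the user to /login.  Storing it
        #    server-side (instead of echoing the full URL in a return_to parameter) means
        #    the login page never receives a client-controlled redirect target.
        user = self.sessions.get(session_id)
        if user is None:
            token = secrets.token_urlsafe(32)
            self.pending[token] = dict(query)
            return "302", "/login?" + urlencode({"resume": token})
        # 4. Authenticated: consent (auto-approved in this model) and code issuance.
        return self._issue_code(query, user, redirect_uri)

    def login(self, resume_token, username, password):
        """POST /login.  Returns (status, location, session_id)."""
        expected = USERS.get(username)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            return "401", None, None
        query = self.pending.pop(resume_token, None)   # single use: a replayed token fails
        if query is None:
            return "400", None, None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        # Re-enter the authorize step with the saved parameters, now authenticated.
        status, location = self.authorize(query, session_id)
        return status, location, session_id

    def _issue_code(self, query, user, redirect_uri):
        code = secrets.token_urlsafe(32)
        self.codes[code] = (query["client_id"], user, redirect_uri)
        return "302", redirect_uri + "?" + urlencode(self._with_state(query, {"code": code}))

    @staticmethod
    def _with_state(query, params):
        # RFC 6749 4.1.2: echo state exactly when, and only when, the client sent one.
        if "state" in query:
            params["state"] = query["state"]
        return params
```

The ordering matters: client_id and redirect_uri are checked before the login hop, so an attacker cannot use the login page to bounce a victim to an unregistered URI, and the resume token is single use, so a captured login URL cannot be replayed to mint a second code.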
