[ https://issues.apache.org/jira/browse/CXF-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13508965#comment-13508965 ]
Steven Tippetts commented on CXF-4671:
--------------------------------------
I also added a snippet of code in my convertScopeToPermissions method of my
ImplicitDataProvider object to check the requested scopes against a collection
of allowed scopes that I store on a per client basis by overriding the Client
object and adding an allowedScopes property.
Although, as I look now at the code, I could probably add scope + "_status"
parameters of the allowed scopes prior to the call to
super.completeAuthorization(params) and remove the check in
convertScopeToPermissions.
> [OAuth2] Add option to not have user intervention
> -------------------------------------------------
>
> Key: CXF-4671
> URL: https://issues.apache.org/jira/browse/CXF-4671
> Project: CXF
> Issue Type: Wish
> Components: JAX-RS Security
> Affects Versions: 2.7.0
> Reporter: Steven Tippetts
>
> I'm using the cxf oauth library as a cross domain, non-cookie way to protect
> my resource server endpoints. As such, I don't need the user to authorize
> access to any data. I know this isn't part of the OAuth 2 spec, but it would
> be very nice if there were a config setting that would skip the user
> authorization part.
> Currently, I'm extending RedirectionBasedGrantService and overriding
> startAuthorization like this:
> {code}
> @Override
> protected Response startAuthorization(MultivaluedMap<String, String> params) {
>     // Return value is discarded; the authenticity token is read from the session below.
>     super.startAuthorization(params);
>     HttpSession session = getMessageContext().getHttpServletRequest().getSession();
>     String sessionToken =
>         (String) session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
>     // Submit the "allow" decision on the user's behalf, with the matching token.
>     params.add("session_authenticity_token", sessionToken);
>     params.add("oauthDecision", "allow");
>     return super.completeAuthorization(params);
> }
> {code}
> This works ok for me, but it would be nice if it were a part of the library.
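The per-client allowed-scope check described in the comment above, as an added stand-alone example that is not part of the original message or of CXF. The class name, client id and scope names are hypothetical, and rejecting an empty scope request is an assumption of this sketch.

```java
import java.util.*;

/** Hypothetical helper: per-client scope allow-list for a flow with no consent screen. */
public class AllowedScopeCheck {

    // client id -> scopes that client may be granted without user consent
    private final Map<String, Set<String>> allowedScopes;

    public AllowedScopeCheck(Map<String, Set<String>> allowedScopes) {
        this.allowedScopes = allowedScopes;
    }

    /**
     * Parses the space-delimited OAuth2 "scope" parameter and returns the scopes to grant.
     * Fails closed: an unknown client, an empty request, or any scope outside the
     * client's allow-list rejects the whole request instead of silently narrowing it.
     */
    public Set<String> check(String clientId, String scopeParam) {
        Set<String> allowed = allowedScopes.get(clientId);
        if (allowed == null) {
            throw new SecurityException("unknown client: " + clientId);
        }
        Set<String> requested = new LinkedHashSet<>();
        if (scopeParam != null) {
            for (String s : scopeParam.trim().split("\\s+")) {
                if (!s.isEmpty()) requested.add(s);
            }
        }
        if (requested.isEmpty()) {
            throw new SecurityException("no scope requested");
        }
        for (String s : requested) {
            if (!allowed.contains(s)) { // exact, case-sensitive match
                throw new SecurityException("scope not allowed for " + clientId + ": " + s);
            }
        }
        return requested;
    }

    public static void main(String[] args) {
        // Constructed sample policy and requests.
        Map<String, Set<String>> policy = new HashMap<>();
        policy.put("reporting-ui", new HashSet<>(Arrays.asList("read_reports", "read_profile")));
        AllowedScopeCheck check = new AllowedScopeCheck(policy);
        System.out.println(check.check("reporting-ui", "read_reports  read_profile"));
        try {
            check.check("reporting-ui", "read_reports admin");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```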