[jira] [Updated] (CXF-6663) Scope based authorization support for OAuth2 RS endpoints

Sergey Beryozkin (JIRA) Wed, 04 Nov 2015 06:17:19 -0800

     [ 
https://issues.apache.org/jira/browse/CXF-6663?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sergey Beryozkin updated CXF-6663:
----------------------------------
    Description: Annotations like @ConfidentialClient, @Scopes("a", "b") should 
 be used in the combinations or separately, ex, this method can only be invoked 
if the client behind this access token is confidential, and/or this client has 
'a' and 'b' scopes approved. OAuth2 filter can already do some fine-grained 
authorization (restrict to specific HTTP verbs or URI subsets) and the RS code 
can use OauthContext to manually check the scopes, the client type, etc, but 
the annotation-based AC would be quite handy too  (was: Annotations like 
@ConfidentialClient, @Scopes("a", "b") should  be used in the combinations or 
separately, ex, this method can only be invoked if the client behind this 
access token is confidential, and/or this client has 'a' and 'b' scopes 
approved. OAuth2 filter can already so some fine-grained authorization 
(restrict to specific HTTP verbs or URI subsets) and the RS code can use 
OauthContext to manually check the scopes, the client type, etc, but the 
annotation-based AC would be quite handy too)

> Scope based authorization support for OAuth2 RS endpoints
> ---------------------------------------------------------
>
>                 Key: CXF-6663
>                 URL: https://issues.apache.org/jira/browse/CXF-6663
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>
> Annotations like @ConfidentialClient, @Scopes("a", "b") should  be used in 
> the combinations or separately, ex, this method can only be invoked if the 
> client behind this access token is confidential, and/or this client has 'a' 
> and 'b' scopes approved. OAuth2 filter can already do some fine-grained 
> authorization (restrict to specific HTTP verbs or URI subsets) and the RS 
> code can use OauthContext to manually check the scopes, the client type, etc, 
> but the annotation-based AC would be quite handy too



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (CXF-6663) Scope based authorization support for OAuth2 RS endpoints

Reply via email to