Author: buildbot
Date: Sun Jan 18 13:47:12 2015
New Revision: 936630
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Sun Jan 18 13:47:12
2015
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS:
OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1419015875847 {padding: 0px;}
-div.rbtoc1419015875847 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1419015875847 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1421588806512 {padding: 0px;}
+div.rbtoc1421588806512 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1421588806512 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1419015875847">
+/*]]>*/</style></p><div class="toc-macro rbtoc1421588806512">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client
Registration</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization
View</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in
Authorization Form</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
@@ -136,14 +136,14 @@ div.rbtoc1419015875847 li {margin-left:
</li><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul>
</li><li><a shape="rect"
href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource
Owner Password Credentials</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul>
-</li><li><a shape="rect"
href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access
tokens</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a>
+</li><li><a shape="rect"
href="#JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow
Filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse
Filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access
tokens</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-DefaultProviders">Default Providers</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth
Server JAX-RS endpoints</a></li></ul>
</li><li><a shape="rect"
href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client
Authentication</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-MultipleFactorVerification">Multiple Factor
Verification</a></li></ul>
</li><li><a shape="rect"
href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End
User Subject initialization</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-OAuth2tokensandSOAPendpoints">OAuth2 tokens and SOAP
endpoints</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to
get the user login name</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Client-sidesupport">Client-side support</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2
without the Explicit Authorization</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a
Browser</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error
details</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a>
+</li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to
get the user login name</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Client-sidesupport">Client-side support</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2
without the Explicit Authorization</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a
Browser</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error
details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2andJOSE">OAuth2
and JOSE</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the
Access to Resource Server</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
different access points to end users and clients</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign
On</a></li></ul>
@@ -360,7 +360,7 @@ return token;
// decrypt a token given a token key
ModelEncryptionSupport.decryptAccessToken(this, encryptedToken,
key);]]></script>
-</div></div><pre> </pre><h5 id="JAX-RSOAuth2-UsingCertificates">Using
Certificates</h5><p>Working with the certificates to encrypt the state is
similar to working with the symmetric keys. Please check the code examples in
<a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java";>EncryptionsUtilsTest</a>.</p><p>One
needs to load a Certificate, use its public key to encrypt and the private key
to decrypt. using the certificate to encrypt the whole serialized token
representation might be marginally slower compared to using the symmetric keys,
however given that the sequence is about 300+ characters maximum the
performance can be reasonable.</p><h5
id="JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using Certificates and Secret
Keys</h5><p>The other approach is to generate a secret key, use this key to
encrypt the token and then use the certi
ficate to encrypt the key. The encrypted token and the actual encrypted secret
key can be returned to the client as a token parameter, for example, as a 'key'
parameter. This 'key' parameter will need to be returned to the OAuth2 server,
via the HTTP header or the custom authorization scheme. The data providers
using this mechanism will need to implement AccessTokenValidator and decrypt
the encrypted key with the private certificate key, and decrypt the token with
the decrypted secret key. Please check the code example in <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java";>EncryptionsUtilsTest</a>.</p><h5
id="JAX-RSOAuth2-EncryptedJWTTokens">Encrypted JWT Tokens</h5><p>JWT Token can
be JWE-encrypted and the encrypted string passed to ServerAccessToken as access
token id parameter.</p><p>See <a shape="rect" href="json-web-tokens.html">JS
ON Web Tokens</a> wiki page for more information on how to sign and encrypt
JSON Web Tokens.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If
needed, users can use their own custom token types, with the only restriction
that the custom token type implementations have to extend
org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.</p><h4
id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and
Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect"
class="external-link"
href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00";
rel="nofollow">audience</a> parameter is supported during the client token
requests.</p><h3
id="JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</h3><p>The
<a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java";>AccessTokenValidationService</a>
is a
CXF specific OAuth2 service for accepting the remote access token validation
requests. Typically, OAuthRequestFilter (see on it below) may choose to
impersonate itself as a third-party client and will ask
AccessTokenValidationService to return the information relevant to the current
access token, before setting up a security context. More on it below.</p><h2
id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java";>TokenRevocationService</a>
is a simple OAuth2 service supporting the clients wishing to revoke the access
or refresh tokens they own themselves, please see <a shape="rect"
class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09";
rel="nofollow">OAuth2 Token Revocation Draft</a> for more
information.</p><p>TokenRevocationServic
e and AccessTokenService share the same code which enforces that the clients
have been correctly authenticated.</p><p>Note, OAuthDataProvider
implementations processing a revocation request should simply ignore the
invalid tokens as recommended by the specification which will let
TokenRevocationService return HTTP 200 which is done to minimize a possible
attack surface (specifically for bad clients not to see if their requests
failed or succeeded) and throw the exceptions only if the token revocation
feature is not currently supported.</p><h2
id="JAX-RSOAuth2-SupportedGrants">Supported Grants</h2><p>The following
subsections briefly describe how the well-known grant types can be supported on
the server side. Please also check the "Client Side Support" section on how to
use the related <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>Ac
cessTokenGrant</a> implementations to request the access tokens.</p><h3
id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As described
above, <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java";>AuthorizationCodeGrantService</a>
service and <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";>AuthorizationCodeDataProvider</a>
data provider can support a redirection-based Authorization Code
flow.</p><p>The code that the client receives in the end of the redirection
process will need to be exchanged for a new access token with
AccessTokenService. CXF-based clients can use a helper <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/as
f/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same
way Authorization Code grant is except that the response to the client running
within a web browser is formatted differently, using URI fragments.</p><p><a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java";>ImplicitGrantService</a>
service and <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";>AuthorizationCodeDataProvider</a>
data provider can support a redirection-bas
ed Implicit flow.</p><p>Note the only difference is the use of
ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also note
that when an Implicit grant client (running within a browser) replaces the code
grant for a new access token and tries to access the end user's resource, Cross
Origin Resource Sharing (CORS) support will most likely need to be enabled on
the end user's resource server.<br clear="none"> The simplest approach is to
register a CXF <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-cors.html";>CORS filter</a>, right
before OAuth2 filter (see on it below).</p><p>Starting from CXF 2.7.5 it is
possible to request ImplicitGrantService to return a registered Client id to
the browser-hosted client. This is recommended so that the client can verify
that the token is meant to be delivered to this client.</p><h3
id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a
shape="rect" class="external-link" href="http://svn.apache.org/repos
/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java">ClientCredentialsGrantHandler</a>
handler with AccessTokenService for this grant be supported.</p><p>CXF-based
clients can use a helper <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java";>ClientCredentialsGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password
Credentials</h3><p>Register <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java";>ResourceOwnerGrantHandler</a>
handler with AccessTokenService for this grant be supp
orted.</p><p>CXF-based clients can use a helper <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java";>ResourceOwnerGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a
refresh token grant if the current access token it owns has expired or been
revoked and the refresh token was issued alongside with the access token which
is now invalid and get the new, 'refreshed' access token. This can allow the
client to avoid seeking a new authorization approval from the end
user.</p><p>Register <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java";>RefreshTokenGrantHandler</a>
handler with Acc
essTokenService for this grant be supported. Note this grant handler is only
useful for refreshing the existing access token, so one or more of the other
grant handlers (Authorization Code, Implicit, etc) will also have to be
registered with AccessTokenService.</p><p>CXF-based clients can use a helper <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrant.java";>RefreshTokenGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-Assertions">Assertions</h3><p>SAML2 Bearer and JWT assertions
can be used as token grants.</p><p>Please see <a shape="rect"
href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for
more information.</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If
you need to customize the way the well-known grant requests are handled then
consider extending one of
the grant handlers listed in the previous sub-sections.</p><p>Alternatively
create a custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java";>AccessTokenGrantHandler</a>
and register it with AccessTokenService. Additionally, consider providing a
related <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>AccessTokenGrant</a>
implementation for making it easy for the client code to request a new access
token with this custom grant.</p><h2
id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access
tokens</h2><p>When working with the flows which require the end users/resource
owners explicitly authorizing clients (for example, as in the case of
redirection-based flows), using pre
-authorized access tokens is one option to minimize the need for the end-user
intervention. <br clear="none"> OAuthDataProvider is always checked first if
the pre-authorized access token for a given Client exists and if yes then it
will be returned immediately, without starting the authorization process
involving the end user (as required by some flows).</p><p>Consider providing a
user interface which will let the end users/resource owners to pre-authorize
specific clients early. Note, a CXF service for supporting the users
pre-authorizing the clients or revoking the tokens for some of the clients may
be introduced in the future.</p><p>Also note that using a refresh token grant
may further help with minimizing the end user involvement, in cases when the
current access token has expired.</p><h2
id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can
register custom scopes they will be expected to use and then avoid specifying
the scopes when requesting the cod
e grants or access tokens.<br clear="none"> Alternatively it makes it easier
to support so called wild-card scopes. For example, a client pre-registers a
scope "update" and actually uses an "update-7" scope: Redirection-based
services and access token grants can be configured to do a partial scope match,
in this case, validate that "update-7" starts from "update"</p><h2
id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a
lot with setting up an OAuth server. As you can see from the above sections,
these services rely on a custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";>OAuthDataProvider</a>
implementation.</p><p>The main task of OAuthDataProvider is to persist and
generate access tokens. Additionally, as noted above,
AuthorizationCodeDataProvider need
s to persist and remove the code grant registrations. The way it's done is
really application-specific. Consider starting with a basic memory based
implementation and then move on to keeping the data in some DB.</p><p>Note that
OAuthDataProvider supports retrieving <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java";>Client</a>
instances but it has no methods for creating or removing Clients. The reason
for it is that the process of registering third-party clients is very specific
to a particular OAuth2 application, so CXF does not offer a registration
support service and hence OAuthDataProvider has no Client create/update
methods. You will likely need to do something like this:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><pre> </pre><h5 id="JAX-RSOAuth2-UsingCertificates">Using
Certificates</h5><p>Working with the certificates to encrypt the state is
similar to working with the symmetric keys. Please check the code examples in
<a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java";>EncryptionsUtilsTest</a>.</p><p>One
needs to load a Certificate, use its public key to encrypt and the private key
to decrypt. using the certificate to encrypt the whole serialized token
representation might be marginally slower compared to using the symmetric keys,
however given that the sequence is about 300+ characters maximum the
performance can be reasonable.</p><h5
id="JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using Certificates and Secret
Keys</h5><p>The other approach is to generate a secret key, use this key to
encrypt the token and then use the certi
ficate to encrypt the key. The encrypted token and the actual encrypted secret
key can be returned to the client as a token parameter, for example, as a 'key'
parameter. This 'key' parameter will need to be returned to the OAuth2 server,
via the HTTP header or the custom authorization scheme. The data providers
using this mechanism will need to implement AccessTokenValidator and decrypt
the encrypted key with the private certificate key, and decrypt the token with
the decrypted secret key. Please check the code example in <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java";>EncryptionsUtilsTest</a>.</p><h5
id="JAX-RSOAuth2-EncryptedJWTTokens">Encrypted JWT Tokens</h5><p>JWT Token can
be JWE-encrypted and the encrypted string passed to ServerAccessToken as access
token id parameter.</p><p>See <a shape="rect" href="json-web-tokens.html">JS
ON Web Tokens</a> wiki page for more information on how to sign and encrypt
JSON Web Tokens.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If
needed, users can use their own custom token types, with the only restriction
that the custom token type implementations have to extend
org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.</p><h4
id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and
Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect"
class="external-link"
href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00";
rel="nofollow">audience</a> parameter is supported during the client token
requests.</p><h3
id="JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</h3><p>The
<a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java";>AccessTokenValidationService</a>
is a
CXF specific OAuth2 service for accepting the remote access token validation
requests. Typically, OAuthRequestFilter (see on it below) may choose to
impersonate itself as a third-party client and will ask
AccessTokenValidationService to return the information relevant to the current
access token, before setting up a security context. More on it below.</p><h2
id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java";>TokenRevocationService</a>
is a simple OAuth2 service supporting the clients wishing to revoke the access
or refresh tokens they own themselves, please see <a shape="rect"
class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09";
rel="nofollow">OAuth2 Token Revocation Draft</a> for more
information.</p><p>TokenRevocationServic
e and AccessTokenService share the same code which enforces that the clients
have been correctly authenticated.</p><p>Note, OAuthDataProvider
implementations processing a revocation request should simply ignore the
invalid tokens as recommended by the specification which will let
TokenRevocationService return HTTP 200 which is done to minimize a possible
attack surface (specifically for bad clients not to see if their requests
failed or succeeded) and throw the exceptions only if the token revocation
feature is not currently supported.</p><h2
id="JAX-RSOAuth2-SupportedGrants">Supported Grants</h2><p>The following
subsections briefly describe how the well-known grant types can be supported on
the server side. Please also check the "Client Side Support" section on how to
use the related <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>Ac
cessTokenGrant</a> implementations to request the access tokens.</p><h3
id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As described
above, <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java";>AuthorizationCodeGrantService</a>
service and <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";>AuthorizationCodeDataProvider</a>
data provider can support a redirection-based Authorization Code
flow.</p><p>The code that the client receives in the end of the redirection
process will need to be exchanged for a new access token with
AccessTokenService. CXF-based clients can use a helper <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/as
f/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same
way Authorization Code grant is except that the response to the client running
within a web browser is formatted differently, using URI fragments.</p><p><a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java";>ImplicitGrantService</a>
service and <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";>AuthorizationCodeDataProvider</a>
data provider can support a redirection-bas
ed Implicit flow.</p><p>Note the only difference is the use of
ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also note
that when an Implicit grant client (running within a browser) replaces the code
grant for a new access token and tries to access the end user's resource, Cross
Origin Resource Sharing (CORS) support will most likely need to be enabled on
the end user's resource server.<br clear="none"> The simplest approach is to
register a CXF <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-cors.html";>CORS filter</a>, right
before OAuth2 filter (see on it below).</p><p>Starting from CXF 2.7.5 it is
possible to request ImplicitGrantService to return a registered Client id to
the browser-hosted client. This is recommended so that the client can verify
that the token is meant to be delivered to this client.</p><h3
id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a
shape="rect" class="external-link" href="http://svn.apache.org/repos
/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java">ClientCredentialsGrantHandler</a>
handler with AccessTokenService for this grant be supported.</p><p>CXF-based
clients can use a helper <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java";>ClientCredentialsGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password
Credentials</h3><p>Register <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java";>ResourceOwnerGrantHandler</a>
handler with AccessTokenService for this grant be supp
orted.</p><p>CXF-based clients can use a helper <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java";>ResourceOwnerGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a
refresh token grant if the current access token it owns has expired or been
revoked and the refresh token was issued alongside with the access token which
is now invalid and get the new, 'refreshed' access token. This can allow the
client to avoid seeking a new authorization approval from the end
user.</p><p>Register <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java";>RefreshTokenGrantHandler</a>
handler with Acc
essTokenService for this grant be supported. Note this grant handler is only
useful for refreshing the existing access token, so one or more of the other
grant handlers (Authorization Code, Implicit, etc) will also have to be
registered with AccessTokenService.</p><p>CXF-based clients can use a helper <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrant.java";>RefreshTokenGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-Assertions">Assertions</h3><p>SAML2 Bearer and JWT assertions
can be used as token grants.</p><p>Please see <a shape="rect"
href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for
more information.</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If
you need to customize the way the well-known grant requests are handled then
consider extending one of
the grant handlers listed in the previous sub-sections.</p><p>Alternatively
create a custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java";>AccessTokenGrantHandler</a>
and register it with AccessTokenService. Additionally, consider providing a
related <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>AccessTokenGrant</a>
implementation for making it easy for the client code to request a new access
token with this custom grant.</p><h2
id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</h2><p><a
shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/securi
ty/oauth2/provider/AuthorizationCodeRequestFilter.java;h=646861c1ea3f9effad74bd234c0576f638009932;hb=HEAD">AuthorizationCodeRequestFilter</a>
implementations can be registered with AuthorizationCodeService in order to
pre-process code requests. For example, <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java;h=a318c2c405c813e9c07f1b22c4b2afbfccd6101e;hb=HEAD";>JwtRequestCodeFilter</a>
can be used to process JWS-signed or JWE-encrypted code requests.</p><p><a
shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java;h=f363a461ed21be5a2b87584271bcce2933402ab6;hb=HEAD";>AuthorizationCodeResponseFilter</a>
implementations can be registered with Authori
zationCodeService in order to post-process code responses.</p><h2
id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse
Filters</h2><p><a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java;h=f6058e6d2d2aa54543514cbfe2d0d9951a30db68;hb=HEAD";>AccessTokenResponseFilter</a>
implementations can be registered with AccessTokenService in order to
post-process access token responses. For example,  OIDC id_token can be
added to a response with a <a shape="rect" class="external-link"
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoCodeResponseFilter.java;h=42bf9ff41004a32903e6839495d9edde5963c2e3;hb=HEAD";>filter</a>.
Filters can also calculate an access token response signature, etc.</p><h2
id="JAX-RSOAuth2-PreA
uthorizedaccesstokens">PreAuthorized access tokens</h2><p>When working with
the flows which require the end users/resource owners explicitly authorizing
clients (for example, as in the case of redirection-based flows), using
pre-authorized access tokens is one option to minimize the need for the
end-user intervention. <br clear="none"> OAuthDataProvider is always checked
first if the pre-authorized access token for a given Client exists and if yes
then it will be returned immediately, without starting the authorization
process involving the end user (as required by some flows).</p><p>Consider
providing a user interface which will let the end users/resource owners to
pre-authorize specific clients early. Note, a CXF service for supporting the
users pre-authorizing the clients or revoking the tokens for some of the
clients may be introduced in the future.</p><p>Also note that using a refresh
token grant may further help with minimizing the end user involvement, in cases
when the curre
nt access token has expired.</p><h2
id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can
register custom scopes they will be expected to use and then avoid specifying
the scopes when requesting the code grants or access tokens.<br clear="none">
Alternatively it makes it easier to support so called wild-card scopes. For
example, a client pre-registers a scope "update" and actually uses an
"update-7" scope: Redirection-based services and access token grants can be
configured to do a partial scope match, in this case, validate that "update-7"
starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a
lot with setting up an OAuth server. As you can see from the above sections,
these services rely on a custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/securi
ty/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
implementation.</p><p>The main task of OAuthDataProvider is to persist and
generate access tokens. Additionally, as noted above,
AuthorizationCodeDataProvider needs to persist and remove the code grant
registrations. The way it's done is really application-specific. Consider
starting with a basic memory based implementation and then move on to keeping
the data in some DB.</p><p>Note that OAuthDataProvider supports retrieving <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java";>Client</a>
instances but it has no methods for creating or removing Clients. The reason
for it is that the process of registering third-party clients is very specific
to a particular OAuth2 application, so CXF does not offer a registration
support service and hence OAuthDataProvider has no Client create/update me
thods. You will likely need to do something like this:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="theme: Default; brush: java; gutter: false"
type="syntaxhighlighter"><![CDATA[public class CustomOAuthProvider implements
OAuthDataProvider {
public Client registerClient(String applicationName, String applicationURI,
...) {}
public void removeClient(String cliendId) {}
@@ -601,7 +601,7 @@ try {
<property name="writeCustomErrors" value="true"/>
</bean>
]]></script>
-</div></div><h1 id="JAX-RSOAuth2-Designconsiderations">Design
considerations</h1><p>This section will talk about various design
considerations one need to take into account when deploying OAuth-based
solutions.</p><h2
id="JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access
to Resource Server</h2><p>One of the most important issues one need to resolve
is how to partition a URI space of the resource server application.</p><p>We
have two different parties trying to access it, the end users which access the
resource server to get to the resources which they own and 3rd party clients
which have been authorized by the end users to access some of their
resources.</p><p>In the former case the way the authentication is managed is
completely up to the resource server application: basic authentication, two-way
TLS, OpenId (more on it below), you name it.</p><p>In the latter case an OAuth
filter must enforce that the 3rd party client has been registered using the
provided
client key and that it has a valid access token which represents the end
user's approval.</p><p>Letting both parties access the resource server via the
same URI(s) complicates the life for the security filters but all the parties
are only aware of the single resource server URI which all of them will
use.</p><p>Providing different access points to end users and clients may
significantly simplify the authentication process - the possible downside is
that multiple access points need to be maintained by the resource
server.</p><p>Both options are discussed next.</p><h3
id="JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the
same access path between end users and clients</h3><p>The first problem which
needs to be addressed is how to distinguish end users from third-party clients
and get both parties authenticated as required.<br clear="none"> Perhaps the
simplest option is to extend a CXF OAuth2 filter (JAX-RS or servlet one), check
Authorization header, if it is
OAuth2 then delegate to the superclass, alternatively - proceed with
authenticating the end users:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><h1 id="JAX-RSOAuth2-OAuth2andJOSE">OAuth2 and
JOSE</h1><p>TODO</p><h1 id="JAX-RSOAuth2-Designconsiderations">Design
considerations</h1><p>This section will talk about various design
considerations one need to take into account when deploying OAuth-based
solutions.</p><h2
id="JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access
to Resource Server</h2><p>One of the most important issues one need to resolve
is how to partition a URI space of the resource server application.</p><p>We
have two different parties trying to access it, the end users which access the
resource server to get to the resources which they own and 3rd party clients
which have been authorized by the end users to access some of their
resources.</p><p>In the former case the way the authentication is managed is
completely up to the resource server application: basic authentication, two-way
TLS, OpenId (more on it below), you name it.</p><p>In the latter case an OAuth
filter must enforc
e that the 3rd party client has been registered using the provided client key
and that it has a valid access token which represents the end user's
approval.</p><p>Letting both parties access the resource server via the same
URI(s) complicates the life for the security filters but all the parties are
only aware of the single resource server URI which all of them will
use.</p><p>Providing different access points to end users and clients may
significantly simplify the authentication process - the possible downside is
that multiple access points need to be maintained by the resource
server.</p><p>Both options are discussed next.</p><h3
id="JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the
same access path between end users and clients</h3><p>The first problem which
needs to be addressed is how to distinguish end users from third-party clients
and get both parties authenticated as required.<br clear="none"> Perhaps the
simplest option is to extend a CXF OAuth2 f
ilter (JAX-RS or servlet one), check Authorization header, if it is OAuth2
then delegate to the superclass, alternatively - proceed with authenticating
the end users:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<script class="theme: Default; brush: java; gutter: false"
type="syntaxhighlighter"><