Author: buildbot
Date: Tue Sep 10 18:56:55 2019
New Revision: 1049922
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue Sep 10 18:56:55
2019
@@ -119,15 +119,15 @@ Apache CXF -- JAX-RS OAuth2
JAX-RS:
OAuth2/**/
+/*]]>*/
JAX-RS: OAuth2IntroductionMaven dependenciesClient
RegistrationDeveloping OAuth2 Servers
Authorization Service
How to create Authorization
ViewEndUser Name in
Authorization FormPublic Clients (Devices)
-OOB ResponseSecure code
acquisition with redirect URI
+OOB ResponsePKCE support
Form Post
Response Mode
AccessTokenService
Access Token Types
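Review bot: the table-of-contents entry renamed here, "Secure code acquisition with redirect URI" to "PKCE support", matches the new section heading in the body hunk below, so the navigation stays consistent with the text. The added `/*]]>*/` line is a CDATA closer inside the inline script block; confirm the matching `/*<![CDATA[*/` opener is present in the lines above this hunk, which are not shown, otherwise the closer is orphaned.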
@@ -226,7 +226,7 @@ Cookie=[JSESSIONID=1c289vha0cxfe],
GET
http://localhost:8080/services/social/authorize?client_id=mobileClientresponse_type=code
-Assuming the 'mobileClient' has been registered as public one
with no secret and the service has been set up to support such clients, the end
user will get a chance to authorize this client the same way it can do
confidential clients, and after this user gets back a code (delivered directly
in the response HTML page by default) the user will enter the code securely
into the device which will then replace it for a time-scoped access token by
contacting AccessTokenService.Secure code acquisition
with redirect URIThe following https://tools.ietf.org/html/draft-ietf-oauth-spop-15;
rel="nofollow">extension is supported to help public clients with redirect
URIs to accept the code securely.The public (mobile) client will include
a 'code_verifier' value when requesting the authorization code and it will be
saved by Authorization service, with the help
of the registered AuthorizationCodeDataProvider into an instance of
ServerAuthorizationCodeGrant. The client will next request a token providing
the 'code' and 'code_challenge' - the latter will be compared by
AuthorizationCodeGrantHandler with the original 'code_verifier'. By default,
the 'code_challenge' is expected to be equal to the original 'code_verifier',
but the grant handler can be registered with the custom
org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer - CXF
ships a DigestCodeVerifier which implements a transformation mentioned in the
extension.Form Post Response
Modehttp://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html;
rel="nofollow">Form Post Response Mode has been orinially introduced for
OpenId Connect but has been generally recomended recently as a possibly safer
option of returning OAuth2 Authorization Service response to the cli
ents. Starting from CXF 3.1.9, if a client sends a "response_mode=form_post"
parameter during the original redirect, CXF AuthorizationCodeService will
return https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java;
rel="nofollow">OOBAuthorizationResponse with its 'redirectUri' property
set - a JSP/etc handler will convert to an HTML form which will re-post the
data to the client callback address.AccessTokenServiceThe role of https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java;
rel="nofollow">AccessTokenService is to exchange a token grant for a new
access token which will be used by the client to access the end user's reso
urces. Here is an example request log:
+Assuming the 'mobileClient' has been registered as public one
with no secret and the service has been set up to support such clients, the end
user will get a chance to authorize this client the same way it can do
confidential clients, and after this user gets back a code (delivered directly
in the response HTML page by default) the user will enter the code securely
into the device which will then replace it for a time-scoped access token by
contacting AccessTokenService.PKCE
supportCXF supports https://tools.ietf.org/html/rfc7636; rel="nofollow">RFC-7636: Proof
Key for Code Exchange by OAuth Public Clients (PKCE).
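Review bot: the new "PKCE support" text drops the explanation of how CXF processes the verifier and challenge (AuthorizationCodeGrantHandler, the pluggable CodeVerifierTransformer and the shipped DigestCodeVerifier), and the description it removes had the parameter roles reversed relative to RFC 7636: the client sends `code_challenge` (with `code_challenge_method`) in the authorization request and `code_verifier` in the token request, and the server applies the transform to the verifier and compares the result with the stored challenge. Suggest restoring one corrected sentence along those lines so readers know which transformer to register, since the plain equality comparison the old text described as the default corresponds to the weaker `plain` method, and the digest (S256) transform is the one RFC 7636 recommends. Separately, the `+` line as shown ends at "(PKCE)." while the `-` line it replaces also carries the "Form Post Response Mode" and "AccessTokenService" sections; confirm those survive in the committed file, and fix "orinially" and "recomended" in that paragraph if it is carried over.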