On 14/11/11 13:40, ramesh wrote:
> I was wondering if it is possible to implement *OAuth 2.0 username and
> password flow* *styled* security using the new CXF 2.5.0 OAuth
> implementation.
> If yes what would be the flow with OAuth ?

I'm presuming you are referring to this OAuth 2.0 authorization grant type:
http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.3.4

The closest we can offer as part of our OAuth 1.0 impl is this:
http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-2legOAuthFlow

Note, in OAuth 2.0 the id+password pair gets exchanged for an access
token first which at the surface at least appears to be a redundant
operation given that the end user has already authorized the third-party
apps to access some given resources without the explicit authorization,
so one extra call for a 3rd party consumer. Maybe they did it for OAuth
filters to always expect an access token and also manage the refresh
tokens, they must've had a good reason for that...

We can easily update AuthorizationRequestService impl to issue Access
tokens in such cases in scope of OAuth 1.0, though it does seem
redundant in scope of 1.0.

Sergey

> regards
> Ramesh
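
The exchange discussed in the reply above (id+password traded once for an access token, with the resource filter accepting only that token), as an added example that is not part of the original thread and is not CXF code. The function names, the sample user and the sample client are constructed for illustration; the error codes follow the OAuth 2.0 draft linked in the reply.

```python
import hashlib, hmac, secrets, time

def _hash(password, salt=b"constructed-salt"):
    # Fixed salt only to keep the demo short; use a per-user random salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (assumptions, not from the thread).
USERS = {"alice": _hash("wonderland")}      # resource owner
CLIENTS = {"printshop": "client-secret"}    # registered third-party consumer
TOKENS = {}  # access token -> (username, scope, expiry in epoch seconds)

def token_endpoint(client_id, client_secret, form, now=None):
    """Handle a grant_type=password token request; return (status, body)."""
    now = time.time() if now is None else now
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if "username" not in form or "password" not in form:
        return 400, {"error": "invalid_request"}
    stored = USERS.get(form["username"], b"")
    if not hmac.compare_digest(stored, _hash(form["password"])):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (form["username"], form.get("scope", ""), now + 3600)
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": 3600}

def resource_filter(authorization_header, now=None):
    """Accept only a valid, unexpired bearer token; return the username or None."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer":
        return None  # the id+password pair is never accepted at the resource itself
    entry = TOKENS.get(token)
    if entry is None or entry[2] <= now:
        return None  # unknown or expired token
    return entry[0]

if __name__ == "__main__":
    status, body = token_endpoint("printshop", "client-secret", {
        "grant_type": "password", "username": "alice", "password": "wonderland"})
    print(status, resource_filter("Bearer " + body["access_token"]))
```

The password crosses the wire once, at the token endpoint; every later call carries only a short-lived token that can expire or be revoked without changing the user's password.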