On 11/14/2011 09:50 AM, Sergey Beryozkin wrote:
On 14/11/11 13:40, ramesh wrote:
I was wondering if it is possible to implement *OAuth 2.0 username and
password flow* *styled* security using the new CXF 2.5.0 OAuth
implementation.
If yes what would be the flow with OAuth ?
I'm presuming you are referring to this OAuth 2.0 authorization grant
type:
http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.3.4
The closest we can offer as part of our OAuth 1.0 impl is this:
http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-2legOAuthFlow
Note, in OAuth 2.0 the id+password pair gets exchanged for an access
token first which at the surface at least appears to be a redundant
operation given that the end user has already authorized the
third-party apps to access some given resources without the explicit
authorization, so one extra call for a 3rd party consumer. Maybe they
did it for OAuth filters to always expect an access token and also
manage the refresh tokens, they must've had a good reason for that...
We can easily update AuthorizationRequestService impl to issue Access
tokens in such cases in scope of OAuth 1.0, though it does seem
redundant in scope of 1.0
Sergey
regards
Ramesh
Thanks Sergey,
I was thinking the grant type in section 1.3.4 was a better approach
because we are only focusing on few trusted clients. But now I get the
point.
Two-legged OAuth 1.0 flow provided should be the right approach.
regards,
Ramesh
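The OAuth 2.0 password grant Sergey describes above (the owner's id+password are exchanged once for an access token, after which the client presents the access token and renews it with the refresh token) as an added toy example in Python; this is not code from the thread or from CXF, and the client id, secret, owner and password are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

class PasswordGrantServer:
    """Toy OAuth 2.0 'password' grant token endpoint plus bearer check.
    Constructed for illustration; not CXF's implementation."""

    def __init__(self, clock=time.time, ttl=300):
        self.clock, self.ttl = clock, ttl
        # Constructed sample data: one trusted client, one resource owner.
        self.clients = {"trusted-app": "s3cret"}
        self.owners = {"alice": hashlib.sha256(b"correct horse").digest()}
        self.access = {}   # access token -> (owner, client_id, expiry)
        self.refresh = {}  # refresh token -> (owner, client_id)

    def _client_ok(self, cid, secret):
        return cid in self.clients and hmac.compare_digest(self.clients[cid], secret)

    def _issue(self, owner, cid):
        # Opaque random tokens; the refresh token renews access without
        # the client ever re-sending the owner's password.
        a, r = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[a] = (owner, cid, self.clock() + self.ttl)
        self.refresh[r] = (owner, cid)
        return {"access_token": a, "token_type": "Bearer",
                "expires_in": self.ttl, "refresh_token": r}

    def token(self, grant_type, cid, secret, **params):
        """Token endpoint: owner credentials or refresh token -> access token."""
        if not self._client_ok(cid, secret):
            return {"error": "invalid_client"}
        if grant_type == "password":
            user = params.get("username", "")
            given = hashlib.sha256(params.get("password", "").encode()).digest()
            if user not in self.owners or not hmac.compare_digest(self.owners[user], given):
                return {"error": "invalid_grant"}
            return self._issue(user, cid)
        if grant_type == "refresh_token":
            bound = self.refresh.pop(params.get("refresh_token", ""), None)  # rotate
            if bound is None or bound[1] != cid:
                return {"error": "invalid_grant"}
            return self._issue(bound[0], cid)
        return {"error": "unsupported_grant_type"}

    def check_bearer(self, authorization):
        """Resource server: owner for a valid unexpired Bearer header, else None."""
        scheme, _, tok = authorization.partition(" ")
        rec = self.access.get(tok) if scheme == "Bearer" else None
        return None if rec is None or rec[2] <= self.clock() else rec[0]
```

The password only travels in the first call; every later request carries a short-lived opaque token, and a used refresh token is rotated out so a replayed one is rejected.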