Hi Jordi
On 16/04/12 13:52, jordi wrote:
Hi Sergey,
As I detailed in the first post, if I use *oauth-20100527.jar* and
cxf-rt-rs-security-oauth-2.5.2.jar to run an OAuth web client that looks
like:

        WebClient rts = WebClient.create("http://localhost:8080/services/oauth/initiate");
        rts.accept("application/x-www-form-urlencoded;q=0.9,*/*;q=0.8");
        Consumer consumer = new Consumer(aConsumerKey, aSecretKey);
        URI callback = new URI("http://localhost:8080/dummyclient/callback");

        // CXF extra parameters
        Map<String, String> extra = new HashMap<String, String>();
        extra.put("x_oauth_uri", "business/listdocs");
        extra.put("x_oauth_scope", "read_profile");
        extra.put("state", "intercepted");

        Token requestToken = OAuthClientUtils.getRequestToken(rts, consumer, callback, extra);

I receive an error message from the server side (OAuth server), informing me
about an error during signature verification. I've found that the x_oauth_uri,
x_oauth_scope, and state headers are used on the client side to compute the
oauth signature but unfortunately they are not sent to the server.


This is the code that works for me in the OAuth 1.0 demo:

public Token getRequestToken(URI callback, ReservationRequest request) {
    Map<String, String> extraParams = new HashMap<String, String>();
    extraParams.put(org.apache.cxf.rs.security.oauth.utils.OAuthConstants.X_OAUTH_SCOPE,
                    OAuthConstants.UPDATE_CALENDAR_SCOPE + request.getHour());

    return OAuthClientUtils.getRequestToken(requestTokenService, consumer, callback, extraParams);
}

Note, the actual X_OAUTH_SCOPE value has been changed internally to 'scope', for it to match the value of the standard OAuth2 parameter.

x_oauth_uri has been dropped altogether. This restriction can still be enforced on the server side, but I thought it was not something the client needed to worry about: it knows the URI of the protected resource, which is enough; the server can still extra-protect from this URI getting some child subresources when applicable, etc.

Cheers, Sergey


Thank you very much, cheers
Jordi

--
View this message in context: 
http://cxf.547215.n5.nabble.com/Re-jira-Resolved-CXF-4051-Custom-OAuth-scopes-are-not-supported-tp5643475p5643702.html
Sent from the cxf-user mailing list archive at Nabble.com.


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
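
Added example, not part of the original thread and not CXF code: the failure mode described in the quoted message, where parameters go into the client's OAuth 1.0 signature base string but are not transmitted, reproduced with JDK classes only (Java 10+). The class name, the POST method, and the key, secret, nonce and timestamp values are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.stream.Collectors;

public class SignedParamMismatch {
    // RFC 5849 percent-encoding: URLEncoder output plus the fix-ups it needs.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // HMAC-SHA1 over METHOD&url&sorted-params; the token secret is empty at the request-token step.
    static String sign(String url, Map<String, String> params, String consumerSecret) throws Exception {
        Map<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> sorted.put(enc(k), enc(v)));
        String normalized = sorted.entrySet().stream()
                .map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&"));
        String base = "POST&" + enc(url) + "&" + enc(normalized);
        byte[] key = (enc(consumerSecret) + "&").getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    // Server-side check: recompute from the parameters that actually arrived, compare in constant time.
    static boolean verify(String url, Map<String, String> received, String secret, String sig) throws Exception {
        return MessageDigest.isEqual(sign(url, received, secret).getBytes(StandardCharsets.UTF_8),
                sig.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String url = "http://localhost:8080/services/oauth/initiate";
        String secret = "constructed-secret";              // constructed sample value
        Map<String, String> oauth = new HashMap<>();       // constructed sample values
        oauth.put("oauth_consumer_key", "constructed-key");
        oauth.put("oauth_signature_method", "HMAC-SHA1");
        oauth.put("oauth_timestamp", "1334580720");
        oauth.put("oauth_nonce", "constructed-nonce");
        oauth.put("oauth_callback", "http://localhost:8080/dummyclient/callback");
        Map<String, String> signed = new HashMap<>(oauth); // the client signs these three as well
        signed.put("x_oauth_uri", "business/listdocs");
        signed.put("x_oauth_scope", "read_profile");
        signed.put("state", "intercepted");
        String sig = sign(url, signed, secret);
        System.out.println("extras signed but not sent: " + verify(url, oauth, secret, sig));
        System.out.println("extras signed and sent:     " + verify(url, signed, secret, sig));
    }
}
```

When a server reports a signature verification error, logging the base string on both sides and diffing the two is usually the quickest way to see which parameter went missing in transit.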
