On 21/08/12 17:13, mayankeagle wrote:
I got it to work, thanks for your help. I will try with 2.6.2 also.

Very good, thanks for the confirmation.

I need your recommendation on some points:

* I had the OAuthFilter also trapping requests to the request token service,
authorization service and access token service - that is why the signature
validation was being done in the authorization process too; it was the
filter that was doing it. Do you recommend this configuration? Or should the
filter only trap the requests to the business REST services that I have
written?

The filter has been written with the assumption that it is going to protect the business services.

When we have an authorization request, the typical immediate client is actually a user which is being redirected by a 3rd party client, and I guess it has to be the same in case of the 'implicit' flow which is how you do it, with the script doing the work, so it is the end user that has to authenticate at this stage - for the end user credentials captured and linked to from the request (and later) access token


* When I had the filter trapping the access token requests, at one point of
time I had the filter allowing the signature and I had the access token
service denying the signature. That seemed strange. Any idea why this would
be happening?

Perhaps some of the request parameters could be read only once, maybe the (google) library has something to do with that, so the 2nd signature calculation was failing...


* Is the documentation at the Apache site updated with whatever changes are
there in 2.6.2 with respect to HTTP requests/ responses and XML
configurations?

2.6.2 has the following OAuth 1.0 updates (all thanks to Evgeni Kisel):
- oob support
- nonce + timestamp validation (in memory by default but can be customized)
- better error reporting

All of the above has been documented

Cheers, Sergey

Thanks.



--
View this message in context: 
http://cxf.547215.n5.nabble.com/OAuth-1-0-in-Apache-CXF-tp5712720p5712888.html
Sent from the cxf-user mailing list archive at Nabble.com.
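
The nonce + timestamp validation listed among the 2.6.2 updates above, sketched as an added example that is not part of the original thread and is not CXF's implementation. The class name, method signature and sample values are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not CXF code: all names here are hypothetical.
public class InMemoryNonceCheck {
    private final long windowSeconds;
    // (consumer key, token, timestamp, nonce) -> timestamp in seconds
    private final Map<List<String>, Long> seen = new ConcurrentHashMap<>();

    public InMemoryNonceCheck(long windowSeconds) {
        this.windowSeconds = windowSeconds;
    }

    /** True only if the timestamp is inside the window and the nonce is unused. */
    public boolean accept(String consumerKey, String token,
                          long timestamp, String nonce, long now) {
        if (consumerKey == null || nonce == null || nonce.isEmpty()) {
            return false;
        }
        if (Math.abs(now - timestamp) > windowSeconds) {
            return false; // stale or far-future timestamp
        }
        // Entries older than the window can no longer be replayed: drop them.
        seen.values().removeIf(ts -> now - ts > windowSeconds);
        // The token is absent on request-token calls, so map null to "".
        List<String> key = Arrays.asList(consumerKey, token == null ? "" : token,
                                         Long.toString(timestamp), nonce);
        // putIfAbsent is atomic: only the first caller with this key gets null.
        return seen.putIfAbsent(key, timestamp) == null;
    }

    public static void main(String[] args) {
        InMemoryNonceCheck check = new InMemoryNonceCheck(300);
        long now = 1345565580L; // constructed sample values throughout
        System.out.println(check.accept("consumer-1", "token-1", now, "n-1", now));
        System.out.println(check.accept("consumer-1", "token-1", now, "n-1", now + 5));
        System.out.println(check.accept("consumer-1", "token-1", now - 900, "n-2", now));
    }
}
```

In `main`, the second call repeats the first request's nonce and is refused, and the third falls outside the 300-second window. A check like this has to see each request exactly once, because a second pass over the same request is indistinguishable from a replay.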
