Hi Thorsten,
thanks for the valuable feedback.
On 08/10/12 14:34, Thorsten Höger wrote:
> Hi,
> after using the OAuth 2.0 implementation for a while now I wanted to
> give some feedback.
> In general I really like the implementation and it works very well.
> The support for ResourceOwnerAuth and the RefreshToken is very nice.
> There are only two features I was missing:
> 1) In the AuthorizationCodeGrantService there are two private methods
> using sessions to store and retrieve the sessionAuthenticityToken. It
> would be nice to be able to change the storage.
> I had to create a deep copy of this class to use some other session store.
Yes, please provide a patch if you can. I guess we can also consider
introducing a simple interface for keeping the user session token; the
runtime will delegate to it if a custom implementation has been registered.
> 2) I found no way to get the Bearer token and the authorized client via
> the injected MessageContext. I copied the OAuthRequestFilter and put the
> AccessTokenValidation into the message, which worked perfectly. Maybe
> this could be done by default.
What exactly do you need from the token? The filter does

    m.setContent(OAuthContext.class,
                 new OAuthContext(accessTokenV.getTokenSubject(),
                                  matchingPermissions,
                                  accessTokenV.getTokenGrantType()));

so messageContext.getContext(OAuthContext.class) will return it, with
accessTokenV.getTokenSubject() representing the authenticated client and
accessTokenV.getTokenGrantType() the grant type.
I guess all of the token can be made available on the current message, but
I was not sure how much more of the token details the application code
may need to know...
Cheers, Sergey
> Regards,
> Thorsten Höger
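The retrieval Sergey describes, written out as an added example of a protected JAX-RS resource that reads the OAuthContext which OAuthRequestFilter placed on the message. This is illustrative code, not part of the thread or of CXF itself. It assumes the accessor names getSubject(), getPermissions() and getTokenGrantType() on OAuthContext, getLogin() on UserSubject and getPermission() on OAuthPermission, and the grant-type string "client_credentials" from RFC 6749; the resource path and the "account:write" scope are hypothetical and should be checked against the CXF version in use.

```java
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;

// Hypothetical protected resource deployed behind OAuthRequestFilter.
@Path("/account")
public class AccountResource {

    // Injected per request by the CXF JAX-RS runtime.
    @Context
    private MessageContext mc;

    @GET
    @Produces("text/plain")
    public String whoAmI() {
        OAuthContext oauth = requireOAuthContext(mc);
        // Assumed getter names; verify against the OAuthContext class in your CXF version.
        UserSubject subject = oauth.getSubject();
        StringBuilder sb = new StringBuilder();
        sb.append("subject=").append(subject.getLogin()).append('\n');
        sb.append("grant=").append(oauth.getTokenGrantType()).append('\n');
        for (OAuthPermission p : oauth.getPermissions()) {
            sb.append("scope=").append(p.getPermission()).append('\n');
        }
        return sb.toString();
    }

    @DELETE
    @Path("/data")
    public Response deleteData() {
        OAuthContext oauth = requireOAuthContext(mc);
        // Hypothetical scope name; the filter already matched the token's
        // permissions against URI and verb, this is an application-level check.
        requireScope(oauth, "account:write");
        // A client_credentials token has no resource owner behind it, so refuse
        // to act on user data with it (grant-type string from RFC 6749).
        if ("client_credentials".equals(oauth.getTokenGrantType())) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        // ... delete the caller's data here ...
        return Response.noContent().build();
    }

    // Returns the OAuthContext the filter stored, or fails with 401 when it is
    // absent (filter not installed, or no validated Bearer token on this request).
    static OAuthContext requireOAuthContext(MessageContext mc) {
        OAuthContext oauth = mc.getContext(OAuthContext.class);
        if (oauth == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        return oauth;
    }

    // Fails with 403 unless the token carries the named scope.
    static void requireScope(OAuthContext oauth, String scope) {
        for (OAuthPermission p : oauth.getPermissions()) {
            if (scope.equals(p.getPermission())) {
                return;
            }
        }
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }
}
```

The null check matters: if the filter is ever left out of the provider list, the resource should fail closed with 401 rather than treat a missing context as anonymous access.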