Hi Sergey,

Actually I'm referring to OAuth 2. Requirements are the following:

I have a client application C that must invoke remote WS "on behalf of" a specific user (the resource owner). The remote WS endpoints are served by the resource server (powered by CXF). I would like to apply the OAuth flow to let C consume the remote WS on behalf of User: here I would use "user/C" key material to establish interaction 1 and "C/WS Server" key material to establish interaction 2. ACTION in interaction 1 could be a selection in a Graphic User Interface. C should present the WS Server with an appropriate access token that grants him access to the requested resource. I'm still defining the nature of this access token: as far as I understand, a bearer token would be perfectly ok.

The points for me to understand here are:

- To what extent CXF can help me when dealing with access token management and authorization grants (access token generation, access token expiration, renewal, withdrawal of authorization grants, etc.)
- How to interact with CXF during grants and tokens validation (something like interceptors)
- The Authorization Code flow as described at paragraph 1.3.1 in rfc6749 seems hard to implement in the SOAP world: what is the best way to establish an Authorization Code for C and generate access tokens in the SOAP paradigm?

I understand that this latter point has nothing to do with CXF and for sure requires some further investigation on my side. Nevertheless, it would be very interesting to know how the CXF team is planning to implement this aspect :)

I hope this clarifies the context. By the way, the reason why I want to use OAuth here is that I have also RESTful endpoints and I would like to adopt a sort of "uniform authorization scheme" across all e.p. (both SOAP and REST).

Thank you
-----
matteo

--
View this message in context: http://cxf.547215.n5.nabble.com/SOAP-OAuth-in-CXF-2-7-tp5723286p5723330.html
Sent from the cxf-user mailing list archive at Nabble.com.
