Hi
On 18/07/13 05:29, Nishantha Pradeep wrote:
Hi Sergey
One last question.
As I know CXF support JAX-WS and JAX-RS service creation. What I want is to
run an OAuth2 authorization server which can be used to authorize clients
developed using other technologies
Sure, the client does not have to be written in Java or run on a PC, etc.
(the services that require authorization are also
independent APIs deployed somewhere else).
You mean you expect the AS not to be collocated with the RS? Yes, use
AccessTokenValidator. CXF ships HTTP-based (can be switched to JMS if
needed) AccessTokenValidator support, but you can have your custom
AccessTokenValidator implementation optimized around using some remote
technology that is more effective in your case to validate tokens with a
remote AS.
Is it OK to use CXF as a
production-grade OAuth2 authorization server?
I think I can recommend writing a simple OAuth2 AS (along the lines
documented at the wiki), see also this demo:
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2
and then make a decision on whether you think it can be made to meet
your higher-level requirements. Please also check Apache Oltu.
Now if we talk about the production grade AS then we may also want to
talk about SSO. The demo I linked to uses SAML Web SSO (see sso-saml
subsection). We don't have any story yet about integrating with
OpenId-Connect flows - SAML-based SSO should work well for a while
because there are many existing SAML IDPs around still, but having an
OpenId-Connect + JWT supported is important - we will deal with it a bit
later.
HTH, Sergey
Thanks
Nishantha
On Wed, Jul 17, 2013 at 8:52 PM, Sergey Beryozkin <[email protected]> wrote:
Hi
On 17/07/13 16:05, Nishantha Pradeep wrote:
Hi Sergey
Using JWT is not mandatory for my work. But does CXF support using a
customized token type?
Check http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-CustomandEncryptedtokens,
I think this section needs to be expanded.
So you need to extend
http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
and get your data provider to return your custom token instance when
requested.
You will then need to register AccessTokenValidator:
http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenValidator.java
with OAuthRequestFilter.
If your resource server and authorization server are not collocated (most
likely not) then register your custom validator with
AccessTokenValidatorService, you can find some info here:
http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters
In addition, can CXF be used as an independent OAuth2 authorization server?
Do you mean can it be used to implement support for a flow like
authorization code flow, and get the grants replaced for tokens? Yes,
please check the wiki, it has a dedicated section about it.
Cheers, Sergey
Thanks
Nishantha
On Wed, Jul 17, 2013 at 5:06 PM, Sergey Beryozkin <[email protected]> wrote:
Hi
On 17/07/13 11:13, Nishantha Pradeep wrote:
Hi
I would like to know whether CXF supports OAuth2 and whether it uses JSON
web tokens?
See
http://cxf.apache.org/docs/jax-rs-oauth2.html
Re JWT - CXF does not offer any built-in support for JWT yet.
What needs to be decided is whether we should reuse some 3rd-party
libraries for it or do basic JWT support locally.
Is using JWT important for your case ?
Sergey
Thanks
Nishantha