Hi Sergey.


Thanks for the reply.



Unfortunately I am unable to construct a working cxf-tree-objects to perform a 
call for the 2-legged OAuth protocol.



The classes I have located are:

- WebClient
- OAuthClientUtils
- AccessTokenService
- AccessTokenGrant
- Consumer
- ResourceOwnerGrantHandler
- ResourceOwnerLoginHandler





Could you send an example implementation that would be able to invoke a login 
endpoint supplying the following text in the body part of the HTTP POST request?

(PASSWORD GRANT so no user-direct authorization is required)



grant_type=password&client_id=XXX&client_secret=YYY&username=ZZZ&password=KKK



This could be also helpful for many people looking for it 
(http://stackoverflow.com/questions/13793395/cxf-2-legged-oauth-example)!



Thanks,

Andrea





Andrea Messina

Blue Reply
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
[email protected]
www.reply.it



-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]]
Sent: Thursday, 12 September 2013 22:21
To: [email protected]
Cc: Messina Andrea
Subject: Re: OAuth2 username-password flow with Apache CXF



Hi



Thanks for the query, forwarding to the users list.

On 12/09/13 18:37, Messina Andrea wrote:

> I'm looking for an example code written using Apache CXF WebClient API and
> requesting an access token using the "Password Access grant Type".
>
> The documentation
> (http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ClientCredentials)
> is really very poor about this subject.

Right, looking at it now, agree a bit more info should go into it. Basically, 
the idea is you just register an access token grant handler with 
AccessTokenService. The documentation focuses on the code flow and 
AccessTokenService tries to default to the code grant handler if no custom 
handlers have been registered, so I missed that no info is there at all on how 
the custom handlers can be added. It is really easy.



AccessTokenService has

    public void setGrantHandlers(List<AccessTokenGrantHandler> handlers);

and

    public void setGrantHandler(AccessTokenGrantHandler handler);

methods, so you set ResourceOwnerGrantHandler (not ClientCredentials which you 
linked to)



http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java



Note AccessTokenService will authenticate the client itself (using client_id 
and client_secret) and the handler will authenticate the resource owner, using 
ResourceOwnerLoginHandler.

Default ResourceOwnerLoginHandler implementation is JAAS based:



http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/JAASResourceOwnerLoginHandler.java



but you can implement your own logic.



Hope it helps



I'll work on improving the docs



Sergey







> The only input parameters are:
>
> 1) Login endpoint URI
> 2) client_id and client_secret
> 3) user_id and user_secret
>
> Thanks in advance, Andrea


> ________________________________
>
> --
> The information transmitted is intended for the person or entity to which it 
> is addressed and may contain confidential and/or privileged material. Any 
> review, retransmission, dissemination or other use of, or taking of any 
> action in reliance upon, this information by persons or entities other than 
> the intended recipient is prohibited. If you received this in error, please 
> contact the sender and delete the material from any computer.





--

Sergey Beryozkin



Talend Community Coders

http://coders.talend.com/



Blog: http://sberyozkin.blogspot.com
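
Added example (not part of the original messages and not CXF project code): one way to wire the ResourceOwnerGrantHandler registration described above on the server, together with a client call that sends the grant_type=password form from the question. It assumes CXF 2.7-era package names, the setDataProvider and setLoginHandler setters, and Consumer as a nested class of OAuthClientUtils (a top-level class in later releases); the class name PasswordGrantExample and its parameters are hypothetical.

```java
import java.util.Collections;

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrant;
import org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler;
import org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.services.AccessTokenService;

// Hypothetical class; API names assume a CXF 2.7-era cxf-rt-rs-security-oauth2.
public final class PasswordGrantExample {

    // Server side: register the password grant handler with AccessTokenService.
    // dataProvider and loginHandler are the application's own implementations.
    public static AccessTokenService tokenService(OAuthDataProvider dataProvider,
                                                  ResourceOwnerLoginHandler loginHandler) {
        ResourceOwnerGrantHandler handler = new ResourceOwnerGrantHandler();
        handler.setDataProvider(dataProvider);
        handler.setLoginHandler(loginHandler); // authenticates the resource owner

        AccessTokenService service = new AccessTokenService();
        service.setDataProvider(dataProvider); // used to authenticate the client
        service.setGrantHandlers(
            Collections.<AccessTokenGrantHandler>singletonList(handler));
        return service;
    }

    // Client side: POST grant_type=password plus client and user credentials.
    public static ClientAccessToken requestToken(String tokenUri,
                                                 String clientId, String clientSecret,
                                                 String username, String password) {
        // The form body carries two sets of secrets, so refuse plain HTTP.
        if (!tokenUri.startsWith("https://")) {
            throw new IllegalArgumentException("token endpoint must use https");
        }
        WebClient wc = WebClient.create(tokenUri);
        OAuthClientUtils.Consumer consumer =
            new OAuthClientUtils.Consumer(clientId, clientSecret);
        // false: send client_id/client_secret as form fields, not HTTP Basic
        return OAuthClientUtils.getAccessToken(
            wc, consumer, new ResourceOwnerGrant(username, password), false);
    }
}
```

The returned ClientAccessToken exposes the issued token through getTokenKey().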




