Hello,

Looking at the current implementation, we have noticed there are multiple
checks happening on audiences when handling a token request. One of the checks
raises some questions for us. The handleTokenRequest method in
AccessTokenService has a check being done on the presence of the audience
passed through the request in a pre-populated List property of the
AccessTokenService. The way we go about this is to fill the List of
audiences in the Spring bean configuration. This, however, makes the list
fairly static. Wouldn't it make more sense to add an implementable method in
OAuthDataProvider to fetch a list of "active" audiences by consulting the
clients?

    @Path("/token")
    public class AccessTokenService extends AbstractTokenService {
        private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
        private List<String> audiences = new LinkedList<String>();
        ...
        @POST
        @Consumes("application/x-www-form-urlencoded")
        @Produces("application/json")
        public Response handleTokenRequest(MultivaluedMap<String, String> params) {
            ...
            try {
                checkAudience(params);
            } catch (OAuthServiceException ex) {
                return super.createErrorResponseFromBean(ex.getError());
            }

Thanks,
Peter
--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-JAX-RS-OAUTH2-audiences-why-bean-property-based-check-in-handleTokenRequest-tp5741813.html
Sent from the cxf-user mailing list archive at Nabble.com.
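
Added example (not part of the original message and not CXF code): a self-contained Java sketch contrasting an audience list fixed at configuration time with one derived from the client store on each check, as the question proposes. The types RegisteredClient, ClientRegistry and AudienceValidator and the sample URLs are hypothetical.

```java
import java.util.*;
import java.util.function.Supplier;

// Hypothetical types for illustration only; none of these are CXF classes.
public class AudienceCheckExample {

    // Stand-in for a registered OAuth2 client and the audiences it may request.
    record RegisteredClient(String id, boolean active, Set<String> audiences) {}

    // Stand-in for a data-provider style lookup backed by the client store.
    interface ClientRegistry { Collection<RegisteredClient> clients(); }

    // Checks a requested audience against whatever the supplier returns at call time.
    static final class AudienceValidator {
        private final Supplier<Set<String>> allowed;
        AudienceValidator(Supplier<Set<String>> allowed) { this.allowed = allowed; }

        boolean isAllowed(String requested) {
            // Fail closed: a missing or blank audience is rejected, never defaulted.
            if (requested == null || requested.isBlank()) return false;
            return allowed.get().contains(requested);
        }
    }

    // Static variant: the set is frozen when the service is configured.
    static AudienceValidator fromStaticList(List<String> configured) {
        Set<String> snapshot = Set.copyOf(configured);
        return new AudienceValidator(() -> snapshot);
    }

    // Dynamic variant: audiences are collected from active clients on every check.
    static AudienceValidator fromRegistry(ClientRegistry registry) {
        return new AudienceValidator(() -> {
            Set<String> active = new HashSet<>();
            for (RegisteredClient c : registry.clients()) {
                if (c.active()) active.addAll(c.audiences());
            }
            return active;
        });
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<RegisteredClient> store = new ArrayList<>();
        store.add(new RegisteredClient("c1", true, Set.of("https://api.example.test/orders")));
        AudienceValidator fixed = fromStaticList(List.of("https://api.example.test/orders"));
        AudienceValidator live = fromRegistry(() -> store);
        // A client registered after startup is visible only to the dynamic check.
        store.add(new RegisteredClient("c2", true, Set.of("https://api.example.test/billing")));
        System.out.println("static:  " + fixed.isAllowed("https://api.example.test/billing"));
        System.out.println("dynamic: " + live.isAllowed("https://api.example.test/billing"));
    }
}
```

With the dynamic variant, deactivating a client also withdraws its audiences at the next check, whereas the static list accepts them until the configuration is changed.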