Hi
On 25/03/14 10:50, Peter De Winter wrote:
Hello,

Looking at the current implementation we have noticed there are multiple
checks happening on audiences when handling a token request. One of the checks
raises some questions for us. The handleTokenRequest method in
AccessTokenService has a check being done on the presence of the audience
passed through the request in a pre-populated List property of the
AccessTokenService. The way we go about this is to fill the List of
audiences in the Spring bean configuration. This however makes the list
fairly static. Wouldn't it make more sense to add an implementable method in
OAuthDataProvider to fetch a list of "active" audiences by consulting the
clients?

This AccessTokenService property represents a list of audiences known to this specific service instance. Each Client may have its own unique audience value and AccessTokenService may validate it.

But note, having AccessTokenService validate it is optional. If the list is empty the validation at this level is skipped; it is there simply to minimize the amount of OAuth2-related work the actual providers have to do, the idea is for them to focus on the data storage activities... But you can defer the validation and let the provider do it, the audience property is passed along with the AccessTokenRegistration bean.

HTH, Sergey


@Path("/token")
public class AccessTokenService extends AbstractTokenService {
    private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
    // populated from the Spring bean configuration; an empty list means the
    // service-level audience check is skipped
    private List<String> audiences = new LinkedList<String>();

    ...

    @POST
    @Consumes("application/x-www-form-urlencoded")
    @Produces("application/json")
    public Response handleTokenRequest(MultivaluedMap<String, String> params) {

        ...

        // the audience parameter of the request is checked against the
        // static list above before the grant handler is consulted
        try {
            checkAudience(params);
        } catch (OAuthServiceException ex) {
            return super.createErrorResponseFromBean(ex.getError());
        }

Thanks,

Peter






--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
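The deferred variant Sergey describes, validating the requested audience against the client's own registration from inside the OAuthDataProvider instead of the static bean list, as an added example that is not CXF code or anything from the thread. It assumes the accessors Client#getRegisteredAudiences(), AccessTokenRegistration#getClient() and AccessTokenRegistration#getAudiences() (present in CXF 3.x; older releases carried a single String audience), and the class name ClientAudienceCheck is hypothetical.

```java
// Added example, not part of Apache CXF: audience validation performed by the
// data provider rather than by the AccessTokenService bean property.
// Assumed accessors: Client#getRegisteredAudiences(),
// AccessTokenRegistration#getClient(), AccessTokenRegistration#getAudiences().
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

public final class ClientAudienceCheck {

    private ClientAudienceCheck() {
    }

    /**
     * Returns the audiences a token may be bound to for this registration,
     * or throws an OAuthServiceException whose OAuthError the token service
     * turns into a standard error response (see createErrorResponseFromBean).
     */
    public static List<String> audiencesFor(AccessTokenRegistration reg) {
        return validate(reg.getClient(), reg.getAudiences());
    }

    /**
     * Policy implemented here (a choice for this example, not a CXF rule):
     *  - every audience named in the request must be registered for the client;
     *  - a client with no registered audiences cannot be granted one;
     *  - a request that names no audience is bound to all registered ones,
     *    so an issued token is never audience-less for a client that has them.
     */
    public static List<String> validate(Client client, List<String> requested) {
        List<String> registered = client.getRegisteredAudiences(); // assumed accessor
        if (registered == null) {
            registered = Collections.emptyList();
        }
        if (requested == null || requested.isEmpty()) {
            return new ArrayList<String>(registered);
        }
        if (registered.isEmpty()) {
            throw invalid("client " + client.getClientId() + " has no registered audiences");
        }
        for (String aud : requested) {
            if (aud == null || aud.trim().isEmpty() || !registered.contains(aud)) {
                throw invalid("audience not registered for client " + client.getClientId());
            }
        }
        return new ArrayList<String>(requested);
    }

    // invalid_request is the error code the token endpoint reports for a bad
    // audience parameter; the description stays generic so the response does
    // not enumerate the client's registered audiences.
    private static OAuthServiceException invalid(String logDetail) {
        // logDetail is meant for the server log, not for the client
        return new OAuthServiceException(
            new OAuthError(OAuthConstants.INVALID_REQUEST, "unsupported audience"));
    }
}
```

To use this, leave the AccessTokenService "audiences" bean property empty (so the service-level check is skipped, as the reply notes), call ClientAudienceCheck.audiencesFor(reg) at the start of your provider's createAccessToken(AccessTokenRegistration), and record the returned list on the ServerAccessToken you persist; the list then reflects whatever the client registry holds at request time rather than a fixed Spring configuration.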
