Hi All,
I have developed a desktop application that uses the CXF JAX-RS implementation 
to access a secure resource protected by an OIDC relying party. Here are the 
requirements for the application:
1) On application installation the application starts a local web server, opens
   a browser, and redirects the user to the OIDC IDP for authentication using the
   OIDC authorization code flow.
2) After authentication the user is redirected back to the local web server and
   the application requests an access token and refresh token.
3) The refresh token is stored in a local persistence store.
4) The application attempts to access an OIDC relying party resource using the
   JAX-RS 2.0 Client API.
5) If an access token is unavailable or expired the application uses the cached
   refresh token to obtain a new one.
6) The access token is sent in the request as the Authorization header, the
   relying party validates the access token, and the request is serviced.
7) I do not want to use Spring in the application.
Previously I browsed the CXF source code and examples but I could not find 
exactly what I was looking for so I used the available utility classes to build 
my own implementation:
https://github.com/aaronanderson/meecrowave/blob/desktop/meecrowave-desktop/src/main/java/org/apache/meecrowave/desktop/auth/OAuth2WebAuthenticator.java

Now I would like to revisit my implementation and see if I can replace my 
custom code with more standard CXF functionality. I can now see that the 
big_query example uses the CXF specific WebClient class but this class 
implements the standard JAX-RS 2.0 Client interface. I also observed that the 
basic_oidc example illustrates how to use CXF to enable a web application as a 
relying party.
My questions for the group are:
1) Is it possible to reproduce the big_query functionality using only the
   standard JAX-RS Client and ClientBuilder API methods? Would I be able to
   register the CXF endpoint that processes the tokens as a simple servlet rather
   than a JAX-RS endpoint?
2) Can I reproduce the CXF configuration defined in the basic_oidc example
   without Spring?
3) In the CXF configuration can I define my own refresh token store and if so
   what interface does it need to implement? Searching through the CXF source
   code I see numerous examples of token persistence for the IDP feature but I
   couldn't identify how this could be leveraged for a relying party.
Thanks!

Aaron
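
The token handling in requirements 4 to 6 above, written against only the standard JAX-RS 2.0 client classes, as an added example that is not part of the original message and is neither CXF's code nor the poster's. The `RefreshTokenStore` interface, the token endpoint URL and the client id are hypothetical, and it assumes a JSON-P (`javax.json`) implementation is on the classpath and that the IDP accepts `client_id` as a form parameter for a public client.

```java
import java.io.IOException;
import java.io.StringReader;
import java.time.Instant;
import javax.json.Json;
import javax.json.JsonObject;
import javax.ws.rs.client.*;
import javax.ws.rs.core.*;

/** Adds a bearer token to each request, refreshing it first when missing or expired. */
public class BearerTokenFilter implements ClientRequestFilter {
    /** Hypothetical persistence hook for the cached refresh token (requirement 3). */
    public interface RefreshTokenStore { String load(); void save(String refreshToken); }

    private final String tokenEndpoint; // assumed: the IDP's token endpoint URL
    private final String clientId;      // assumed: the client id registered with the IDP
    private final RefreshTokenStore store;
    private String accessToken;
    private Instant expiresAt = Instant.EPOCH;

    public BearerTokenFilter(String tokenEndpoint, String clientId, RefreshTokenStore store) {
        this.tokenEndpoint = tokenEndpoint; this.clientId = clientId; this.store = store;
    }

    @Override
    public synchronized void filter(ClientRequestContext ctx) throws IOException {
        // Refresh 30 s early so the token does not expire while the request is in flight.
        if (accessToken == null || Instant.now().isAfter(expiresAt.minusSeconds(30))) refresh();
        ctx.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken);
    }

    private void refresh() throws IOException {
        String refreshToken = store.load();
        if (refreshToken == null) throw new IOException("no refresh token; interactive login required");
        Form form = new Form().param("grant_type", "refresh_token")
                .param("refresh_token", refreshToken).param("client_id", clientId);
        Client client = ClientBuilder.newClient(); // separate client: token call must not be filtered
        try {
            Response r = client.target(tokenEndpoint).request(MediaType.APPLICATION_JSON)
                    .post(Entity.form(form));
            if (r.getStatus() != 200) throw new IOException("token refresh failed: HTTP " + r.getStatus());
            JsonObject json = Json.createReader(new StringReader(r.readEntity(String.class))).readObject();
            accessToken = json.getString("access_token");
            expiresAt = Instant.now().plusSeconds(json.getInt("expires_in", 300));
            // The IDP may rotate the refresh token; persist the replacement when one is returned.
            if (json.containsKey("refresh_token")) store.save(json.getString("refresh_token"));
        } finally { client.close(); }
    }
}
```

Register it with `ClientBuilder.newClient().register(new BearerTokenFilter(...))`; the refresh token should only ever travel to the token endpoint over HTTPS and should not be written to logs.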





