Posted to dev@cxf.apache.org by Sergey Beryozkin <sb...@gmail.com> on 2014/12/16 17:45:44 UTC

Re: cxf git commit: [CXF-6157] Support storing of OAuth2 redirection state in a session token

Hi Thorsten, All,

I've updated the OAuth2 SessionAuthenticityTokenProvider interface on the 
trunk.
The reason for that is that at the moment the only way for 
Redirection-based services to return the redirection state as part of 
the authorization decision is to use form hidden fields. That would 
include properties like client id, redirect URI, state, audience, client 
code verifier, and scope.

This is not difficult to implement but this approach has its own 
drawbacks. One of the alternatives is to pack these data into an 
encrypted session token. Hence this interface has been updated, and a 
specific implementation, JoseSessionTokenProvider, is now shipped; users 
would be able to come up with their own implementations. The existing 
implementations do not have to do anything about it, apart from the 
minor migration effort.

Thorsten, you provided the initial patch which introduced the interface. 
Would you prefer to keep this change on the trunk only or reckon it 
would be OK to push it down to 3.0.x? If anyone else on the users list 
customized the session creation process and would prefer to keep the 
latest update on the trunk only (3.1.0-SNAPSHOT) then let me know please.

Thanks, Sergey



> http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
> ----------------------------------------------------------------------
> diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
> index 741acb0..02cee8b 100644
> --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
> +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
> @@ -22,6 +22,7 @@ package org.apache.cxf.rs.security.oauth2.provider;
>   import javax.ws.rs.core.MultivaluedMap;
>
>   import org.apache.cxf.jaxrs.ext.MessageContext;
> +import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
>   import org.apache.cxf.rs.security.oauth2.common.UserSubject;
>
>   /**
> @@ -31,21 +32,23 @@ import org.apache.cxf.rs.security.oauth2.common.UserSubject;
>   public interface SessionAuthenticityTokenProvider {
>
>       /**
> -     * Creates a new session token and stores it
> +     * Create a new session token and stores it
>        *
>        * @param mc the {@link MessageContext} of this request
>        * @param params redirection-based grant request parameters
>        * @param subject authenticated end user
> +     * @param secData
>        * @return the created session token
>        */
>       String createSessionToken(MessageContext mc,
>                                 MultivaluedMap<String, String> params,
> -                              UserSubject subject);
> +                              UserSubject subject,
> +                              OAuthRedirectionState secData);
>
>       /**
> -     * Retrieves the stored session token
> +     * Retrieve the stored session token
>        *
> -     * @param mc the {@link MessageContext} of this request
> +     * @param mc the {@link MessageContext} of this request
>        * @param params grant authorization parameters
>        * @param subject authenticated end user
>        * @return the stored token
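Review bot: the new `@param secData` line in the createSessionToken Javadoc has no description, and the summary now reads "Create a new session token and stores it", mixing verb forms. Suggest "Creates a new session token and stores it" (matching the original) and something like "@param secData the redirection state (client id, redirect URI, state, scope, etc.) to be protected inside the token", since the accompanying message explains that this state is what the token is meant to carry in encrypted form. The `@param mc` change in the retrieve block looks like a whitespace-only edit and could be dropped to keep the diff minimal.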
> @@ -55,7 +58,7 @@ public interface SessionAuthenticityTokenProvider {
>                              UserSubject subject);
>
>       /**
> -     * Removes the stored session token
> +     * Remove the stored session token
>        *
>        * @param mc the {@link MessageContext} of this request
>        * @param params grant authorization parameters
> @@ -65,4 +68,16 @@ public interface SessionAuthenticityTokenProvider {
>                                 MultivaluedMap<String, String> params,
>                                 UserSubject subject);
>
> +    /**
> +     * Expand the session token
> +     *
> +     * @param mc the {@link MessageContext} of this request
> +     * @param sessionToken the token
> +     * @param subject authenticated end user
> +     * @return the expanded token or null
> +     */
> +    OAuthRedirectionState getSessionState(MessageContext messageContext,
> +                                          String sessionToken,
> +                                          UserSubject subject);
> +
>   }
>
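Review bot: the Javadoc for getSessionState documents `@param mc` but the parameter is named `messageContext`, so the tag will not match; rename one of them to agree with the other methods, which use `mc`. "Expand the session token" and "@return the expanded token or null" are also vague for a method whose result is trusted redirection state: the contract should say that implementations must validate the token (decrypt and check its integrity, and confirm it belongs to the given `subject`) and return null whenever validation fails, so callers know a null means "reject this request" rather than "nothing stored".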