Posted to dev@cxf.apache.org by Sergey Beryozkin <sb...@gmail.com> on 2014/12/16 17:45:44 UTC
Re: cxf git commit: [CXF-6157] Support storing of OAuth2 redirection
state in a session token
Hi Thorsten, All,
I've updated the OAuth2 SessionAuthenticityTokenProvider interface on the
trunk.
The reason for that is that, at the moment, the only way for
redirection-based services to carry the redirection state through the
authorization decision is to use hidden form fields. That state would
include properties like client id, redirect URI, state, audience, client
code verifier, and scope.
This is not difficult to implement, but this approach has its own
drawbacks. One of the alternatives is to pack this data into an
encrypted session token. Hence this interface has been updated; a
specific implementation, JoseSessionTokenProvider, is now shipped, and
users are able to provide their own implementations. The existing
implementations do not have to do anything about it, apart from a
minor migration effort.
Thorsten, you provided the initial patch which introduced the interface.
Would you prefer to keep this change on the trunk only, or do you reckon
it would be OK to push it down to 3.0.x? If anyone else on the users list
has customized the session creation process and would prefer to keep the
latest update on the trunk only (3.1.0-SNAPSHOT), please let me know.
Thanks, Sergey
> http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
> ----------------------------------------------------------------------
> diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
> index 741acb0..02cee8b 100644
> --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
> +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
> @@ -22,6 +22,7 @@ package org.apache.cxf.rs.security.oauth2.provider;
> import javax.ws.rs.core.MultivaluedMap;
>
> import org.apache.cxf.jaxrs.ext.MessageContext;
> +import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
> import org.apache.cxf.rs.security.oauth2.common.UserSubject;
>
> /**
> @@ -31,21 +32,23 @@ import org.apache.cxf.rs.security.oauth2.common.UserSubject;
> public interface SessionAuthenticityTokenProvider {
>
> /**
> - * Creates a new session token and stores it
> + * Create a new session token and stores it
> *
> * @param mc the {@link MessageContext} of this request
> * @param params redirection-based grant request parameters
> * @param subject authenticated end user
> + * @param secData
> * @return the created session token
> */
> String createSessionToken(MessageContext mc,
> MultivaluedMap<String, String> params,
> - UserSubject subject);
> + UserSubject subject,
> + OAuthRedirectionState secData);
>
> /**
> - * Retrieves the stored session token
> + * Retrieve the stored session token
> *
> - * @param mc the {@link MessageContext} of this request
> + * @param mc the {@link MessageContext} of this request
> * @param params grant authorization parameters
> * @param subject authenticated end user
> * @return the stored token
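Review bot: The new `@param secData` tag on createSessionToken is left empty, so implementors get no guidance on what the OAuthRedirectionState carries or how it must be protected; suggest `@param secData the redirection state (client id, redirect URI, state, etc.) that the token must store or be bound to`. Since the post says this state is meant to travel inside a token handed back to the client (that is inferred from the post, not visible in the hunk), the contract should also state that implementations must integrity-protect the token and bind it to `subject` — encryption alone does not stop a tampered redirect URI from being accepted. The changed summary `Create a new session token and stores it` mixes imperative and third person; the original `Creates a new session token and stores it` is the conventional Javadoc form.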
> @@ -55,7 +58,7 @@ public interface SessionAuthenticityTokenProvider {
> UserSubject subject);
>
> /**
> - * Removes the stored session token
> + * Remove the stored session token
> *
> * @param mc the {@link MessageContext} of this request
> * @param params grant authorization parameters
> @@ -65,4 +68,16 @@ public interface SessionAuthenticityTokenProvider {
> MultivaluedMap<String, String> params,
> UserSubject subject);
>
> + /**
> + * Expand the session token
> + *
> + * @param mc the {@link MessageContext} of this request
> + * @param sessionToken the token
> + * @param subject authenticated end user
> + * @return the expanded token or null
> + */
> + OAuthRedirectionState getSessionState(MessageContext messageContext,
> + String sessionToken,
> + UserSubject subject);
> +
> }
>
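Review bot: The Javadoc for the new getSessionState documents `@param mc` while the parameter is declared `MessageContext messageContext`, so the tag does not match any parameter; rename it to `MessageContext mc` for consistency with the other three methods, or fix the tag. The summary `Expand the session token` and `@return the expanded token or null` also say nothing about validation, yet the returned OAuthRedirectionState presumably drives the subsequent redirect (the caller is outside this hunk). Suggest `@return the redirection state recovered from a valid session token, or null if the token is missing, fails integrity verification, or is not bound to this subject`, so that implementations are required to verify before they decode rather than return partially trusted state.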