Posted to users@cxf.apache.org by ramesh <my...@gmail.com> on 2011/11/14 14:40:45 UTC
OAuth with CXF 2.5.0
I was wondering if it is possible to implement *OAuth 2.0 username and
password flow* *styled* security using the new CXF 2.5.0 OAuth
implementation.
If yes what would be the flow with OAuth ?
regards
Ramesh
Re: OAuth with CXF 2.5.0
Posted by ramesh <my...@gmail.com>.
On 11/14/2011 09:50 AM, Sergey Beryozkin wrote:
> On 14/11/11 13:40, ramesh wrote:
>> I was wondering if it is possible to implement *OAuth 2.0 username and
>> password flow* *styled* security using the new CXF 2.5.0 OAuth
>> implementation.
>> If yes what would be the flow with OAuth ?
>>
> I'm presuming you are referring to this OAuth 2.0 authorization grant
> type:
> http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.3.4
>
> The closest we can offer as part of our OAuth 1.0 impl is this:
> http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-2legOAuthFlow
>
> Note, in OAuth 2.0 the id+password pair gets exchanged for an access
> token first which at the surface at least appears to be a redundant
> operation given that the end user has already authorized the
> third-party apps to access some given resources without the explicit
> authorization, so one extra call for a 3rd party consumer. Maybe they
> did it for OAuth filters to always expect an access token and also
> manage the refresh tokens, they must've had a good reason for that...
>
> We can easily update AuthorizationRequestService impl to issue Access
> tokens in such cases in scope of OAuth 1.0, though it does seem
> redundant in scope of 1.0
>
> Sergey
>
>
>
>>
>> regards
>> Ramesh
>>
>
Thanks Sergey,
I was thinking the grant type in section 1.3.4 was a better approach
because we are only focusing on few trusted clients. But now I get the
point.
Two-legged OAuth 1.0 flow provided should be the right approach.
regards,
Ramesh
Re: OAuth with CXF 2.5.0
Posted by Sergey Beryozkin <sb...@gmail.com>.
On 14/11/11 13:40, ramesh wrote:
> I was wondering if it is possible to implement *OAuth 2.0 username and
> password flow* *styled* security using the new CXF 2.5.0 OAuth
> implementation.
> If yes what would be the flow with OAuth ?
>
I'm presuming you are referring to this OAuth 2.0 authorization grant type:
http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.3.4
The closest we can offer as part of our OAuth 1.0 impl is this:
http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-2legOAuthFlow
Note, in OAuth 2.0 the id+password pair gets exchanged for an access
token first which at the surface at least appears to be a redundant
operation given that the end user has already authorized the third-party
apps to access some given resources without the explicit authorization,
so one extra call for a 3rd party consumer. Maybe they did it for OAuth
filters to always expect an access token and also manage the refresh
tokens, they must've had a good reason for that...
We can easily update AuthorizationRequestService impl to issue Access
tokens in such cases in scope of OAuth 1.0, though it does seem
redundant in scope of 1.0
Sergey
>
> regards
> Ramesh
>
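To make the two-step shape Sergey describes concrete (the id+password pair is exchanged at a token endpoint first, and the resource-side OAuth filter then only ever sees an access token, with a refresh token to renew it), here is a small in-memory model of the OAuth 2.0 resource owner password credentials grant from the cited draft. This is an added illustration, not code from CXF or from the thread; the user, client and token stores, the `token_endpoint` and `oauth_filter` names, and the one-hour lifetime are all constructed assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs

# Constructed in-memory stores (assumption: a real server backs these with a database).
USERS = {"alice": "correct horse"}          # resource owner credentials
CLIENTS = {"trusted-app": "client-secret"}  # registered clients allowed to use this grant
TOKENS = {}    # access_token -> (username, expiry timestamp)
REFRESH = {}   # refresh_token -> username
TTL = 3600     # access token lifetime in seconds (assumed)

def _issue(user: str) -> dict:
    """Mint a fresh access/refresh token pair for a resource owner."""
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    TOKENS[access] = (user, time.time() + TTL)
    REFRESH[refresh] = user
    return {"access_token": access, "token_type": "bearer",
            "expires_in": TTL, "refresh_token": refresh}

def token_endpoint(body: str, client_id: str, client_secret: str) -> dict:
    """Token endpoint: grant_type=password (draft-22 section 4.3) exchanges the
    owner's id+password for tokens; grant_type=refresh_token (section 6) renews them.
    Returns the JSON-style response dict, including OAuth error codes on failure."""
    if not secrets.compare_digest(CLIENTS.get(client_id, ""), client_secret):
        return {"error": "invalid_client"}
    params = {k: v[0] for k, v in parse_qs(body).items()}
    grant = params.get("grant_type")
    if grant == "password":
        user = params.get("username", "")
        if user not in USERS or not secrets.compare_digest(
                USERS[user], params.get("password", "")):
            return {"error": "invalid_grant"}
    elif grant == "refresh_token":
        user = REFRESH.pop(params.get("refresh_token", ""), None)  # single use
        if user is None:
            return {"error": "invalid_grant"}
    else:
        return {"error": "unsupported_grant_type"}
    return _issue(user)

def oauth_filter(authorization_header: str):
    """Resource-side filter: accepts only a valid, unexpired bearer access token,
    never the raw username/password. Returns the resource owner or None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    entry = TOKENS.get(token)
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]
```

The password itself travels only once, to the token endpoint; everything after that is a bearer token check, which is the "redundant" extra call Sergey points out and the reason the filters can be token-only.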