Posted to users@cxf.apache.org by ramesh <my...@gmail.com> on 2011/11/14 14:40:45 UTC

OAuth with CXF 2.5.0

I was wondering if it is possible to implement *OAuth 2.0 username and 
password flow* *styled* security using the new CXF 2.5.0 OAuth 
implementation.
If yes what would be the flow with OAuth ?


regards
Ramesh

Re: OAuth with CXF 2.5.0

Posted by ramesh <my...@gmail.com>.
On 11/14/2011 09:50 AM, Sergey Beryozkin wrote:
> On 14/11/11 13:40, ramesh wrote:
>> I was wondering if it is possible to implement *OAuth 2.0 username and
>> password flow* *styled* security using the new CXF 2.5.0 OAuth
>> implementation.
>> If yes what would be the flow with OAuth ?
>>
> I'm presuming you are referring to this OAuth 2.0 authorization grant 
> type:
> http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.3.4
>
> The closest we can offer as part of our OAuth 1.0 impl is this:
> http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-2legOAuthFlow
>
> Note, in OAuth 2.0 the id+password pair gets exchanged for an access 
> token first which at the surface at least appears to be a redundant 
> operation given that the end user has already authorized the 
> third-party apps to access some given resources without the explicit 
> authorization, so one extra call for a 3rd party consumer. Maybe they 
> did it for OAuth filters to always expect an access token and also 
> manage the refresh tokens, they must've had a good reason for that...
>
> We can easily update AuthorizationRequestService impl to issue Access 
> tokens in such cases in scope of OAuth 1.0, though it does seem 
> redundant in scope of 1.0.
>
> Sergey
>
>
>
>>
>> regards
>> Ramesh
>>
>
Thanks Sergey,

  I was thinking the grant type in section 1.3.4 was a better approach 
because we are only focusing on few trusted clients. But now I get the 
point.
Two-legged OAuth 1.0 flow provided should be the right approach.

regards,
Ramesh



Re: OAuth with CXF 2.5.0

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 14/11/11 13:40, ramesh wrote:
> I was wondering if it is possible to implement *OAuth 2.0 username and
> password flow* *styled* security using the new CXF 2.5.0 OAuth
> implementation.
> If yes what would be the flow with OAuth ?
>
I'm presuming you are referring to this OAuth 2.0 authorization grant type:
http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.3.4

The closest we can offer as part of our OAuth 1.0 impl is this:
http://cxf.apache.org/docs/jax-rs-oauth.html#JAX-RSOAuth-2legOAuthFlow

Note, in OAuth 2.0 the id+password pair gets exchanged for an access 
token first which at the surface at least appears to be a redundant 
operation given that the end user has already authorized the third-party 
apps to access some given resources without the explicit authorization, 
so one extra call for a 3rd party consumer. Maybe they did it for OAuth 
filters to always expect an access token and also manage the refresh 
tokens, they must've had a good reason for that...

We can easily update AuthorizationRequestService impl to issue Access 
tokens in such cases in scope of OAuth 1.0, though it does seem 
redundant in scope of 1.0.

Sergey



>
> regards
> Ramesh
>
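The two flows Sergey contrasts above, as an added example that is not part of the thread and does not use any CXF API: an in-process OAuth 2.0 token endpoint implementing the resource owner password credentials grant (draft-ietf-oauth-v2-22, section 4.3), where the id+password pair is first exchanged for a bearer token and the resource then sees only the token, next to a two-legged OAuth 1.0 request (RFC 5849, HMAC-SHA1) that the consumer signs directly with its consumer secret and an empty token secret, so the resource is reached in a single call. The client id, secret, user record and URLs are constructed for this example. It goes slightly beyond the thread on the 1.0 side by adding the timestamp window and nonce bookkeeping that RFC 5849 section 3.3 expects a server to keep, since without them a captured signed request can be replayed.

```python
"""Constructed in-process comparison of the two flows discussed above:
OAuth 2.0 resource owner password credentials grant (draft-ietf-oauth-v2-22,
section 4.3) versus a two-legged OAuth 1.0 request (RFC 5849, HMAC-SHA1).
Both servers are stand-ins written for this example; no CXF API is used."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed credentials: one trusted client and one resource owner.
CLIENT_ID, CLIENT_SECRET = "trusted-app", "s3cr3t-client-secret"
USERS = {"ramesh": "correct horse battery staple"}


# ---- OAuth 2.0 password grant: two round trips (token endpoint, then resource) ----
class OAuth2Server:
    def __init__(self):
        self.tokens = {}  # access_token -> (username, expiry)

    def token_endpoint(self, client_auth, form):
        """client_auth is the (id, secret) pair the client authenticates with."""
        if client_auth[0] != CLIENT_ID or not hmac.compare_digest(
                client_auth[1].encode(), CLIENT_SECRET.encode()):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "password":
            return 400, {"error": "unsupported_grant_type"}
        user, pw = form.get("username"), form.get("password", "")
        if user not in USERS or not hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return 400, {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)  # the password is exchanged for this, once
        self.tokens[tok] = (user, time.time() + 3600)
        return 200, {"access_token": tok, "token_type": "bearer", "expires_in": 3600}

    def resource(self, authorization):
        """Resource filter: accepts only a live bearer token, never a password."""
        scheme, _, tok = authorization.partition(" ")
        entry = self.tokens.get(tok)
        if scheme.lower() != "bearer" or entry is None or entry[1] < time.time():
            return 401, None
        return 200, {"owner": entry[0]}


def oauth2_password_flow(server, username, password):
    """Returns (status, body, round_trips); the token call is the extra hop."""
    form = {"grant_type": "password", "username": username, "password": password}
    status, body = server.token_endpoint((CLIENT_ID, CLIENT_SECRET), form)
    if status != 200:
        return status, body, 1
    status, body = server.resource("Bearer " + body["access_token"])
    return status, body, 2


# ---- Two-legged OAuth 1.0: one signed round trip, no token involved ----
def _pct(s):
    return quote(str(s), safe="-._~")  # RFC 5849 section 3.6 percent-encoding

def oauth1_signature_base(method, base_url, params):
    """RFC 5849 section 3.4.1; params is a dict or a list of (name, value) pairs."""
    items = params.items() if isinstance(params, dict) else params
    pairs = sorted((_pct(k), _pct(v)) for k, v in items if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])

def oauth1_hmac_sha1(method, base_url, params, consumer_secret, token_secret=""):
    key = (_pct(consumer_secret) + "&" + _pct(token_secret)).encode()  # no token secret in 2-leg
    base = oauth1_signature_base(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def oauth1_sign_request(method, base_url, query):
    """Client side: add the oauth_* protocol parameters and sign with the consumer secret."""
    params = dict(query, oauth_consumer_key=CLIENT_ID, oauth_signature_method="HMAC-SHA1",
                  oauth_timestamp=str(int(time.time())), oauth_nonce=secrets.token_hex(8),
                  oauth_version="1.0")
    params["oauth_signature"] = oauth1_hmac_sha1(method, base_url, params, CLIENT_SECRET)
    return params

class OAuth1TwoLeggedServer:
    def __init__(self, window=300):
        self.consumers = {CLIENT_ID: CLIENT_SECRET}
        self.window = window  # accepted clock skew in seconds
        self.seen = set()     # (consumer, timestamp, nonce) triples already accepted

    def resource(self, method, base_url, params):
        key, sig = params.get("oauth_consumer_key"), params.get("oauth_signature")
        secret = self.consumers.get(key)
        if secret is None or sig is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return 401, None
        try:
            stale = abs(int(params.get("oauth_timestamp", "")) - time.time()) > self.window
        except ValueError:
            return 401, None
        fingerprint = (key, params["oauth_timestamp"], params.get("oauth_nonce"))
        expected = oauth1_hmac_sha1(method, base_url, params, secret)
        if stale or fingerprint in self.seen or not hmac.compare_digest(expected.encode(), str(sig).encode()):
            return 401, None
        self.seen.add(fingerprint)  # nonce + timestamp replay protection (RFC 5849 section 3.3)
        return 200, {"consumer": key}
```

Driving both sides in one process makes the difference Sergey describes visible: `oauth2_password_flow` needs two calls and the password reaches only the token endpoint, while `oauth1_sign_request` followed by `OAuth1TwoLeggedServer.resource` is a single call in which the consumer secret never travels at all, only a signature over the method, URL and parameters. The signature base string follows RFC 5849 section 3.4.1 (including the erratum that double-encodes `c@` to `c%2540`), so the RFC's own example request can be used to check it.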