Posted to issues@cxf.apache.org by "Steven Tippetts (JIRA)" <ji...@apache.org> on 2012/12/04 19:22:58 UTC

[jira] [Created] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Steven Tippetts created CXF-4673:
------------------------------------

             Summary: [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken
                 Key: CXF-4673
                 URL: https://issues.apache.org/jira/browse/CXF-4673
             Project: CXF
          Issue Type: Improvement
          Components: JAX-RS Security
    Affects Versions: 2.7.0
            Reporter: Steven Tippetts


When using pre-authorized tokens I need the requested scope to be able to create the token. Please change the OAuthDataProvider interface to include:

ServerAccessToken getPreauthorizedToken(Client client,
                                        UserSubject subject,
                                        String grantType, 
                                        List<String> requestedScope)
    throws OAuthServiceException;

And change RedirectionBasedGrantService.java and AbstractGrantHandler.java to pass the requestedScope variable in to getPreauthorizedToken.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510149#comment-13510149 ] 

Steven Tippetts commented on CXF-4673:
--------------------------------------

This is a different use than what you describe, but it isn't something that is against the OAuth specification. Also, the change would be minimal, since both calls to getPreauthorizedToken have requestedScope available and it can just be added as a parameter. It is also a natural parameter because the ServerAccessToken already has a property for it, so it makes sense to pass it in so it can be used if needed. Adding this just makes your implementation more robust.
                
> [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken
> -------------------------------------------------------------------
>
>                 Key: CXF-4673
>                 URL: https://issues.apache.org/jira/browse/CXF-4673
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.0
>            Reporter: Steven Tippetts
>
> When using pre-authorized tokens I need the requested scope to be able to create the token.
> Please change the OAuthDataProvider interface to include:
> {code}
> ServerAccessToken getPreauthorizedToken(Client client,
>                                         UserSubject subject,
>                                         String grantType, 
>                                         List<String> requestedScope)
>     throws OAuthServiceException;
> {code}
> And change RedirectionBasedGrantService.java and AbstractGrantHandler.java to pass the requestedScope variable in to getPreauthorizedToken.
> Thanks.


[jira] [Updated] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven Tippetts updated CXF-4673:
---------------------------------

    Description: 
When using pre-authorized tokens I need the requested scope to be able to create the token. Please change the OAuthDataProvider interface to include:

{code}
ServerAccessToken getPreauthorizedToken(Client client,
                                        UserSubject subject,
                                        String grantType, 
                                        List<String> requestedScope)
    throws OAuthServiceException;
{code}

And change RedirectionBasedGrantService.java and AbstractGrantHandler.java to pass the requestedScope variable in to getPreauthorizedToken.

  was:
When using pre-authorized tokens I need the requested scope to be able to create the token. Please change the OAuthDataProvider interface to include:

ServerAccessToken getPreauthorizedToken(Client client,
                                        UserSubject subject,
                                        String grantType, 
                                        List<String> requestedScope)
    throws OAuthServiceException;

And change RedirectionBasedGrantService.java and AbstractGrantHandler.java to pass the requestedScope variable in to getPreauthorizedToken.

    

[jira] [Commented] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510529#comment-13510529 ] 

Steven Tippetts commented on CXF-4673:
--------------------------------------

Thank you. By the way, in the method convertScopeToPermissions in my OAuthDataProvider object, I filter out any of the requested scopes that are not in my list of approved scopes from my pre-registered clients. This way the client doesn't get more permissions than they are approved for and they also only get the permissions they ask for.
                
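The scope filtering described in the comment above, written out as an added example; it is not CXF code and not the reporter's own implementation. CXF's Client, OAuthPermission and convertScopeToPermissions are modelled by stand-in Python classes and functions, and the client's approved-scope list and the scope catalogue are constructed for the example. The second function adds the check a provider needs once requested scopes can be silently dropped: per RFC 6749 section 3.3 the token response has to carry a scope parameter whenever the granted scope differs from the request, otherwise the client keeps believing it holds the permissions it asked for.

```python
"""Scope filtering for a pre-registered client.

Added example, not CXF code: Client, OAuthPermission and
convert_scope_to_permissions are stand-ins for the CXF types and the
OAuthDataProvider method of the same name. All scope values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Client:
    client_id: str
    # Scopes this client was approved for when it was registered (constructed).
    approved_scopes: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class OAuthPermission:
    scope: str
    http_verbs: Tuple[str, ...]
    uris: Tuple[str, ...]


# Constructed catalogue: what each scope allows at the resource server.
SCOPE_CATALOGUE: Dict[str, OAuthPermission] = {
    "read_profile": OAuthPermission("read_profile", ("GET",), ("/profile",)),
    "write_profile": OAuthPermission("write_profile", ("PUT", "POST"), ("/profile",)),
    "read_orders": OAuthPermission("read_orders", ("GET",), ("/orders",)),
}


def convert_scope_to_permissions(client: Client,
                                 requested_scope: List[str]) -> List[OAuthPermission]:
    """Keep only the requested scopes the client is approved for.

    Two properties fall out of taking the intersection:
      * the client never receives a permission it was not approved for
        (unknown or unapproved scopes are dropped, never granted), and
      * the client receives only what it asked for, not its whole approved set.
    Order follows the request; duplicates are collapsed.
    """
    approved = set(client.approved_scopes)
    seen = set()
    permissions: List[OAuthPermission] = []
    for scope in requested_scope:
        if scope in approved and scope in SCOPE_CATALOGUE and scope not in seen:
            seen.add(scope)
            permissions.append(SCOPE_CATALOGUE[scope])
    return permissions


def scope_response_parameter(requested_scope: List[str],
                             granted: List[OAuthPermission]) -> Optional[str]:
    """Value of the ``scope`` parameter for the token response.

    RFC 6749 section 3.3: when the issued scope differs from the requested
    one, the response must tell the client what was actually granted.
    Returns None when the request was honoured in full (parameter optional).
    """
    granted_scopes = [p.scope for p in granted]
    if set(granted_scopes) == set(requested_scope):
        return None
    return " ".join(granted_scopes)


if __name__ == "__main__":
    app = Client("reports-app", ["read_profile", "read_orders"])
    asked = ["read_profile", "write_profile", "admin"]
    got = convert_scope_to_permissions(app, asked)
    print([p.scope for p in got])                  # ['read_profile']
    print(scope_response_parameter(asked, got))    # read_profile
```

Dropping unapproved scopes silently, as the comment describes, is one valid policy; the alternative is to fail the request with `invalid_scope`. Either way the effective scope must be what ends up on the ServerAccessToken, and the response parameter above is what keeps the client's view consistent with it.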

[jira] [Commented] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510448#comment-13510448 ] 

Sergey Beryozkin commented on CXF-4673:
---------------------------------------

Well, I'm going ahead with this update :-) What made me change my mind was that I realized that the refresh token grant handler is not complete, in that it is not capable of passing the requested scope (if it is available) to the refreshToken method, which is important for supporting client-driven down-scoping requests. I can imagine the same may be useful for the case where a pre-authorized token is available, where the provider can basically 'clone' the token and limit the original scope, etc.
                

[jira] [Commented] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510074#comment-13510074 ] 

Sergey Beryozkin commented on CXF-4673:
---------------------------------------

I've asked for some clarifications on it...
                

[jira] [Resolved] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-4673.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.7.1
                   2.6.4
         Assignee: Sergey Beryozkin
    

[jira] [Updated] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven Tippetts updated CXF-4673:
---------------------------------

    Description: 
When using pre-authorized tokens I need the requested scope to be able to create the token.

Please change the OAuthDataProvider interface to include:

{code}
ServerAccessToken getPreauthorizedToken(Client client,
                                        UserSubject subject,
                                        String grantType, 
                                        List<String> requestedScope)
    throws OAuthServiceException;
{code}

And change RedirectionBasedGrantService.java and AbstractGrantHandler.java to pass the requestedScope variable in to getPreauthorizedToken.

Thanks.

  was:
When using pre-authorized tokens I need the requested scope to be able to create the token. Please change the OAuthDataProvider interface to include:

{code}
ServerAccessToken getPreauthorizedToken(Client client,
                                        UserSubject subject,
                                        String grantType, 
                                        List<String> requestedScope)
    throws OAuthServiceException;
{code}

And change RedirectionBasedGrantService.java and AbstractGrantHandler.java to pass the requestedScope variable in to getPreauthorizedToken.

    

[jira] [Commented] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510432#comment-13510432 ] 

Sergey Beryozkin commented on CXF-4673:
---------------------------------------

IMHO if a client is allowed to bypass the end user authorization by utilizing a pre-authorized token, then having the client effectively override what this token allows the client to do (re scopes) is a security concern...

ServerAccessToken only has a list of effective scopes, which in the case of the redirection flows is what the provider thought was the combination of the original client scopes and those actually approved by the user, as provided by AccessTokenRegistration.

So if a pre-authorized ServerAccessToken is available, it already has the effective scope/permissions.

See what I mean?
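An added example, not CXF code, of the scope rule that answers the concern in this comment and also covers the down-scoping use Sergey describes in his comment earlier on this page: the approved scopes live on the stored pre-authorized token, and a requestedScope can only narrow them, never widen them. The same rule is what RFC 6749 section 6 requires for refresh requests. ServerAccessToken, OAuthServiceException, the (client, subject) store and every token value are constructed Python stand-ins for the CXF types, and the grant type parameter is accepted only for parity with the CXF method signature.

```python
"""Handing out a pre-authorized token with client-driven down-scoping.

Added example, not CXF code: the classes below stand in for CXF's
ServerAccessToken, OAuthServiceException and the OAuthDataProvider
getPreauthorizedToken method. The store and its token are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
import secrets


class OAuthServiceException(Exception):
    """Stand-in for CXF's exception; carries the OAuth2 error code."""

    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error


@dataclass(frozen=True)
class ServerAccessToken:
    token_key: str
    client_id: str
    subject: str
    scopes: Tuple[str, ...]  # effective scopes: what the resource owner approved


# Constructed store of pre-authorized tokens, keyed by (client_id, subject).
PREAUTHORIZED: Dict[Tuple[str, str], ServerAccessToken] = {
    ("reports-app", "alice"): ServerAccessToken(
        "tok-preauth-1", "reports-app", "alice", ("read_profile", "read_orders")),
}


def down_scope(token: ServerAccessToken, requested_scope: List[str]) -> ServerAccessToken:
    """Return token limited to requested_scope; reject any scope not already granted.

    The client may shrink what it holds (RFC 6749 section 6 allows the same on
    refresh) but can never add to it: anything outside the approved set fails
    with invalid_scope instead of being granted.
    """
    approved = set(token.scopes)
    extra = sorted(set(requested_scope) - approved)
    if extra:
        raise OAuthServiceException(
            "invalid_scope", "not in the pre-authorized grant: " + " ".join(extra))
    wanted = set(requested_scope)
    narrowed = tuple(s for s in token.scopes if s in wanted)
    if narrowed == token.scopes:
        return token
    # Hand out a clone under a fresh key; the stored token keeps its full
    # approved scope for later, wider requests.
    return replace(token, token_key="tok-" + secrets.token_hex(8), scopes=narrowed)


def get_preauthorized_token(client_id: str, subject: str, grant_type: str,
                            requested_scope: List[str]) -> Optional[ServerAccessToken]:
    """Look up the owner's pre-authorized token for this client.

    grant_type is accepted for parity with the CXF signature and not used here.
    With no requested scope the token is returned exactly as the owner approved
    it; with one, it is narrowed (never widened) by down_scope. None means there
    is no pre-authorization and the caller runs the normal authorization flow.
    """
    token = PREAUTHORIZED.get((client_id, subject))
    if token is None:
        return None
    if not requested_scope:
        return token
    return down_scope(token, requested_scope)


if __name__ == "__main__":
    full = get_preauthorized_token("reports-app", "alice", "authorization_code", [])
    narrow = get_preauthorized_token("reports-app", "alice", "authorization_code", ["read_orders"])
    print(full.scopes, narrow.scopes)   # ('read_profile', 'read_orders') ('read_orders',)
    try:
        get_preauthorized_token("reports-app", "alice", "authorization_code", ["write_orders"])
    except OAuthServiceException as e:
        print(e)                        # invalid_scope: not in the pre-authorized grant: write_orders
```

Whether a narrowed clone should also be persisted (so it can be revoked and refreshed on its own) is a provider decision the example leaves open; what it does fix is the ordering: the stored token is the authority on scope, and the request is only ever compared against it.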

[jira] [Commented] (CXF-4673) [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510065#comment-13510065 ] 

Sergey Beryozkin commented on CXF-4673:
---------------------------------------

Not sure about it either :-). I guess the idea with using the pre-authorized tokens (which I implemented based on the comments I saw on the oauth2 list) is, in general, that the resource owner works with a dedicated UI which allows the end user to select which registered clients can be allocated a pre-authorized token (or this can be done somehow differently). This token will have its properties set, that is, the client requested scope, if any, is basically ignored; the requested scope is only useful when the token is created right now, for the provider to compare the requested scope and the approved scope; with the preauthorized token, whatever the user pre-authorized is then set in stone until the user decides to revoke it, change it, etc...

Does it sound reasonable to you?