Posted to issues@cxf.apache.org by "Steven Tippetts (JIRA)" <ji...@apache.org> on 2012/12/03 20:11:58 UTC

[jira] [Created] (CXF-4671) [OAuth2] Add option to not have user intervention

Steven Tippetts created CXF-4671:
------------------------------------

             Summary: [OAuth2] Add option to not have user intervention
                 Key: CXF-4671
                 URL: https://issues.apache.org/jira/browse/CXF-4671
             Project: CXF
          Issue Type: Wish
          Components: JAX-RS Security
    Affects Versions: 2.7.0
            Reporter: Steven Tippetts


I'm using the CXF OAuth library as a cross domain, non-cookie way to protect my resource server endpoints. As such, I don't need the user to authorize access to any data. I know this isn't part of the OAuth 2 spec, but it would be very nice if there were a config setting that would skip the user authorization part.

Currently, I'm extending RedirectionBasedGrantService and overriding startAuthorization like this:

{code}
import javax.servlet.http.HttpSession;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

@Override
protected Response startAuthorization(MultivaluedMap<String, String> params) {
  // Run the base class pre-checks; the consent-form Response it returns is discarded.
  super.startAuthorization(params);
  // Replay the authenticity token the base class stored in the session, as the consent form would.
  HttpSession session = getMessageContext().getHttpServletRequest().getSession();
  String sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
  params.add("session_authenticity_token", sessionToken);
  // Answer "allow" on the user's behalf: every request that passes the pre-checks is approved.
  params.add("oauthDecision", "allow");
  return super.completeAuthorization(params);
}
{code}

This works ok for me, but it would be nice if it were a part of the library.



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (CXF-4671) [OAuth2] Add option to not have user intervention

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509911#comment-13509911 ] 

Steven Tippetts commented on CXF-4671:
--------------------------------------

Sergey, thank you for your feedback. I'm not able to use the client credentials grant because my client is public and I need the implicit flow. However, I can use pre-authorized tokens. Thank you for suggesting that. In order to get the pre-authorized tokens working I need a change to the code. I'll create another issue for that change. This issue can be closed.
                

[jira] [Resolved] (CXF-4671) [OAuth2] Add option to not have user intervention

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-4671.
-----------------------------------

    Resolution: Won't Fix
      Assignee: Sergey Beryozkin

We've agreed to explore the pre-authorized token option.
                

[jira] [Commented] (CXF-4671) [OAuth2] Add option to not have user intervention

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13508965#comment-13508965 ] 

Steven Tippetts commented on CXF-4671:
--------------------------------------

I also added a snippet of code in my convertScopeToPermissions method of my ImplicitDataProvider object to check the requested scopes against a collection of allowed scopes that I store on a per client basis by overriding the Client object and adding an allowedScopes property.

Although, as I look now at the code, I could probably add scope + "_status" parameters of the allowed scopes prior to the call to super.completeAuthorization(params) and remove the check in convertScopeToPermissions.
                
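The startAuthorization override in the issue description approves every request that passes the base class pre-checks, so the convertScopeToPermissions check mentioned in the comment above becomes the only place where a public client's scope request is still judged. The following is an added example, not code from the reporter or from the CXF project, of what that per-client allowed-scope check can look like. It assumes the CXF 2.7 types Client, OAuthPermission, OAuthError, OAuthServiceException and OAuthConstants, and the OAuthDataProvider.convertScopeToPermissions(Client, List<String>) signature; ScopeGuard and AllowedScopesClient are hypothetical names, and the client registration in main() is constructed sample data.

```java
// Added example, not code from the issue reporter or the CXF project.
// Assumes CXF 2.7 types: Client, OAuthPermission, OAuthError, OAuthServiceException,
// OAuthConstants, and OAuthDataProvider.convertScopeToPermissions(Client, List<String>).
// ScopeGuard and AllowedScopesClient are hypothetical names; the client in main() is constructed.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

public final class ScopeGuard {

    /** Client carrying the per-client allow-list the comment describes (hypothetical subclass). */
    static final class AllowedScopesClient extends Client {
        private final Set<String> allowedScopes;

        AllowedScopesClient(String clientId, boolean confidential, Set<String> allowedScopes) {
            super(clientId, null, confidential);   // a public (implicit-flow) client has no secret
            this.allowedScopes = Collections.unmodifiableSet(new HashSet<String>(allowedScopes));
        }

        Set<String> getAllowedScopes() {
            return allowedScopes;
        }
    }

    /**
     * Body for OAuthDataProvider.convertScopeToPermissions(Client, List<String>).
     * With startAuthorization() auto-answering "allow", this is the last check a
     * scope request goes through, so anything outside the client's allow-list is
     * rejected outright rather than silently narrowed.
     */
    public static List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScope) {
        Set<String> allowed = client instanceof AllowedScopesClient
            ? ((AllowedScopesClient) client).getAllowedScopes()
            : Collections.<String>emptySet();       // unknown client type: nothing is allowed
        List<OAuthPermission> permissions = new ArrayList<OAuthPermission>();
        for (String scope : requestedScope) {
            if (!allowed.contains(scope)) {
                throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE,
                        "scope '" + scope + "' is not allowed for client " + client.getClientId()));
            }
            permissions.add(new OAuthPermission(scope, "Access to " + scope));
        }
        return permissions;
    }

    public static void main(String[] args) {
        // Constructed sample registration: a public single-page app allowed two read-only scopes.
        AllowedScopesClient spa = new AllowedScopesClient("spa-client", false,
                new HashSet<String>(Arrays.asList("read:profile", "read:orders")));

        List<OAuthPermission> ok = convertScopeToPermissions(spa, Arrays.asList("read:profile"));
        System.out.println("approved permissions: " + ok.size());

        try {
            convertScopeToPermissions(spa, Arrays.asList("read:profile", "write:orders"));
            System.out.println("BUG: write:orders should have been rejected");
        } catch (OAuthServiceException e) {
            System.out.println("rejected with error: " + e.getError().getError());
        }
    }
}
```

Rejecting the whole request on the first disallowed scope, instead of dropping that scope and approving the rest, is deliberate: once the consent step is skipped there is no user left to notice that a client asked for more than it was registered for, so an over-broad request should fail loudly at the authorization endpoint.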

[jira] [Commented] (CXF-4671) [OAuth2] Add option to not have user intervention

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509698#comment-13509698 ] 

Sergey Beryozkin commented on CXF-4671:
---------------------------------------

Let me also ask: is the client acting effectively as the end user? If it is the same entity then maybe it is the client credentials grant which has to be used?
                

[jira] [Commented] (CXF-4671) [OAuth2] Add option to not have user intervention

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509670#comment-13509670 ] 

Sergey Beryozkin commented on CXF-4671:
---------------------------------------

At the library level this is supported by the use of pre-authorized tokens - why can't you use it?

                