You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2016/11/16 23:04:58 UTC

[jira] [Commented] (CXF-7137) Allow OAuth2 customization via Swagger2Feature

    [ https://issues.apache.org/jira/browse/CXF-7137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15671997#comment-15671997 ] 

Sergey Beryozkin commented on CXF-7137:
---------------------------------------

Hi, as far as I'm aware, a client secret is only issued by Authorization Service only after the successful client registration, with a (confidential web server) client keeping it private and only using when talking to AccessTokenService.
I don't understand why would this client make this secret visible as part of its Swagger API Docs - that would a security leak.

Can you explain please how does it work ?
Thanks

> Allow OAuth2 customization via Swagger2Feature
> ----------------------------------------------
>
>                 Key: CXF-7137
>                 URL: https://issues.apache.org/jira/browse/CXF-7137
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS
>    Affects Versions: 3.1.8
>            Reporter: Alexander K.
>
> It seems that there is no way to customize initOAuth() details like clientId, clientSecret, realm, appName, etc. for SwaggerUI-OAuth integration. This will allow Swagger-UI authorization for protected CXF REST services by an authorization server such as Keycloak.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)