Posted to issues@cxf.apache.org by "Evgeni Kisel (JIRA)" <ji...@apache.org> on 2012/08/20 10:16:38 UTC

[jira] [Created] (CXF-4478) [OAuth1.0] RequestTokenHandler doesn't support custom input parameters

Evgeni Kisel created CXF-4478:
---------------------------------

             Summary: [OAuth1.0] RequestTokenHandler doesn't support custom input parameters
                 Key: CXF-4478
                 URL: https://issues.apache.org/jira/browse/CXF-4478
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 2.6.1
            Reporter: Evgeni Kisel


According to the spec, custom parameters can be added, but currently it's impossible to use them because:
1. there are no hooks in the handle class to be overridden.
2. RequestTokenRegistration object doesn't contain a map with custom parameters.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (CXF-4478) [OAuth1.0] RequestTokenHandler doesn't support custom input parameters

Posted by "Evgeni Kisel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13500968#comment-13500968 ] 

Evgeni Kisel commented on CXF-4478:
-----------------------------------

Hi,

For example, customizing the 3-legged scenario for mobile purposes (for example, sending a device id and receiving an activation code). In this case an additional custom input parameter should be used, and also a custom output parameter.


Best Regards,
Evgeni
                

[jira] [Commented] (CXF-4478) [OAuth1.0] RequestTokenHandler doesn't support custom input parameters

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13500999#comment-13500999 ] 

Sergey Beryozkin commented on CXF-4478:
---------------------------------------

I'm presuming the custom output parameter will have to be returned alongside the access token key, right?
                

[jira] [Commented] (CXF-4478) [OAuth1.0] RequestTokenHandler doesn't support custom input parameters

Posted by "Evgeni Kisel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13503804#comment-13503804 ] 

Evgeni Kisel commented on CXF-4478:
-----------------------------------

OAuth 1.0 must be used because it's more secure and has finalized signed-off documentation.

> I'd like to understand the flow better. Does it imply the use of "oob"?
It can be for oob cases and for non-oob as well.


> Please prototype the example: basically I need to see when a custom parameter is reported back, I'm assuming it has to be done after the user has authorized the client, but the question is, does it have to be reported back as part of "oob" response, or after the client requests the access token.

It doesn't matter which step. Each step should support customizing. Developers should be able to add their own custom input and output parameters and handle them appropriately.

                

[jira] [Commented] (CXF-4478) [OAuth1.0] RequestTokenHandler doesn't support custom input parameters

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507288#comment-13507288 ] 

Sergey Beryozkin commented on CXF-4478:
---------------------------------------

Let me try it differently. I'm OK with getting 1.0 code extended to support custom parameters. But I need to see the actual use (with some basic example) of these custom parameters across all the 3-leg flow because it will affect the way the code might get enhanced.
If you really need this extension then please simply type here a sample flow, the way you envisage it working for your own application. 

Example, "1. client requests RT and includes a custom parameter 2. it gets a RT key back 3. redirects the user 4. gets the RT token verifier back 5. exchanges RT for AT 6. uses AT to access a protected resource". I need to see at which steps (2-6) the custom parameter submitted at step 1 is used.
                

[jira] [Commented] (CXF-4478) [OAuth1.0] RequestTokenHandler doesn't support custom input parameters

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504060#comment-13504060 ] 

Sergey Beryozkin commented on CXF-4478:
---------------------------------------

> OAuth 1.0 must be used because it's more secure and has finalized signed-off documentation.

Put it this way, I do not accept the statement it is more secure - but I agree it is secure and I'm also open to making it easier for developers who prefer to stay with OAuth 1.0 to get more advanced scenarios implemented.
If you prefer OAuth 1.0 then I'm fine with that.

Now to move next, I need to have a clear understanding of the scenario you have in mind. It does matter how the parameters are managed, whether they have to be shared between request & access tokens, and whether the client is expected to provide the additional parameters during accessing the protected resource or not, because if yes then it means we need to make sure the custom parameters are taken into consideration during the signature validation.

So, give me a clear example and we will proceed from there
 
                
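Why custom parameters have to be taken into account during signature validation, as an added example (not from the thread and not CXF code): under RFC 5849 every request parameter goes into the signature base string, so a provider that alters or skips one computes a different HMAC-SHA1. The `device_id` parameter, the endpoint, the secrets and all values are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class CustomParamSignature {
    // RFC 5849 section 3.6 percent-encoding; URLEncoder differs on ' ', '*' and '~'.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Base string (section 3.4.1): all parameters except oauth_signature, custom ones included.
    static String baseString(String method, String url, Map<String, String> params) throws Exception {
        TreeMap<String, String> sorted = new TreeMap<>();   // sorted by encoded name
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!"oauth_signature".equals(e.getKey())) sorted.put(enc(e.getKey()), enc(e.getValue()));
        }
        StringJoiner normalized = new StringJoiner("&");
        sorted.forEach((k, v) -> normalized.add(k + "=" + v));
        return method + "&" + enc(url) + "&" + enc(normalized.toString());
    }

    // HMAC-SHA1 (section 3.4.2); the token secret is empty when asking for a request token.
    static byte[] sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.US_ASCII);
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(base.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String url = "https://provider.example/oauth/initiate"; // constructed endpoint
        Map<String, String> sent = new HashMap<>();             // constructed sample request
        sent.put("oauth_consumer_key", "mobile-client");
        sent.put("oauth_signature_method", "HMAC-SHA1");
        sent.put("oauth_timestamp", "1353400000");
        sent.put("oauth_nonce", "n-7f3a");
        sent.put("oauth_callback", "oob");
        sent.put("device_id", "dev 42");                        // hypothetical custom parameter
        byte[] clientSig = sign(baseString("POST", url, sent), "consumer-secret", "");
        Map<String, String> tampered = new HashMap<>(sent);     // value changed in transit
        tampered.put("device_id", "dev 43");
        Map<String, String> stripped = new HashMap<>(sent);     // provider skips unknown parameters
        stripped.remove("device_id");
        for (Map<String, String> seen : Arrays.asList(sent, tampered, stripped)) {
            System.out.println(seen.get("device_id") + " -> valid: " + MessageDigest.isEqual(clientSig, sign(baseString("POST", url, seen), "consumer-secret", "")));
        }
    }
}
```

Only the first case, where the provider signs exactly what the client sent, reproduces the client's signature; the comparison uses `MessageDigest.isEqual` so it does not leak timing.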

[jira] [Commented] (CXF-4478) [OAuth1.0] RequestTokenHandler doesn't support custom input parameters

Posted by "Evgeni Kisel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13501102#comment-13501102 ] 

Evgeni Kisel commented on CXF-4478:
-----------------------------------

The initial idea is to provide a "hook" for developers for customizing the list of input and output parameters for each step of the OAuth handshake.
                

[jira] [Commented] (CXF-4478) [OAuth1.0] RequestTokenHandler doesn't support custom input parameters

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13501344#comment-13501344 ] 

Sergey Beryozkin commented on CXF-4478:
---------------------------------------

OK, let me ask a few questions.

How important is it for you to use OAuth 1.0? Would OAuth 2.0 work for you instead?

Next, let's assume it has to be OAuth 1.0 in your case.
I'd like to understand the flow better. Does it imply the use of "oob"?
Please prototype the example: basically I need to see when a custom parameter is reported back, I'm assuming it has to be done after the user has authorized the client, but the question is, does it have to be reported back as part of "oob" response, or after the client requests the access token.



                