You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by dk...@apache.org on 2013/12/19 17:43:23 UTC
svn commit: r891058 [17/31] - in /websites/production/cxf/content: ./
2008/04/28/ 2008/06/20/ 2009/02/10/ 2009/08/04/ cache/ docs/
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Dec 19 16:43:08 2013
@@ -99,13 +99,7 @@ Apache CXF -- JAX-RS OAuth2
<div id="wrapper-menu-page-bottom">
<div id="menu-page">
<!-- NavigationBar -->
-<div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape
="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul>
-
-
-<hr>
-<ul class="alternate"><li>Search<br clear="none">
-
-<form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
+<div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape
="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
<div>
<input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
<input type="hidden" name="ie" value="UTF-8">
@@ -113,13 +107,7 @@ Apache CXF -- JAX-RS OAuth2
<input type="submit" name="sa" value="Search">
</div>
</form>
-<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script>
-</li></ul>
-
-
-<hr>
-<ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul>
-</div>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script><hr><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul></div>
<!-- NavigationBar -->
</div>
</div>
@@ -129,16 +117,13 @@ Apache CXF -- JAX-RS OAuth2
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> JAX-RS: OAuth2 </span></p><p></p>
-
-
-<style type="text/css">/*<![CDATA[*/
-div.rbtoc1387228362169 {padding: 0px;}
-div.rbtoc1387228362169 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1387228362169 li {margin-left: 0px;padding-left: 0px;}
+<div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1387471155027 {padding: 0px;}
+div.rbtoc1387471155027 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1387471155027 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style><div class="toc-macro rbtoc1387228362169">
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
+/*]]>*/</style></p><div class="toc-macro rbtoc1387471155027">
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-OOBResponse">OOB Response</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code acquisition with redirect URI</a></li></ul>
@@ -155,94 +140,20 @@ div.rbtoc1387228362169 li {margin-left:
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul>
</li></ul>
-</div>
-
-<h1 id="JAX-RSOAuth2-Introduction">Introduction</h1>
-
-<p>CXF provides the implementation of <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc6749" rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth 1.0.</p>
-
-<p>Authorization Code, Implicit, Client Credentials, Resource Owner Password Credentials, Refresh Token and SAML2 Assertions grants are currently supported.</p>
-
-<p>Custom grant handlers can be registered.</p>
-
-<p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping end users (resource owners) authorize third-party providers to access their resources.</p>
-
-<p>The OAuth2 flow which is closely related to the original OAuth 1.0 3-leg flow is called Authorization Code and involves 3 parties: the end user, the third party service (client) and the resource server which is protected by OAuth2 filters. Typically a client offers a service feature that an end user requests and which requires the former to access one or more protected resources on behalf of this user which are located at the resource server. For example, the client may need to access the end user's photos in order to print them and post to the user or read and possibly update a user's calendar in order to make a booking.</p>
-
-<p>In order to make it happen, the third-party service application/client needs to register itself with the OAuth2 server. This happens out-of-band and after the registration the client gets back a client key and secret pair. Typically the client is expected to provide the name and description of the application, the application logo URI, one or more redirect URIs, and other information that may help the OAuth2 authorization server to identify this client to the end user at the authorization time. </p>
-
-<p>From then on, the authorization code flow works like this:<br clear="none">
-1. End User requests the third-party service using a browser.</p>
-
-<p>2. The client redirects the end user to OAuth2 Authorization Service, adding its client id, the state, redirect URI and the optional scope to the target URI. The state parameter represents the current end user's request, redirect URI - where the authorization code is expected to be returned to, and the scope is the list of opaque permissions that the client needs in order to access the protected resources.</p>
-
-<p>3. Authorization Service will retrieve the information about the client using its client id, build an HTML form and return it to the end user. The form will ask the user if a given third-party application can be allowed to access some resources on behalf of this user. </p>
-
-<p>4. If the user approves it then Authorization Service will generate an authorization code and redirect the user back to the redirect uri provided by the client, also adding a state parameter to the redirect URI. </p>
-
-<p>5. The client requests an access token from OAuth2 Access Token Service by providing an authorization code grant.</p>
-
-<p>6. After getting an access token token, the service finally proceeds with accessing the current user's resources and completes the user's request.</p>
-
-<p>As you can see the flow can be complex yet it is very effective. A number of issues may need to be taken care along the way such as managing expired tokens, making sure that the OAuth2 security layer is functioning properly and is not interfering with the end user itself trying to access its own resources, etc.</p>
-
-<p>Please check the <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2" rel="nofollow">specification</a> and the <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/OAuth#OAuth_2.0" rel="nofollow">Wikipedia article</a> as well as other resources available on the WEB for more information you may need to know about OAuth2. </p>
-
-<p>CXF JAX-RS gives the best effort to making this process as simple as possible and requiring only a minimum effort on behalf of OAuth2 server developers. It also offers the utility code for greatly simplifying the way the third-party application can interact with the OAuth2 service endpoints.</p>
-
-<h1 id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-<dependency>
+</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>CXF provides the implementation of <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc6749" rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth 1.0.</p><p>Authorization Code, Implicit, Client Credentials, Resource Owner Password Credentials, Refresh Token and SAML2 Assertions grants are currently supported.</p><p>Custom grant handlers can be registered.</p><p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping end users (resource owners) authorize third-party providers to access their resources.</p><p>The OAuth2 flow which is closely related to the original OAuth 1.0 3-leg flow is called Authorization Code and involves 3 parties: the end user, the third party service (client) and the resource server which is protected by OAuth2 filters. Typically a client offers a service feature that an
end user requests and which requires the former to access one or more protected resources on behalf of this user which are located at the resource server. For example, the client may need to access the end user's photos in order to print them and post to the user or read and possibly update a user's calendar in order to make a booking.</p><p>In order to make it happen, the third-party service application/client needs to register itself with the OAuth2 server. This happens out-of-band and after the registration the client gets back a client key and secret pair. Typically the client is expected to provide the name and description of the application, the application logo URI, one or more redirect URIs, and other information that may help the OAuth2 authorization server to identify this client to the end user at the authorization time.</p><p>From then on, the authorization code flow works like this:<br clear="none"> 1. End User requests the third-party service using a browser.</p><p>2.
The client redirects the end user to OAuth2 Authorization Service, adding its client id, the state, redirect URI and the optional scope to the target URI. The state parameter represents the current end user's request, redirect URI - where the authorization code is expected to be returned to, and the scope is the list of opaque permissions that the client needs in order to access the protected resources.</p><p>3. Authorization Service will retrieve the information about the client using its client id, build an HTML form and return it to the end user. The form will ask the user if a given third-party application can be allowed to access some resources on behalf of this user.</p><p>4. If the user approves it then Authorization Service will generate an authorization code and redirect the user back to the redirect uri provided by the client, also adding a state parameter to the redirect URI.</p><p>5. The client requests an access token from OAuth2 Access Token Service by providing an aut
horization code grant.</p><p>6. After getting an access token token, the service finally proceeds with accessing the current user's resources and completes the user's request.</p><p>As you can see the flow can be complex yet it is very effective. A number of issues may need to be taken care along the way such as managing expired tokens, making sure that the OAuth2 security layer is functioning properly and is not interfering with the end user itself trying to access its own resources, etc.</p><p>Please check the <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2" rel="nofollow">specification</a> and the <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/OAuth#OAuth_2.0" rel="nofollow">Wikipedia article</a> as well as other resources available on the WEB for more information you may need to know about OAuth2.</p><p>CXF JAX-RS gives the best effort to making this process as simple as possible and requiring only a minimum ef
fort on behalf of OAuth2 server developers. It also offers the utility code for greatly simplifying the way the third-party application can interact with the OAuth2 service endpoints.</p><h1 id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-security-oauth2</artifactId>
<version>2.7.5</version>
</dependency>
]]></script>
-</div></div>
-
-<h1 id="JAX-RSOAuth2-ClientRegistration">Client Registration</h1>
-
-<p>Client Registration is typically done out of band (OAuth2 experts are also finalizing the dynamic client registration).<br clear="none">
-The client registration service will offer an HTML form where the clients will enter their details, see a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a> bean for the currently supported properties. <br clear="none">
-Note CXF may offer an abstract client registration service in the future to minimize the effort to get the custom registration service created from scratch. </p>
-
-<h1 id="JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</h1>
-
-<p>OAuth2 server is the core piece of the complete OAuth2-based solution. Typically it contains 2 services for:<br clear="none">
-1. Authorizing request tokens by asking the end users to let clients access some of their resources and returning the<br clear="none">
- grants back to the client (Authorization Service)<br clear="none">
-2. Exchanging the token grants for access tokens (Access Token Service)</p>
-
-<p>CXF offers several JAX-RS service implementations that can be used to create the OAuth2 servers fast: <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a> for managing the redirection-based flows, as well as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java">AccessTokenService</a> for exchanging the grants for new tokens.</p>
-
-<p>Note that some grants that do not require the redirection-based support, such as SAML2 one, etc, may only require an Access Token Service be operational.</p>
-
-<p>All of these services rely on the custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a> which persists the access tokens and converts the opaque scope values to the information that can be presented to the users. Additionally, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a> is an OAuthDataProvider which can keep temporary information about the authorization code grants which needs to be removed after the tokens are requested in exchange.</p>
-
-<p>Writing your own OAuthDataProvider implementation is what is needed to get the OAuth2 server up and running. In many cases all you need to do is to persist or remove the Authorization Code Grant data, use one of the available utility classes to create a new access token and also persist it or remove the expired one, and finally convert the optional opaque scope values (if any are supported) to a more view-able information.</p>
-
-<h2 id="JAX-RSOAuth2-AuthorizationService">Authorization Service</h2>
-
-<p>The main responsibility of OAuth2 Authorization Service is to present an end user with a form asking the user to allow or deny the client accessing some of the user resources. CXF offers <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a> for accepting the redirection requests, challenging the end users with the authorization forms, handling the end user decisions and returning the results back to the clients. </p>
-
-<p>One of the differences between the AuthorizationCode and Implicit flows is that in the latter case the grant is the actual access token which is returned as the URI fragment value. The way the end user is asked to authorize the client request is similar between the two flows. In this section we will assume that the Authorization Code flow is being exercized.</p>
-
-<p>A third-party client redirects the current user to AuthorizationCodeGrantService, for example, here is how a redirection may happen:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-Response-Code: 303
+</div></div><h1 id="JAX-RSOAuth2-ClientRegistration">Client Registration</h1><p>Client Registration is typically done out of band (OAuth2 experts are also finalizing the dynamic client registration).<br clear="none"> The client registration service will offer an HTML form where the clients will enter their details, see a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a> bean for the currently supported properties. <br clear="none"> Note CXF may offer an abstract client registration service in the future to minimize the effort to get the custom registration service created from scratch.</p><h1 id="JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</h1><p>OAuth2 server is the core piece of the complete OAuth2-based solution. Typically it contains 2 services for:<br clear="none"> 1. Authorizing request tokens by asking the en
d users to let clients access some of their resources and returning the<br clear="none"> grants back to the client (Authorization Service)<br clear="none"> 2. Exchanging the token grants for access tokens (Access Token Service)</p><p>CXF offers several JAX-RS service implementations that can be used to create the OAuth2 servers fast: <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a> for managing the redirection-based flows, as well as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/m
ain/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java">AccessTokenService</a> for exchanging the grants for new tokens.</p><p>Note that some grants that do not require the redirection-based support, such as SAML2 one, etc, may only require an Access Token Service be operational.</p><p>All of these services rely on the custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a> which persists the access tokens and converts the opaque scope values to the information that can be presented to the users. Additionally, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a> is an OAuthDataProvider which can
keep temporary information about the authorization code grants which needs to be removed after the tokens are requested in exchange.</p><p>Writing your own OAuthDataProvider implementation is what is needed to get the OAuth2 server up and running. In many cases all you need to do is to persist or remove the Authorization Code Grant data, use one of the available utility classes to create a new access token and also persist it or remove the expired one, and finally convert the optional opaque scope values (if any are supported) to a more view-able information.</p><h2 id="JAX-RSOAuth2-AuthorizationService">Authorization Service</h2><p>The main responsibility of OAuth2 Authorization Service is to present an end user with a form asking the user to allow or deny the client accessing some of the user resources. CXF offers <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/
services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a> for accepting the redirection requests, challenging the end users with the authorization forms, handling the end user decisions and returning the results back to the clients.</p><p>One of the differences between the AuthorizationCode and Implicit flows is that in the latter case the grant is the actual access token which is returned as the URI fragment value. The way the end user is asked to authorize the client request is similar between the two flows. In this section we will assume that the Authorization Code flow is being exercized.</p><p>A third-party client redirects the current user to AuthorizationCodeGrantService, for example, here is how a redirection may happen:</p>
<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[Response-Code: 303
Headers: {Location=[http://localhost:8080/services/social/authorize?client_id=123456789&scope=updateCalendar-7&response_type=code&redirect_uri=http%3A//localhost%3A8080/services/reservations/reserve/complete&state=1], Date=[Thu, 12 Apr 2012 12:26:21 GMT], Content-Length=[0]}
]]></script>
-</div></div>
-
-<p>The client application asks the current user (the browser) to go to a new address provided by the Location header and the follow-up request to AuthorizationCodeGrantService will look like this:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-Address: http://localhost:8080/services/social/authorize?client_id=123456789&scope=updateCalendar-7&response_type=code&redirect_uri=http%3A//localhost%3A8080/services/reservations/reserve/complete&state=1
+</div></div><p>The client application asks the current user (the browser) to go to a new address provided by the Location header and the follow-up request to AuthorizationCodeGrantService will look like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[Address: http://localhost:8080/services/social/authorize?client_id=123456789&scope=updateCalendar-7&response_type=code&redirect_uri=http%3A//localhost%3A8080/services/reservations/reserve/complete&state=1
Http-Method: GET
Headers: {
Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],
@@ -252,45 +163,16 @@ Referer=[http://localhost:8080/services/
...
}
]]></script>
-</div></div>
-
-<p>Note that the end user needs to authenticate. The Request URI includes the client_id, custom scope value, response_type set to 'code', the current request state and the redirect uri. Note the scope is optional - the Authorization Service will usually allocate a default scope; however even if the client does include an additional custom scope the end user may still not approve it. The redirect uri is also optional, assuming one or more ones redirect URIs have been provided at the client registration time.</p>
-
-<p>AuthorizationCodeGrantService will report a warning is no secure HTTPS transport is used:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-12-Apr-2012 13:26:21 org.apache.cxf.rs.security.oauth2.services.AbstractOAuthService checkTransportSecurity
+</div></div><p>Note that the end user needs to authenticate. The Request URI includes the client_id, custom scope value, response_type set to 'code', the current request state and the redirect uri. Note the scope is optional - the Authorization Service will usually allocate a default scope; however even if the client does include an additional custom scope the end user may still not approve it. The redirect uri is also optional, assuming one or more ones redirect URIs have been provided at the client registration time.</p><p>AuthorizationCodeGrantService will report a warning is no secure HTTPS transport is used:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[12-Apr-2012 13:26:21 org.apache.cxf.rs.security.oauth2.services.AbstractOAuthService checkTransportSecurity
WARNING: Unsecure HTTP, Transport Layer Security is recommended
]]></script>
-</div></div>
-
-<p>It can also be configured to reject the requests over un-secure HTTP transport.</p>
-
-<p>AuthorizationCodeGrantService will retrieve the information about the <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">client application</a> to populate an instance of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a> bean and return it. OAuthAuthorizationData contains application name and URI properties, optional list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s and other properties which can be either presented to the user or kept in the hidden form fields in order to uniquely identify the actual
authorization request when the end user returns the decision. </p>
-
-<p>One important OAuthAuthorizationData property is "authenticityToken". It is used for validating that the current session has not been hijacked - AuthorizationCodeGrantService generates a random key, stores it in a Servlet HTTPSession instance and expects the returned authenticityToken value to match it - this is a recommended approach and it also implies that the authenticityToken value is hidden from a user, for example, it's kept in a 'hidden' form field. The other properties which are meant to be hidden are clientId, state, redirectUri, proposedScope.</p>
-
-<p>The helper "replyTo" property is an absolute URI identifying the AuthorizationCodeGrantService handler processing the user decision and can be used by view handlers when building the forms or by other OAuthAuthorizationData handlers.</p>
-
-<p>So the populated OAuthAuthorizationData is finally returned. Note that it's a JAXB XMLRootElement-annotated bean and can be processed by registered JAXB or JSON providers given that AuthorizationCodeGrantService supports producing "application/xml" and "application/json" (See the OAuth Without Browser section below for more). But in this case we have the end user working with a browser so an HTML form is what is really expected back.</p>
-
-<p>AuthorizationCodeGrantService supports producing "text/html" and simply relies on a registered <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider">RequestDispatcherProvider</a> to set the OAuthAuthorizationData bean as an HttpServletRequest attribute and redirect the response to a view handler (can be JSP or some other servlet) to actually build the form and return it to the user. Alternatively, registering <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-advanced-xml.html#JAX-RSAdvancedXML-XSLTsupport">XSLTJaxbProvider</a> would also be a good option for creating HTML views. </p>
-
-<p>Assuming RequestDispatcherProvider is used, the following example log shows the initial response from AuthorizationCodeGrantService:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-12-Apr-2012 13:26:21 org.apache.cxf.jaxrs.provider.RequestDispatcherProvider logRedirection
+</div></div><p>It can also be configured to reject the requests over un-secure HTTP transport.</p><p>AuthorizationCodeGrantService will retrieve the information about the <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">client application</a> to populate an instance of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a> bean and return it. OAuthAuthorizationData contains application name and URI properties, optional list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s and other properties which can be either
presented to the user or kept in the hidden form fields in order to uniquely identify the actual authorization request when the end user returns the decision.</p><p>One important OAuthAuthorizationData property is "authenticityToken". It is used for validating that the current session has not been hijacked - AuthorizationCodeGrantService generates a random key, stores it in a Servlet HTTPSession instance and expects the returned authenticityToken value to match it - this is a recommended approach and it also implies that the authenticityToken value is hidden from a user, for example, it's kept in a 'hidden' form field. The other properties which are meant to be hidden are clientId, state, redirectUri, proposedScope.</p><p>The helper "replyTo" property is an absolute URI identifying the AuthorizationCodeGrantService handler processing the user decision and can be used by view handlers when building the forms or by other OAuthAuthorizationData handlers.</p><p>So the populated OAuthAu
thorizationData is finally returned. Note that it's a JAXB XMLRootElement-annotated bean and can be processed by registered JAXB or JSON providers given that AuthorizationCodeGrantService supports producing "application/xml" and "application/json" (See the OAuth Without Browser section below for more). But in this case we have the end user working with a browser so an HTML form is what is really expected back.</p><p>AuthorizationCodeGrantService supports producing "text/html" and simply relies on a registered <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider">RequestDispatcherProvider</a> to set the OAuthAuthorizationData bean as an HttpServletRequest attribute and redirect the response to a view handler (can be JSP or some other servlet) to actually build the form and return it to the user. Alternatively, registering <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-advanced-xml.html#JAX-RSAdvancedXML-XSLT
support">XSLTJaxbProvider</a> would also be a good option for creating HTML views.</p><p>Assuming RequestDispatcherProvider is used, the following example log shows the initial response from AuthorizationCodeGrantService:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[12-Apr-2012 13:26:21 org.apache.cxf.jaxrs.provider.RequestDispatcherProvider logRedirection
INFO: Setting an instance of "org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData" as HttpServletRequest attribute "data" and redirecting the response to "/forms/oauthAuthorize.jsp".
]]></script>
-</div></div>
-
-<p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML view - this is a custom JSP handler and whatever HTML view is required can be created there, using the OAuthAuthorizationData bean for building the view. Most likely you will want to present a form asking the user to allow or deny the client accessing some of this user's resources. If OAuthAuthorizationData has a list of Permissions set then adding the information about the permissions is needed.</p>
-
-<p>Next the user makes a decision and selects a button allowing or denying the client accessing the resources. The form data are submitted to AuthorizationCodeGrantService: </p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-Address: http://localhost:8080/services/social/authorize/decision
+</div></div><p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML view - this is a custom JSP handler and whatever HTML view is required can be created there, using the OAuthAuthorizationData bean for building the view. Most likely you will want to present a form asking the user to allow or deny the client accessing some of this user's resources. If OAuthAuthorizationData has a list of Permissions set then adding the information about the permissions is needed.</p><p>Next the user makes a decision and selects a button allowing or denying the client accessing the resources. The form data are submitted to AuthorizationCodeGrantService:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[Address: http://localhost:8080/services/social/authorize/decision
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/x-www-form-urlencoded
@@ -303,29 +185,15 @@ Content-Type=[application/x-www-form-url
12-Apr-2012 15:36:29 org.apache.cxf.jaxrs.utils.FormUtils logRequestParametersIfNeeded
INFO: updateCalendar-7_status=allow&readCalendar_status=allow&scope=updateCalendar-7+readCalendar&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete&session_authenticity_token=4f0005d9-565f-4309-8ffb-c13c72139ebe&oauthDecision=allow&state=1&client_id=123456789
]]></script>
-</div></div>
-
-<p>AuthorizationCodeGrantService will use a 'session_authenticity_token' to validate that the session is valid and will process the user decision next. </p>
-
-<p>If the decision is "allow" then it will check the status of the individual scope values. It relies on the "scopename_status" convention, if the form has offered the user a chance to selectively enable individual scopes then name/value pairs such as "updateCalendar-7_status=allow" are submitted. If none of such pairs is coming back then it means the user has approved all the default and additional (if any) scopes.</p>
-
-<p>Next it will ask OAuthDataProvider to generate an authorization code grant and return it alongside with the state if any by redirecting the current user back to the redirect URI:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-Response-Code: 303
+</div></div><p>AuthorizationCodeGrantService will use a 'session_authenticity_token' to validate that the session is valid and will process the user decision next.</p><p>If the decision is "allow" then it will check the status of the individual scope values. It relies on the "scopename_status" convention, if the form has offered the user a chance to selectively enable individual scopes then name/value pairs such as "updateCalendar-7_status=allow" are submitted. If none of such pairs is coming back then it means the user has approved all the default and additional (if any) scopes.</p><p>Next it will ask OAuthDataProvider to generate an authorization code grant and return it alongside with the state if any by redirecting the current user back to the redirect URI:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[Response-Code: 303
Headers: {
Location=[http://localhost:8080/services/reservations/reserve/complete?state=1&code=5c993144b910bccd5977131f7d2629ab],
Date=[Thu, 12 Apr 2012 14:36:29 GMT],
Content-Length=[0]}
]]></script>
-</div></div>
-
-<p>which leads to a browser redirecting the user:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-Address: http://localhost:8080/services/reservations/reserve/complete?state=1&code=5c993144b910bccd5977131f7d2629ab
+</div></div><p>which leads to a browser redirecting the user:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[Address: http://localhost:8080/services/reservations/reserve/complete?state=1&code=5c993144b910bccd5977131f7d2629ab
Http-Method: GET
Headers: {
Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],
@@ -333,50 +201,12 @@ Authorization=[Basic YmFycnlAcmVzdGF1cmF
Cookie=[JSESSIONID=1c289vha0cxfe],
}
]]></script>
-</div></div>
-
-<p>If a user decision was set to "deny" then the error will be returned to the client.</p>
-
-<p>Assuming the decision was "allow", the client has now received back the authorization code grant and is ready to exchange it for a new access token.</p>
-
-<h3 id="JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</h3>
-
-<p>You may want to display a resource owner/end user name in the authorization form this user will be facing, you can get org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider registered with either AuthorizationCodeGrantService or ImplicitGrantService.<br clear="none">
-org.apache.cxf.rs.security.oauth2.provider.DefaultResourceOwnerNameProvider, if registered, will return an actual login name, the custom implementations may choose to return a complete user name instead, etc. </p>
-
-<h3 id="JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices) </h3>
-
-<p>CXF 2.7.7 provides an initial support for public clients (such as various mobile devices).</p>
-
-<p>Client can be 'public' if it has been registered as a public client with no client secret the service itself has a "canSupportPublicClients" property enabled. The same property will also have to be enabled on AccessTokenService (described in the next section) for a public client without a secret be able to exchange a code grant for an access token.</p>
-
-<h4 id="JAX-RSOAuth2-OOBResponse">OOB Response</h4>
-
-<p>If a public client has not registered a redirect URI with the Authorization service then the authorization code can be returned out-of-band (OOB), see <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a> bean. By default, it is returned directly to the end user, unless a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OOBResponseDeliverer.java">OOBResponseDeliverer</a> is registered with AuthorizationCodeGrantService which may deliver it to the client via some custom back channel. </p>
-
-<p>Having OOB responses supported is useful when a public client (typically a device which can not keep the client secrets and where no redirect URI is supported) needs to get a code grant. What will happen is that a device owner will send a request to Authorization Service which may look like this:</p>
-<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
+</div></div><p>If a user decision was set to "deny" then the error will be returned to the client.</p><p>Assuming the decision was "allow", the client has now received back the authorization code grant and is ready to exchange it for a new access token.</p><h3 id="JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</h3><p>You may want to display a resource owner/end user name in the authorization form this user will be facing, you can get org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider registered with either AuthorizationCodeGrantService or ImplicitGrantService.<br clear="none"> org.apache.cxf.rs.security.oauth2.provider.DefaultResourceOwnerNameProvider, if registered, will return an actual login name, the custom implementations may choose to return a complete user name instead, etc.</p><h3 id="JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</h3><p>CXF 2.7.7 provides an initial support for public clients (such as various
mobile devices).</p><p>Client can be 'public' if it has been registered as a public client with no client secret the service itself has a "canSupportPublicClients" property enabled. The same property will also have to be enabled on AccessTokenService (described in the next section) for a public client without a secret be able to exchange a code grant for an access token.</p><h4 id="JAX-RSOAuth2-OOBResponse">OOB Response</h4><p>If a public client has not registered a redirect URI with the Authorization service then the authorization code can be returned out-of-band (OOB), see <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a> bean. By default, it is returned directly to the end user, unless a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oa
uth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OOBResponseDeliverer.java">OOBResponseDeliverer</a> is registered with AuthorizationCodeGrantService which may deliver it to the client via some custom back channel.</p><p>Having OOB responses supported is useful when a public client (typically a device which can not keep the client secrets and where no redirect URI is supported) needs to get a code grant. What will happen is that a device owner will send a request to Authorization Service which may look like this:</p><div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>GET
http://localhost:8080/services/social/authorize?client_id=mobileClient&response_type=code
</pre>
-</div></div>
-
-<p>Assuming the 'mobileClient' has been registered as public one with no secret and the service has been set up to support such clients, the end user will get a chance to authorize this client the same way it can do confidential clients, and after this user gets back a code (delivered directly in the response HTML page by default) the user will enter the code securely into the device which will then replace it for a time-scoped access token by contacting AccessTokenService. </p>
-
-<h4 id="JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code acquisition with redirect URI</h4>
-
-<p>The following <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01" rel="nofollow">extension</a> is supported to help public clients with redirect URIs to accept the code securely.<br clear="none">
-Note this extension will likely introduce the HMAC calculation in the next drafts, but the current approach can already help. </p>
-
-
-<h2 id="JAX-RSOAuth2-AccessTokenService">AccessTokenService </h2>
-
-<p>The role of AccessTokenService is to exchange a token grant for a new access token which will be used by the client to access the end user's resources. <br clear="none">
-Here is an example request log:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-Address: http://localhost:8080/services/oauth/token
+</div></div><p>Assuming the 'mobileClient' has been registered as public one with no secret and the service has been set up to support such clients, the end user will get a chance to authorize this client the same way it can do confidential clients, and after this user gets back a code (delivered directly in the response HTML page by default) the user will enter the code securely into the device which will then replace it for a time-scoped access token by contacting AccessTokenService.</p><h4 id="JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code acquisition with redirect URI</h4><p>The following <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01" rel="nofollow">extension</a> is supported to help public clients with redirect URIs to accept the code securely.<br clear="none"> Note this extension will likely introduce the HMAC calculation in the next drafts, but the current approach can already help.</p><h2 id="JAX-RSOAuth2-
AccessTokenService">AccessTokenService</h2><p>The role of AccessTokenService is to exchange a token grant for a new access token which will be used by the client to access the end user's resources. <br clear="none"> Here is an example request log:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[Address: http://localhost:8080/services/oauth/token
Http-Method: POST
Headers: {
@@ -388,22 +218,8 @@ Payload:
grant_type=authorization_code&code=5c993144b910bccd5977131f7d2629ab&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete
]]></script>
-</div></div>
-
-<p>This request contains a client_id and client_secret (Authorization header), the grant_type, the grant value (code)<br clear="none">
-plus the redirect URI the authorization grant was returned to which is needed for the additional validation.<br clear="none">
-Note that the alternative client authentication methods are also possible, in this case the token service will expect a mapping between the client credentials and the client_id representing the client registration available.</p>
-
-<p>After validating the request, the service will find a matching <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java">AccessTokenGrantHandler</a> and request to create a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java">ServerAccessToken</a> which is a server-side representation of the access token.<br clear="none">
-The grant handlers, such as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java">AuthorizationCodeGrantHandler</a> may delegate the creation of the actual access token to data providers, which may create Bearer or MAC tokens with the help of utility classes shipped with CXF or depend on other 3rd party token libraries.</p>
-
-<p>The data providers do not strictly required to persist the data such as access tokens, instead the token key may act as an encrypted bag capturing all the relevant information.</p>
-
-<p>Now that the token has been created, it is mapped by the service to a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java">client representation</a> and is returned back as a JSON payload:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-Response-Code: 200
+</div></div><p>This request contains a client_id and client_secret (Authorization header), the grant_type, the grant value (code)<br clear="none"> plus the redirect URI the authorization grant was returned to which is needed for the additional validation.<br clear="none"> Note that the alternative client authentication methods are also possible, in this case the token service will expect a mapping between the client credentials and the client_id representing the client registration available.</p><p>After validating the request, the service will find a matching <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java">AccessTokenGrantHandler</a> and request to create a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/c
ommon/ServerAccessToken.java">ServerAccessToken</a> which is a server-side representation of the access token.<br clear="none"> The grant handlers, such as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java">AuthorizationCodeGrantHandler</a> may delegate the creation of the actual access token to data providers, which may create Bearer or MAC tokens with the help of utility classes shipped with CXF or depend on other 3rd party token libraries.</p><p>The data providers do not strictly required to persist the data such as access tokens, instead the token key may act as an encrypted bag capturing all the relevant information.</p><p>Now that the token has been created, it is mapped by the service to a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/
main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java">client representation</a> and is returned back as a JSON payload:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[Response-Code: 200
Content-Type: application/json
Headers: {
Cache-Control=[no-store],
@@ -416,12 +232,8 @@ Payload:
{"access_token":"5b5c8e677413277c4bb8b740d522b378", "token_type":"bearer"}
]]></script>
-</div></div>
-
-<p>The client will use this access token to access the current user's resources in order to complete the original user's request, for example, the request to access a user's calendar may look like this:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-Address: http://localhost:8080/services/thirdPartyAccess/calendar
+</div></div><p>The client will use this access token to access the current user's resources in order to complete the original user's request, for example, the request to access a user's calendar may look like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[Address: http://localhost:8080/services/thirdPartyAccess/calendar
Http-Method: GET
Headers:
{
@@ -429,21 +241,8 @@ Headers:
Accept=[application/xml]
}
]]></script>
-</div></div>
-
-<p>Note that the access token key is passed as the Bearer scheme value. Other token types such as MAC ones, etc, can be represented differently.</p>
-
-<h3 id="JAX-RSOAuth2-AccessTokenTypes">Access Token Types</h3>
-
-<p>As mentioned above, AccessTokenService can work with whatever token is created by a given data provider. This section provides more information on how CXF may help with supporting Bearer and MAC tokens. </p>
-
-<h4 id="JAX-RSOAuth2-Bearer">Bearer</h4>
-
-<p>The following code fragment shows how a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/bearer/BearerAccessToken.java">BearerAccessToken</a> utility class can be used to create Bearer tokens:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
+</div></div><p>Note that the access token key is passed as the Bearer scheme value. Other token types such as MAC ones, etc, can be represented differently.</p><h3 id="JAX-RSOAuth2-AccessTokenTypes">Access Token Types</h3><p>As mentioned above, AccessTokenService can work with whatever token is created by a given data provider. This section provides more information on how CXF may help with supporting Bearer and MAC tokens.</p><h4 id="JAX-RSOAuth2-Bearer">Bearer</h4><p>The following code fragment shows how a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/bearer/BearerAccessToken.java">BearerAccessToken</a> utility class can be used to create Bearer tokens:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
@@ -467,20 +266,8 @@ public class CustomOAuthDataProvider imp
// other methods are not shown
}
]]></script>
-</div></div>
-
-<p>CustomOAuthDataProvider will also be asked by OAuthRequestFilter to validate the incoming Bearer tokens given that they typically act as database key or key alias, if no Bearer token validator is registered.</p>
-
-<h4 id="JAX-RSOAuth2-MAC">MAC</h4>
-
-<p>CXF 2.6.2 supports MAC tokens as specified in the latest <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01" rel="nofollow">MAC Access Authentication draft</a>. MAC tokens offer an option for clients to demonstrate they 'hold' the token secret issued to them by AccessTokenService.<br clear="none">
-It is recommended that AccessTokenService endpoint issuing MAC tokens enforces a two-way TLS for an extra protection of the MAC token data returned to clients.</p>
-
-<p>The following code fragment shows how a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/MacAccessToken.java">MacAccessToken</a> utility class can be used to create MAC tokens:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
+</div></div><p>CustomOAuthDataProvider will also be asked by OAuthRequestFilter to validate the incoming Bearer tokens given that they typically act as database key or key alias, if no Bearer token validator is registered.</p><h4 id="JAX-RSOAuth2-MAC">MAC</h4><p>CXF 2.6.2 supports MAC tokens as specified in the latest <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01" rel="nofollow">MAC Access Authentication draft</a>. MAC tokens offer an option for clients to demonstrate they 'hold' the token secret issued to them by AccessTokenService.<br clear="none"> It is recommended that AccessTokenService endpoint issuing MAC tokens enforces a two-way TLS for an extra protection of the MAC token data returned to clients.</p><p>The following code fragment shows how a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/m
ac/MacAccessToken.java">MacAccessToken</a> utility class can be used to create MAC tokens:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.tokens.mac.HmacAlgorithm;
import org.apache.cxf.rs.security.oauth2.tokens.mac.MacAccessToken;
@@ -504,13 +291,8 @@ public class CustomOAuthDataProvider imp
// other methods are not shown
}
]]></script>
-</div></div>
-
-<p>One can expect the following response:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-Response-Code: 200
+</div></div><p>One can expect the following response:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[Response-Code: 200
Content-Type: application/json
Headers: {
Cache-Control=[no-store],
@@ -522,17 +304,8 @@ Payload:
{"access_token":"5b5c8e677413277c4bb8b740d522b378", "token_type":"mac", "mac_key"="1234568", "mac_algorithm"="hmac-sha-1"}
]]></script>
-</div></div>
-
-<p>Note that 'access_token' is the MAC key identifier.</p>
-
-<p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/MacAccessTokenValidator.java">MacAccessTokenValidator</a> has to be registered with OAuthRequestFilter for validating the incoming MAC tokens. This validator can get a reference to custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifier.java">NonceVerifier</a> with CXF possibly shipping a default implementation in the future.</p>
-
-<p>The client can use CXF OAuthClientUtils to create Authorization MAC headers. All is needed is to provide references to ClientAccessToken representing the MAC token issued by AccessTokenService and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/HttpRequestProperties.java">HttpRequestProperties</a> capturing the information about the current request URI:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-String requestURI = "http://localhost:8080/calendar";
+</div></div><p>Note that 'access_token' is the MAC key identifier.</p><p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/MacAccessTokenValidator.java">MacAccessTokenValidator</a> has to be registered with OAuthRequestFilter for validating the incoming MAC tokens. This validator can get a reference to custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifier.java">NonceVerifier</a> with CXF possibly shipping a default implementation in the future.</p><p>The client can use CXF OAuthClientUtils to create Authorization MAC headers. All is needed is to provide references to ClientAccessToken representing the MAC token issued by AccessTokenService and <a shape="rect" class="external-link" href="http://svn.apache.org/re
pos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/HttpRequestProperties.java">HttpRequestProperties</a> capturing the information about the current request URI:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[String requestURI = "http://localhost:8080/calendar";
WebClient wc = WebClient.create(requestURI);
// represents client registration
@@ -546,13 +319,8 @@ wc.header("Authorization", aut
Calendar calendar = wc.get(Calendar.class);
]]></script>
-</div></div>
-
-<p>This code will result in something like:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-GET /calendar HTTP/1.1
+</div></div><p>This code will result in something like:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[GET /calendar HTTP/1.1
Host: localhost
Accept: application/xml
Authorization: MAC id="5b5c8e677413277c4bb8b740d522b378",
@@ -560,140 +328,16 @@ Authorization: MAC id="5b5c8e677413
mac="W7bdMZbv9UWOTadASIQHagZyirA="
ts="12345678"
]]></script>
-</div></div>
-
-<p>where 'ts' attribute is used to pass a timestamp value.</p>
-
-<h4 id="JAX-RSOAuth2-CustomandEncryptedtokens">Custom and Encrypted tokens</h4>
-
-<p>If needed, users can use their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.common.ServerAccessToken. </p>
-
-<p>CXF implementations of Bearer and Access token types can also be extended if required. For example, typically the access token data will be persisted in the database. One possible option is to experiment with actually encrypting the state of the token within the token id itself and returning it to the client and then decrypting it when OAuthDataProvider is requested to get ServerAccessToken representation of the current token identifier.</p>
-
-<p>The cost of encrypting and decrypting will add up to the processing time - however the provider will not be actually responsible for storing the access token details which can start making a difference with a high number of clients.</p>
-
-<h4 id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and Audience</h4>
-
-<p>Starting from CXF 2.7.7 an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00" rel="nofollow">audience</a> parameter is supported during the client token requests.</p>
-
-
-<h3 id="JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService </h3>
-<p>The <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a> is a CXF specific OAuth2 service for accepting the remote access token validation requests. Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party client and will ask AccessTokenValidationService to return the information relevant to the current access token, before setting up a security context. More on it below.</p>
-
-<h2 id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2>
-
-<p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java">TokenRevocationService</a> is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh tokens they own themselves, please see <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09" rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p>
-
-<p>TokenRevocationService and AccessTokenService share the same code which enforces that the clients have been correctly authenticated.</p>
-
-<p>Note, OAuthDataProvider implementations processing a revocation request should simply ignore the invalid tokens as recommended by the specification which will let TokenRevocationService return HTTP 200 which is done to minimize a possible attack surface (specifically for bad clients not to see if their requests failed or succeeded) and throw the exceptions only if the token revocation feature is not currently supported.</p>
-
-
-<h2 id="JAX-RSOAuth2-SupportedGrants">Supported Grants</h2>
-
-<p>The following subsections briefly describe how the well-known grant types can be supported on the server side. Please also check the "Client Side Support" section on how to use the related <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java">AccessTokenGrant</a> implementations to request the access tokens.</p>
-
-<h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3>
-
-<p>As described above, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a> service and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a> data provider can support a redirection-based Authorization Code flow. </p>
-
-<p>The code that the client receives in the end of the redirection process will need to be exchanged for a new access token with AccessTokenService. CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a> bean to request a new access token with OAuthClientUtils.</p>
-
-
-<h3 id="JAX-RSOAuth2-Implicit">Implicit</h3>
-
-<p>Implicit grant is supported the same way Authorization Code grant is except that the response to the client running within a web browser is formatted differently, using URI fragments. </p>
-
-<p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a> service and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a> data provider can support a redirection-based Implicit flow. </p>
-
-<p>Note the only difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.</p>
-
-<p>Also note that when an Implicit grant client (running within a browser) replaces the code grant for a new access token and tries to access the end user's resource, Cross Origin Resource Sharing (CORS) support will most likely need to be enabled on the end user's resource server.<br clear="none">
-The simplest approach is to register a CXF <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-cors.html">CORS filter</a>, right before OAuth2 filter (see on it below).</p>
-
-<p>Starting from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client id to the browser-hosted client. This is recommended so that the client can verify that the token is meant to be delivered to this client. </p>
-
-<h3 id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3>
-
-<p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java">ClientCredentialsGrantHandler</a> handler with AccessTokenService for this grant be supported.</p>
-
-<p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java">ClientCredentialsGrant</a> bean to request a new access token with OAuthClientUtils.</p>
-
-
-<h3 id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</h3>
-
-<p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java">ResourceOwnerGrantHandler</a> handler with AccessTokenService for this grant be supported.</p>
-
-<p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java">ResourceOwnerGrant</a> bean to request a new access token with OAuthClientUtils.</p>
-
-
-<h3 id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3>
-
-<p>The client can issue a refresh token grant if the current access token it owns has expired or been revoked and the refresh token was issued alongside with the access token which is now invalid and get the new, 'refreshed' access token. This can allow the client to avoid seeking a new authorization approval from the end user.</p>
-
-<p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java">RefreshTokenGrantHandler</a> handler with AccessTokenService for this grant be supported. Note this grant handler is only useful for refreshing the existing access token, so one or more of the other grant handlers (Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.</p>
-
-<p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrant.java">RefreshTokenGrant</a> bean to request a new access token with OAuthClientUtils.</p>
-
-<h3 id="JAX-RSOAuth2-Assertions">Assertions</h3>
-
-<p>SAML2 Bearer and JWT assertions can be used as token grants. </p>
-
-<p>Please see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for more information.</p>
-
-
-<h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3>
-
-<p>If you need to customize the way the well-known grant requests are handled then consider extending one of the grant handlers listed in the previous sub-sections. </p>
-
-<p>Alternatively create a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java">AccessTokenGrantHandler</a> and register it with AccessTokenService. Additionally, consider providing a related <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java">AccessTokenGrant</a> implementation for making it easy for the client code to request a new access token with this custom grant. </p>
-
-<h2 id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens </h2>
-
-<p>When working with the flows which require the end users/resource owners explicitly authorizing clients (for example, as in the case of redirection-based flows), using pre-authorized access tokens is one option to minimize the need for the end-user intervention. <br clear="none">
-OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists and if yes then it will be returned immediately, without starting the authorization process involving the end user (as required by some flows).</p>
-
-<p>Consider providing a user interface which will let the end users/resource owners to pre-authorize specific clients early. Note, a CXF service for supporting the users pre-authorizing the clients or revoking the tokens for some of the clients may be introduced in the future. </p>
-
-<p>Also note that using a refresh token grant may further help with minimizing the end user involvement, in cases when the current access token has expired.</p>
-
-<h2 id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2>
-
-<p>Clients can register custom scopes they will be expected to use and then avoid specifying the scopes when requesting the code grants or access tokens.<br clear="none">
-Alternatively it makes it easier to support so called wild-card scopes. For example, a client pre-registers a scope "update" and actually uses an "update-7" scope: Redirection-based services and access token grants can be configured to do a partial scope match, in this case, validate that "update-7" starts from "update"</p>
-
-<h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</h2>
-
-<p>Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a> implementation.</p>
-
-<p>The main task of OAuthDataProvider is to persist and generate access tokens. Additionally, as noted above, AuthorizationCodeDataProvider needs to persist and remove the code grant registrations. The way it's done is really application-specific. Consider starting with a basic memory based implementation and then move on to keeping the data in some DB.</p>
-
-<p>Note that OAuthDataProvider supports retrieving <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a> instances but it has no methods for creating or removing Clients. The reason for it is that the process of registering third-party clients is very specific to a particular OAuth2 application, so CXF does not offer a registration support service and hence OAuthDataProvider has no Client create/update methods. You will likely need to do something like this:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-public class CustomOAuthProvider implements OAuthDataProvider {
[... 348 lines stripped ...]
Modified: websites/production/cxf/content/docs/jax-rs-redirection.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-redirection.html (original)
+++ websites/production/cxf/content/docs/jax-rs-redirection.html Thu Dec 19 16:43:08 2013
@@ -34,6 +34,7 @@
<script src='/resources/highlighter/scripts/shCore.js'></script>
<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
+<script src='/resources/highlighter/scripts/shBrushPlain.js'></script>
<script>
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
@@ -99,13 +100,7 @@ Apache CXF -- JAX-RS Redirection
<div id="wrapper-menu-page-bottom">
<div id="menu-page">
<!-- NavigationBar -->
-<div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape
="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul>
-
-
-<hr>
-<ul class="alternate"><li>Search<br clear="none">
-
-<form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
+<div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape
="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
<div>
<input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
<input type="hidden" name="ie" value="UTF-8">
@@ -113,13 +108,7 @@ Apache CXF -- JAX-RS Redirection
<input type="submit" name="sa" value="Search">
</div>
</form>
-<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script>
-</li></ul>
-
-
-<hr>
-<ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul>
-</div>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&lang=en"></script><hr><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul></div>
<!-- NavigationBar -->
</div>
</div>
@@ -132,11 +121,11 @@ Apache CXF -- JAX-RS Redirection
<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> JAX-RS : Redirection </span></p><p></p>
<style type="text/css">/*<![CDATA[*/
-div.rbtoc1387228369456 {padding: 0px;}
-div.rbtoc1387228369456 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1387228369456 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1387471164634 {padding: 0px;}
+div.rbtoc1387471164634 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1387471164634 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style><div class="toc-macro rbtoc1387228369456">
+/*]]>*/</style><div class="toc-macro rbtoc1387471164634">
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSRedirection-WithRequestDispatcherProvider">With RequestDispatcherProvider</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSRedirection-Loggingredirects">Logging redirects</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSRedirection-WithCXFServlet">With CXFServlet</a></li><li><a shape="rect" href="#JAX-RSRedirection-CustomRedirection">Custom Redirection</a></li></ul>