Posted to users@cxf.apache.org by vishwanath <ak...@gmail.com> on 2019/07/28 07:43:42 UTC
Fediz OIDC
Dear All,
I need your guidance. Currently our organization is using CXF STS and Fediz
IDP, and I want to implement the Fediz OIDC flow for Angular applications as well. I
have the questions below and request you to clarify them.
1) I am able to test the authorization code flow and the implicit flow, but I
want to implement the OAuth PKCE flow. I received an authorization code from the first
step, but
the second step is still expecting client_secret along with code_verifier; as per the
OAuth standard, client_secret is not required for PKCE, right? Also, how do I
implement DigestCodeVerifier (RS256) instead of PlainCodeVerifier?
https://localhost:8443/oidc/idp/authorize?client_id=cQtfnlT6xwc4xQ&response_type=code&scope=openid&redirect_uri=https://localhost:8080/test&state=state-8600b31f-52d1-4dca-987c-386e3d8967e9&code_challenge_method=S256&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU&audience=https://zsoasec-racf.ch.zurich.com/zsoaidp-oidc/
2) Today the ID token is a JWT token. Which token should we use to make REST calls,
the access token or the ID token?
3) The JWT token generated by OIDC contains the audience (aud) claim, which by default is
assigned the value of the client id. Is there any specific reason?
Regards
Kashi
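The PKCE exchange described above, written out as an added example that is not part of the original post and not CXF or Fediz code: the client-side code_verifier/code_challenge derivation, the check the token endpoint has to perform on the presented verifier, and the secret-less form body a public client posts, all in plain Python against RFC 7636 rather than the CXF classes. The token-request body is a dict standing in for the HTTP form post (no HTTP client is assumed). The authorize URL is the one from the post; its code_challenge value is exactly base64url(SHA-256("")), i.e. it was derived from an empty code_verifier, which the same functions reproduce and which the verifier-length check refuses at the token endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse

# Authorize request copied from the post above; its client_id and code_challenge are reused below.
POSTED_AUTHORIZE_URL = (
    "https://localhost:8443/oidc/idp/authorize?client_id=cQtfnlT6xwc4xQ&response_type=code"
    "&scope=openid&redirect_uri=https://localhost:8080/test"
    "&state=state-8600b31f-52d1-4dca-987c-386e3d8967e9"
    "&code_challenge_method=S256&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU"
    "&audience=https://zsoasec-racf.ch.zurich.com/zsoaidp-oidc/"
)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy verifier. 32 random bytes encode to 43 characters,
    the minimum RFC 7636 allows (43..128 unreserved characters)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the challenge sent on the authorize request.
    S256 is the transformation the thread's DigestCodeVerifier stands for; plain is PlainCodeVerifier."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def challenge_from_authorize_url(url: str):
    """What the IdP stores alongside the issued code: the challenge and its method (default plain)."""
    q = parse_qs(urlparse(url).query)
    return q["code_challenge"][0], q.get("code_challenge_method", ["plain"])[0]


def verify_code_verifier(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier and compare it
    in constant time. The length is checked first, so an empty or short verifier never matches."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge(presented_verifier, stored_method), stored_challenge)


def public_client_token_request(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Form body a public (secret-less) client posts to the token endpoint: code_verifier
    takes the place of client_secret, so no client_secret field is sent at all."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def posted_challenge_is_empty_verifier() -> bool:
    """The challenge in the post equals S256 of the empty string, i.e. the browser client
    hashed an empty code_verifier before building the authorize request."""
    challenge, method = challenge_from_authorize_url(POSTED_AUTHORIZE_URL)
    return method == "S256" and challenge == code_challenge("", "S256")


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge(verifier)
    print("verifier :", verifier)
    print("challenge:", challenge)
    print("token endpoint accepts verifier:", verify_code_verifier(challenge, "S256", verifier))
    print("posted challenge came from an empty verifier:", posted_challenge_is_empty_verifier())
```

The server-side comparison is the whole point of PKCE: whoever redeems the code must present the pre-image of the stored challenge, which an interceptor of the authorization code never saw. An empty or fixed verifier gives an attacker that pre-image for free, so the length check belongs at the token endpoint as well as in the client.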
Re: Fediz OIDC
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,
Responses inline below.
On Sun, Jul 28, 2019 at 8:46 AM vishwanath <ak...@gmail.com> wrote:
>
> 1) I am able to test the authorization code flow and the implicit flow, but I
> want to implement the OAuth PKCE flow. I received an authorization code from the first
> step, but
> the second step is still expecting client_secret along with code_verifier; as per the
> OAuth standard, client_secret is not required for PKCE, right? Also, how do I
> implement DigestCodeVerifier (RS256) instead of PlainCodeVerifier?
>
>
> https://localhost:8443/oidc/idp/authorize?client_id=cQtfnlT6xwc4xQ&response_type=code&scope=openid&redirect_uri=https://localhost:8080/test&state=state-8600b31f-52d1-4dca-987c-386e3d8967e9&code_challenge_method=S256&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU&audience=https://zsoasec-racf.ch.zurich.com/zsoaidp-oidc/
>
I think this is just a matter of how you are setting up the service. See
here for a system test that puts the AccessTokenService on a separate endpoint
with no authentication requirements for public clients:
https://github.com/apache/cxf/blob/563b1ec1f5b2186003843d5e686cc764efa00bb3/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml#L131
To implement the DigestCodeVerifier you need to inject it into the
AuthorizationCodeGrantHandler, see here:
https://github.com/apache/cxf/blob/563b1ec1f5b2186003843d5e686cc764efa00bb3/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml#L148
> 2) Today the ID token is a JWT token. Which token should we use to make REST calls,
> the access token or the ID token?
>
Access Token. ID Token is only meant for the client.
>
> 3) The JWT token generated by OIDC contains the audience (aud) claim, which by default is
> assigned the value of the client id. Is there any specific reason?
>
Yes, the IdToken is targeted at the client.
Colm.
>
> Regards
> Kashi
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
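To make the second and third answers above concrete, an added example that is not code from the thread and not CXF or Fediz code: a resource-server bearer check in plain Python that accepts the access token and refuses the ID token, because the ID token's aud is the client_id and therefore names the client, not the REST service. The issuer, the resource audience and the fixed clock are hypothetical; the tokens are minted locally with a constructed HS256 key so the block runs offline, whereas a real service verifies the IdP's signature against the IdP's key.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical deployment values; CLIENT_ID is the client_id from the authorize URL in the post.
ISSUER = "https://localhost:8443/oidc/idp"
CLIENT_ID = "cQtfnlT6xwc4xQ"
RESOURCE_AUD = "https://localhost:8080/api"
# Constructed HS256 key so the example runs offline; a real resource server verifies the
# IdP's signature with the IdP's published key instead.
SIGNING_KEY = b"constructed-demo-key-do-not-deploy"
NOW = 1_564_300_000  # fixed clock (2019-07-28, the day of the post) so results are reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the IdP: HS256-sign a claim set (JWS compact serialization)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def sample_tokens(now: int = NOW):
    """The two tokens a code exchange returns: the ID token is addressed to the client
    (aud = client_id); the access token is addressed to the resource server."""
    base = {"iss": ISSUER, "sub": "kashi", "iat": now, "exp": now + 300}
    id_token = mint_jwt({**base, "aud": CLIENT_ID, "nonce": "n-0S6_WzA2Mj"})
    access_token = mint_jwt({**base, "aud": RESOURCE_AUD, "scope": "openid"})
    return id_token, access_token


def verify_bearer(token: str, expected_aud: str = RESOURCE_AUD, key: bytes = SIGNING_KEY, now=None):
    """Resource-server check for an 'Authorization: Bearer' token. Returns (accepted, detail).
    Algorithm, signature, issuer and expiry are checked, then the audience: a token whose aud
    is the client_id was issued for the client, not for this service, and is refused."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "undecodable token"
    if header.get("alg") != "HS256":  # never let the token pick an algorithm we did not expect
        return False, f"unexpected alg {header.get('alg')!r}"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired or missing exp"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, f"audience {audiences} is not this resource server"
    return True, claims["sub"]


if __name__ == "__main__":
    id_token, access_token = sample_tokens()
    print("access token as bearer:", verify_bearer(access_token, now=NOW))
    print("ID token as bearer    :", verify_bearer(id_token, now=NOW))
```

The audience check is what turns the aud claim from a curiosity into a control: if the REST service only validated signature and expiry, a stolen ID token (or any token minted for some other audience) would be accepted as readily as the access token actually issued for it.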