Posted to users@cxf.apache.org by vishwanath <ak...@gmail.com> on 2019/07/28 07:43:42 UTC

Fediz OIDC

Dear All,

I need your guidance. Currently our organization is using CXF STS and Fediz
IDP, and I want to implement the Fediz OIDC flow also for Angular applications. I
have the questions below and request you to clarify.

1) I am able to test the Authorization Code flow and the Implicit flow. But I
want to implement the OAuth PKCE flow. I received the authorization code from the
first step, but the second step is still expecting client_secret along with
code_verifier. As per the OAuth standard, client_secret is not required for PKCE,
right? Also, how do I implement DigestCodeVerifier (RS256) instead of
PlainCodeVerifier?

https://localhost:8443/oidc/idp/authorize?client_id=cQtfnlT6xwc4xQ&response_type=code&scope=openid&redirect_uri=https://localhost:8080/test&state=state-8600b31f-52d1-4dca-987c-386e3d8967e9&code_challenge_method=S256&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU&audience=https://zsoasec-racf.ch.zurich.com/zsoaidp-oidc/

2) Today the ID token is a JWT token. Which token should we use to call the REST
service, the access token or the ID token?

3) The JWT token generated by OIDC contains the audience (aud) claim, which by
default is assigned the client id. Is there any specific reason for that?

Regards
Kashi

Re: Fediz OIDC

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

Responses inline below.

On Sun, Jul 28, 2019 at 8:46 AM vishwanath <ak...@gmail.com> wrote:

>
> 1) I am able to test the Authorization Code flow and the Implicit flow. But I
> want to implement the OAuth PKCE flow. I received the authorization code from the
> first step, but the second step is still expecting client_secret along with
> code_verifier. As per the OAuth standard, client_secret is not required for PKCE,
> right? Also, how do I implement DigestCodeVerifier (RS256) instead of
> PlainCodeVerifier?
>
>
> https://localhost:8443/oidc/idp/authorize?client_id=cQtfnlT6xwc4xQ&response_type=code&scope=openid&redirect_uri=https://localhost:8080/test&state=state-8600b31f-52d1-4dca-987c-386e3d8967e9&code_challenge_method=S256&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU&audience=https://zsoasec-racf.ch.zurich.com/zsoaidp-oidc/
>

I think this is just a matter of how you are setting up the service. See the
following system test, which puts the AccessTokenService on a separate endpoint
with no authentication requirements for public clients:

https://github.com/apache/cxf/blob/563b1ec1f5b2186003843d5e686cc764efa00bb3/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml#L131

To implement the DigestCodeVerifier you need to inject it into the
AuthorizationCodeGrantHandler, see here:

https://github.com/apache/cxf/blob/563b1ec1f5b2186003843d5e686cc764efa00bb3/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml#L148


> 2) Today the ID token is a JWT token. Which token should we use to call the REST
> service, the access token or the ID token?
>

Access Token. ID Token is only meant for the client.


>
> 3) The JWT token generated by OIDC contains the audience (aud) claim, which by
> default is assigned the client id. Is there any specific reason for that?
>

Yes, the IdToken is targeted at the client.

Colm.


>
> Regards
> Kashi
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
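An added worked example, not code from this thread or from CXF, showing the two PKCE pieces discussed above: a public client deriving code_challenge from code_verifier with the S256 method (base64url of SHA-256, the same computation a digest code verifier performs) and redeeming the code with code_verifier but no client_secret, and the check the token endpoint performs on the submitted code_verifier. It also shows why the code_challenge in the authorize URL above deserves a second look: 47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU is exactly the S256 challenge of an empty code_verifier, so the client that built that URL was hashing an empty string, and a token endpoint that enforces the RFC 7636 length rule will refuse the redemption even though the digests match. The function names and the sample client id are the example's own; the IdP and redirect URLs are taken from the thread. The RFC 7636 appendix test vector is used to confirm the digest computation.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters of [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

# Values taken from the authorize URL in the thread
IDP_AUTHORIZE = "https://localhost:8443/oidc/idp/authorize"
REDIRECT_URI = "https://localhost:8080/test"
CHALLENGE_FROM_THREAD = "47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU"


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """32 random bytes encode to a 43-character verifier (the RFC minimum)."""
    return b64url_nopad(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def compute_challenge(code_verifier: str, method: str) -> str:
    if method == "plain":
        return code_verifier
    if method == "S256":
        return s256_challenge(code_verifier)
    raise ValueError(f"unsupported code_challenge_method: {method}")


# ---- client side: a public client has no client_secret to send ----

def build_authorize_params(client_id: str, code_challenge: str, state: str) -> dict:
    """Query parameters for the first leg; the challenge is bound to the code."""
    return {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }


def build_public_token_request(client_id: str, code: str, code_verifier: str) -> dict:
    """Form body for the second leg. client_id identifies the client; the
    verifier, not a client_secret, proves it is the same client that started."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }


# ---- server side: what the token endpoint checks before issuing tokens ----

def verify_code_verifier(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Reject malformed verifiers first (an empty or short verifier is a
    misconfigured client even if its digest matches), then compare in
    constant time against the challenge stored with the authorization code."""
    if not _VERIFIER_RE.match(code_verifier or ""):
        return False
    expected = compute_challenge(code_verifier, method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def run_flow(client_id: str = "example-public-client") -> bool:
    """End-to-end: client builds both legs, server verifies the redemption."""
    verifier = generate_code_verifier()
    params = build_authorize_params(client_id, s256_challenge(verifier), "state-demo")
    # The IdP stores params["code_challenge"] with the code it issues (constructed here)
    stored = params["code_challenge"]
    token_req = build_public_token_request(client_id, "CONSTRUCTED-CODE", verifier)
    return verify_code_verifier(token_req["code_verifier"], stored, "S256")


if __name__ == "__main__":
    print("empty verifier matches thread challenge:",
          s256_challenge("") == CHALLENGE_FROM_THREAD)
    print("flow verifies:", run_flow())
```

The length check in verify_code_verifier is what turns the observation about the URL into a defender's control: a token endpoint that only compares digests would accept an empty verifier against that challenge, while one that enforces the RFC's 43-character minimum refuses it and surfaces the client bug.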