Posted to users@cxf.apache.org by Rajan1311 <ra...@gmail.com> on 2016/02/19 05:24:42 UTC

Support both Bearer and JWT tokens

Hi,

I am still pretty new at this, so might have not understood this correctly.
I am trying to protect my API via OAuth. I basically need 2 types of flow,
one is a client credentials, where a client can dynamically register and
then access their resources. For this, I have followed the documentation and
have successfully implemented the same. I am using a bearer token for this.

Next I would need a JWT which my clients would generate and then use. I
have created an SDK which is used by my clients to create JWTs. Based on the
information within the JWT, the bearer of this token can get access to the
clients' resource.

So, I need to support 2 types of tokens - Bearer and JWT tokens. I did a
little bit of searching but was left confused. I tried using the
org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter (registered it
as a filter in the service I want to protect), which checks for the validity
of the JWT token, but it would block requests made with the bearer token. I
am not sure how to proceed from here. Should I create a custom token
validator for my OAuth filter?

Thanks

Rajan

--
View this message in context: http://cxf.547215.n5.nabble.com/Support-both-Bearer-and-JWT-tokens-tp5766050.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Support both Bearer and JWT tokens

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 23/02/16 10:27, Sergey Beryozkin wrote:
> Hi
> On 23/02/16 07:24, Rajan1311 wrote:
>> Hi Sergey,
>>
>> I think I have understood what you mean, so the JWT has nothing to do with
>> the OAuth flows.
>>
> I did not quite imply that JWT was not related to OAuth flows, rather I
> said the JWTAuthenticationFilter you were thinking of using was not
> related.

Or to be more precise, it can be used as a filter for authenticating the
OAuth2 clients, but only when these clients use JWT for a pure
authentication when accessing the OAuth2 AccessTokenService, for example, when
using a client credentials or authorization code grant...

Sergey
>
>> In my case though, when a client server needs access to my API, he does so
>> with the access token obtained via the client credentials grant. Each token
>> (default bearer type) has registered scopes which govern the parts of the
>> API the client can access. According to the documentation, it's the
>> OAuthRequestFilter and OAuthScopesFilter that make this restriction happen.
>> I am using the @Scopes annotation on my controllers.
>>
> Sure, you might also want to consider using OAuthRequestFilter only with
> the requiredScopes property set, unless you'd like to enforce the scopes
> declaratively on a per-method level.
>> Now, the Client can also make requests with a JWT (issued by the client's
>> server). The client signs the JWT with their client secret and sends me (API
>> server) the JWT along with the client id (so that I can verify it with the
>> corresponding secret). The JWT claims have a list of scopes along with some
>> other identification info.
>>
>> This is where I need some sort of convergence between the 2 flows. Once I
>> have the scopes, I want to process them in such a way that I use the scopes
>> in the access token (via client credentials).
>>
>> So, for this to happen, I think I would need some sort of modification in my
>> OAuthRequestFilter, which would also accept JWT tokens, validate them and
>> extract the scopes. Then, it should work seamlessly with the
>> OAuthScopesFilter.
>>
>> I hope you understood what I mean. I am very new to this, so would be great
>> if you could just point me in the right direction. I am thinking of
>> implementing a custom Filter to replace the OAuthRequestFilter, but I am not
>> too sure on how to proceed.
>
> Hmm, well, the client gets the access token from the OAuth2 Access Token
> Service, and then the client uses this token to access some users' API
> server.
> But what you are describing is that the client creates a JWT token
> itself (maybe it gets this token from an STS such as CXF STS that can
> issue JWT assertions), sets a client id on it and then wants to use it
> as an access token?
>
> If so then I don't think it is possible: all the client has is a set of
> JWT claims representing the fact of the successful client authentication
> with STS/etc, and adding a client id to such claims does not turn
> them into an access token, but the client can use them to claim a new
> access token and then use it.
>
> Cheers, Sergey
>
>> Thanks and Regards,
>>
>> Rajan


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Re: Support both Bearer and JWT tokens

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 23/02/16 07:24, Rajan1311 wrote:
> Hi Sergey,
>
> I think I have understood what you mean, so the JWT has nothing to do with
> the OAuth flows.
>
I did not quite imply that JWT was not related to OAuth flows, rather I 
said the JWTAuthenticationFilter you were thinking of using was not related.

> In my case though, when a client server needs access to my API, he does so
> with the access token obtained via the client credentials grant. Each token
> (default bearer type) has registered scopes which govern the parts of the
> API the client can access. According to the documentation, it's the
> OAuthRequestFilter and OAuthScopesFilter that make this restriction happen.
> I am using the @Scopes annotation on my controllers.
>
Sure, you might also want to consider using OAuthRequestFilter only with
the requiredScopes property set, unless you'd like to enforce the scopes
declaratively on a per-method level.
> Now, the Client can also make requests with a JWT (issued by the client's
> server). The client signs the JWT with their client secret and sends me (API
> server) the JWT along with the client id (so that I can verify it with the
> corresponding secret). The JWT claims have a list of scopes along with some
> other identification info.
>
> This is where I need some sort of convergence between the 2 flows. Once I
> have the scopes, I want to process them in such a way that I use the scopes
> in the access token (via client credentials).
>
> So, for this to happen, I think I would need some sort of modification in my
> OAuthRequestFilter, which would also accept JWT tokens, validate them and
> extract the scopes. Then, it should work seamlessly with the
> OAuthScopesFilter.
>
> I hope you understood what I mean. I am very new to this, so would be great
> if you could just point me in the right direction. I am thinking of
> implementing a custom Filter to replace the OAuthRequestFilter, but I am not
> too sure on how to proceed.

Hmm, well, the client gets the access token from the OAuth2 Access Token
Service, and then the client uses this token to access some users' API
server.
But what you are describing is that the client creates a JWT token
itself (maybe it gets this token from an STS such as CXF STS that can
issue JWT assertions), sets a client id on it and then wants to use it
as an access token?

If so then I don't think it is possible: all the client has is a set of
JWT claims representing the fact of the successful client authentication
with STS/etc, and adding a client id to such claims does not turn
them into an access token, but the client can use them to claim a new
access token and then use it.

Cheers, Sergey

> Thanks and Regards,
>
> Rajan



Re: Support both Bearer and JWT tokens

Posted by Rajan1311 <ra...@gmail.com>.
Hi Sergey,

I think I have understood what you mean, so the JWT has nothing to do with
the OAuth flows.

In my case though, when a client server needs access to my API, he does so
with the access token obtained via the client credentials grant. Each token
(default bearer type) has registered scopes which govern the parts of the
API the client can access. According to the documentation, it's the
OAuthRequestFilter and OAuthScopesFilter that make this restriction happen.
I am using the @Scopes annotation on my controllers.

Now, the Client can also make requests with a JWT (issued by the client's
server). The client signs the JWT with their client secret and sends me (API
server) the JWT along with the client id (so that I can verify it with the
corresponding secret). The JWT claims have a list of scopes along with some
other identification info.

This is where I need some sort of convergence between the 2 flows. Once I
have the scopes, I want to process them in such a way that I use the scopes
in the access token (via client credentials).

So, for this to happen, I think I would need some sort of modification in my
OAuthRequestFilter, which would also accept JWT tokens, validate them and
extract the scopes. Then, it should work seamlessly with the
OAuthScopesFilter.

I hope you understood what I mean. I am very new to this, so would be great
if you could just point me in the right direction. I am thinking of
implementing a custom Filter to replace the OAuthRequestFilter, but I am not
too sure on how to proceed.

Thanks and Regards,

Rajan

--
View this message in context: http://cxf.547215.n5.nabble.com/Support-both-Bearer-and-JWT-tokens-tp5766050p5766172.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Support both Bearer and JWT tokens

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

Thanks for experimenting with the JWT authentication filter, but it is
not exactly tailored for use in OAuth2 flows; let me clarify.

JWT (claims) is one way to have a given access token represented
*internally*. An access token can be a DB pointer to some custom table,
or maybe an encrypted set of JWT claims. It is still a Bearer token
though.
Of course, other types of tokens are possible, such as PoP tokens which
have been standardized recently; in CXF we currently support Hawk
schemes, but even in those schemes it can be JWT claims that are used
internally.

So, speaking of the access tokens, they are typically Bearer (or 
PoP/etc) access tokens, whether JWT claims are used to represent them or 
not is somewhat orthogonal.

We have some code in place though to support JWT assertions which
represent a given client's authentication credentials and can be used,
but these JWT assertions are not the tokens; the end result there is
that the OAuth2 server will still return a Bearer/PoP/etc token:

http://cxf.apache.org/docs/jaxrs-oauth2-assertions.html


JwtAuthenticationFilter is meant to be used in regular client server
communications; the JWT scheme there is not related to OAuth2 flows, for
example, the client obtains a JWT assertion, and uses it to
authenticate, and maybe also link it to the JWS/JWE secured payload...

Does it help?

Sergey


On 19/02/16 04:24, Rajan1311 wrote:
> Hi,
>
> I am still pretty new at this, so might have not understood this correctly.
> I am trying to protect my API via OAuth. I basically need 2 types of flow,
> one is a client credentials, where a client can dynamically register and
> then access their resources. For this, I have followed the documentation and
> have successfully implemented the same. I am using a bearer token for this.
>
> Next I would need a JWT which my clients would generate and then use. I
> have created an SDK which is used by my clients to create JWTs. Based on the
> information within the JWT, the bearer of this token can get access to the
> clients' resource.
>
> So, I need to support 2 types of tokens - Bearer and JWT tokens. I did a
> little bit of searching but was left confused. I tried using the
> org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter (registered it
> as a filter in the service I want to protect), which checks for the validity
> of the JWT token, but it would block requests made with the bearer token. I
> am not sure how to proceed from here. Should I create a custom token
> validator for my OAuth filter?
>
> Thanks
>
> Rajan


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
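As an added illustration of the distinction Sergey draws (and of why the custom filter Rajan describes is not needed), the following Python sketch is not code from CXF or from either poster: a client-signed JWT assertion only authenticates the client at the authorization server's token endpoint, which then issues an unrelated opaque Bearer token whose scopes are bounded by the client's registration; the resource server accepts that Bearer token and nothing else, so presenting the raw assertion there fails. The client id, secret, scopes, endpoint URL and the in-process token store are constructed sample values.

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed sample registration data for one OAuth2 client (not from the thread).
CLIENT_ID = "client-42"
CLIENT_SECRET = b"constructed-shared-secret"
REGISTERED_SCOPES = {"read", "write"}
TOKEN_ENDPOINT = "https://as.example/oauth2/token"  # 'aud' the assertion must name
ISSUED_TOKENS = {}  # opaque bearer token -> (client_id, scopes, expiry); stands in for the AS token store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))

def build_client_assertion(client_id: str, secret: bytes, now=None) -> str:
    """Client side: an HS256 JWT that proves the client's identity to the token endpoint."""
    now = now or int(time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iss": client_id, "sub": client_id,
                              "aud": TOKEN_ENDPOINT, "exp": now + 300}).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

def token_endpoint(assertion: str, requested_scopes, now=None):
    """Authorization server: verify the assertion, then issue an unrelated opaque Bearer token."""
    now = now or int(time.time())
    parts = assertion.split(".")
    if len(parts) != 3 or _unb64(parts[0]).get("alg") != "HS256":  # pin the algorithm first
        return None
    header, claims, sig = parts
    expected = hmac.new(CLIENT_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    c = _unb64(claims)
    if c.get("iss") != CLIENT_ID or c.get("aud") != TOKEN_ENDPOINT or c.get("exp", 0) <= now:
        return None
    scopes = set(requested_scopes)
    if not scopes <= REGISTERED_SCOPES:  # a client cannot claim scopes it never registered
        return None
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = (CLIENT_ID, scopes, now + 3600)
    return {"access_token": token, "token_type": "Bearer", "scope": " ".join(sorted(scopes))}

def resource_server_check(authorization: str, required_scope: str, now=None) -> bool:
    """Resource server: accept only tokens the AS issued; the raw assertion is not one of them."""
    now = now or int(time.time())
    scheme, _, value = authorization.partition(" ")
    entry = ISSUED_TOKENS.get(value) if scheme == "Bearer" else None
    return entry is not None and entry[2] > now and required_scope in entry[1]
```

In CXF terms the assertion step corresponds to the JWT assertions page Sergey links, while the resource-side check is what OAuthRequestFilter/OAuthScopesFilter already perform against the issued token.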