Posted to users@cxf.apache.org by Sergey Beryozkin <sb...@gmail.com> on 2012/04/16 12:55:00 UTC

Re: [jira] [Resolved] (CXF-4051) Custom OAuth scopes are not supported

Hi, redirecting to the users list,

On 16/04/12 11:01, jordi wrote:
> Hi Sergey,
> I'm sorry but I'm unable to find the class/jar you told me.
>
> I've checked out CXF sources from its SVN and the "Apache CXF Runtime OAuth
> 1.0a" module has the following dependency:
>
>          <dependency>
>              <groupId>net.oauth.core</groupId>
>              <artifactId>oauth-provider</artifactId>
>              <version>${oauth.version}</version>
>          </dependency>
>
> After building the corresponding project, some jars are placed in my maven
> repository: oauth-20100527.jar, oauth-consumer-20100527.jar,
> oauth-provider-20100527.jar
>
> Using these files to resolve my project oauth dependencies has the same wrong
> behavior I described before :-( Could you help me to locate the correct jar
> file?
I'm not sure where you get oauth-consumer-20100527.jar from, I'm not 
seeing it in the list of project dependencies, only oauth-20100527.jar & 
oauth-provider-20100527.jar.
FYI, net/oauth/OAuthConsumer is available in oauth-20100527.jar

Cheers, Sergey
>
> Thank you very much for your time and help,
> Jordi
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/jira-Created-CXF-4051-Custom-OAuth-scopes-are-not-supported-tp5164840p5643403.html
> Sent from the cxf-issues mailing list archive at Nabble.com.


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: [jira] [Resolved] (CXF-4051) Custom OAuth scopes are not supported

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Jordi

Actually, you're right, those extra parameters are not treated correctly
in 2.5.2, I just checked the source.
The code I was referring to would work OK with 2.5.3 (due in a few
days), just make sure 'scope' is used, you should be able to confirm
it with 2.5.3-SNAPSHOT or check the release vote thread, and use the
tagged 2.5.3

Cheers, Sergey

On Mon, Apr 16, 2012 at 3:15 PM, Sergey Beryozkin <sb...@gmail.com> wrote:
> On 16/04/12 14:29, jordi wrote:
>>
>> Hi Sergey,
>> ok, I totally agree with what you suggest about URIs, thanks a lot.
>>
>> Please correct me if I'm wrong: as I'm working with OAuth 1.0, I won't be
>> able
>> to send any scopes information inside the token request.
>
> As I demonstrated in the code example posted in the previous email it is
> possible with the CXF OAuth 1.0 module
>>
>> To work around this
>> I can migrate my project to OAuth 2.0 in order to use the new standard
>> "scope" header, ok?
>
> If you do not have any specific reasons to work with OAuth 1.0 then I think
> starting with 2.0 will be a good idea
>
> Cheers, Sergey
>>
>>
>> Cheers,
>> Jordi
>>
>> --
>> View this message in context:
>> http://cxf.547215.n5.nabble.com/Re-jira-Resolved-CXF-4051-Custom-OAuth-scopes-are-not-supported-tp5643475p5643806.html
>>
>> Sent from the cxf-user mailing list archive at Nabble.com.



-- 
Sergey Beryozkin

http://sberyozkin.blogspot.com
Talend - http://www.talend.com

Re: [jira] [Resolved] (CXF-4051) Custom OAuth scopes are not supported

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 16/04/12 14:29, jordi wrote:
> Hi Sergey,
> ok, I totally agree with what you suggest about URIs, thanks a lot.
>
> Please correct me if I'm wrong: as I'm working with OAuth 1.0, I won't be able
> to send any scopes information inside the token request.
As I demonstrated in the code example posted in the previous email it is 
possible with the CXF OAuth 1.0 module
> To work around this
> I can migrate my project to OAuth 2.0 in order to use the new standard
> "scope" header, ok?
If you do not have any specific reasons to work with OAuth 1.0 then I 
think starting with 2.0 will be a good idea

Cheers, Sergey
>
> Cheers,
> Jordi
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Re-jira-Resolved-CXF-4051-Custom-OAuth-scopes-are-not-supported-tp5643475p5643806.html
> Sent from the cxf-user mailing list archive at Nabble.com.

Re: [jira] [Resolved] (CXF-4051) Custom OAuth scopes are not supported

Posted by jordi <jo...@hotmail.com>.
Hi Sergey,
ok, I totally agree with what you suggest about URIs, thanks a lot.

Please correct me if I'm wrong: as I'm working with OAuth 1.0, I won't be able
to send any scopes information inside the token request. To work around this
I can migrate my project to OAuth 2.0 in order to use the new standard
"scope" header, ok?

Cheers,
Jordi

--
View this message in context: http://cxf.547215.n5.nabble.com/Re-jira-Resolved-CXF-4051-Custom-OAuth-scopes-are-not-supported-tp5643475p5643806.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: [jira] [Resolved] (CXF-4051) Custom OAuth scopes are not supported

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Jordi
On 16/04/12 13:52, jordi wrote:
> Hi Sergey,
> As I detailed in the first post, if I use *oauth-20100527.jar* and
> cxf-rt-rs-security-oauth-2.5.2.jar to run an OAuth web client that looks
> like:
>
>     WebClient rts = WebClient.create("http://localhost:8080/services/oauth/initiate");
>     rts.accept("application/x-www-form-urlencoded;q=0.9,*/*;q=0.8");
>     Consumer consumer = new Consumer(aConsumerKey, aSecretKey);
>     URI callback = new URI("http://localhost:8080/dummyclient/callback");
>
>     // CXF extra parameters
>     Map<String, String> extra = new HashMap<String, String>();
>     extra.put("x_oauth_uri", "business/listdocs");
>     extra.put("x_oauth_scope", "read_profile");
>     extra.put("state", "intercepted");
>
>     Token requestToken = OAuthClientUtils.getRequestToken(rts, consumer, callback, extra);
>
> I receive an error message from the server side (OAuth server), informing
> about an error during signature verification. I've found x_oauth_uri,
> x_oauth_scope, and state headers are used in client side to compute the
> oauth signature but unfortunately they are not sent to the server.
>

This is the code that works for me in the OAuth 1.0 demo:

public Token getRequestToken(URI callback, ReservationRequest request) {
    Map<String, String> extraParams = new HashMap<String, String>();
    extraParams.put(org.apache.cxf.rs.security.oauth.utils.OAuthConstants.X_OAUTH_SCOPE,
                    OAuthConstants.UPDATE_CALENDAR_SCOPE + request.getHour());

    return OAuthClientUtils.getRequestToken(requestTokenService, consumer, callback, extraParams);
}

Note, the actual X_OAUTH_SCOPE value has been changed internally to 
'scope', for it to match the value of the standard OAuth2 parameter.

x_oauth_uri has been dropped altogether, this restriction can be still 
enforced on the server side, but I thought it was not something Client 
needed to worry about, it knows the URI of the protected resource, which 
is enough, the server can still extra-protect from this URI getting some 
child subresources when applicable, etc

Cheers, Sergey


> Thank you very much, cheers
> Jordi
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Re-jira-Resolved-CXF-4051-Custom-OAuth-scopes-are-not-supported-tp5643475p5643702.html
> Sent from the cxf-user mailing list archive at Nabble.com.


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: [jira] [Resolved] (CXF-4051) Custom OAuth scopes are not supported

Posted by jordi <jo...@hotmail.com>.
Hi Sergey,
As I detailed in the first post, if I use *oauth-20100527.jar* and
cxf-rt-rs-security-oauth-2.5.2.jar to run an OAuth web client that looks
like:

    WebClient rts = WebClient.create("http://localhost:8080/services/oauth/initiate");
    rts.accept("application/x-www-form-urlencoded;q=0.9,*/*;q=0.8");
    Consumer consumer = new Consumer(aConsumerKey, aSecretKey);
    URI callback = new URI("http://localhost:8080/dummyclient/callback");

    // CXF extra parameters
    Map<String, String> extra = new HashMap<String, String>();
    extra.put("x_oauth_uri", "business/listdocs");
    extra.put("x_oauth_scope", "read_profile");
    extra.put("state", "intercepted");

    Token requestToken = OAuthClientUtils.getRequestToken(rts, consumer, callback, extra);

I receive an error message from the server side (OAuth server), informing
about an error during signature verification. I've found x_oauth_uri,
x_oauth_scope, and state headers are used in client side to compute the
oauth signature but unfortunately they are not sent to the server.

Thank you very much, cheers
Jordi

--
View this message in context: http://cxf.547215.n5.nabble.com/Re-jira-Resolved-CXF-4051-Custom-OAuth-scopes-are-not-supported-tp5643475p5643702.html
Sent from the cxf-user mailing list archive at Nabble.com.
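
Added example, not part of the original thread and not CXF or net.oauth code: the failure described in the message above, reproduced with JDK classes only. It builds the OAuth 1.0 (RFC 5849) HMAC-SHA1 signature over parameters that include the extras, then recomputes it the way a server would over only the parameters that were transmitted. The class name, the POST method, and the key, secret, nonce and timestamp values are constructed assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.StringJoiner;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuth1ExtraParams {
    // RFC 5849 section 3.6 percent-encoding; URLEncoder differs for ' ', '*' and '~'.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // RFC 5849 section 3.4.1 signature base string (assumes no repeated parameter names).
    static String baseString(String method, String uri, Map<String, String> params) throws Exception {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) sorted.put(enc(e.getKey()), enc(e.getValue()));
        StringJoiner joined = new StringJoiner("&");
        for (Map.Entry<String, String> e : sorted.entrySet()) joined.add(e.getKey() + "=" + e.getValue());
        return method + "&" + enc(uri) + "&" + enc(joined.toString());
    }

    // HMAC-SHA1 keyed with enc(consumerSecret) + "&"; no token secret exists yet at the initiate step.
    static byte[] sign(String base, String consumerSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec((enc(consumerSecret) + "&").getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return mac.doFinal(base.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String uri = "http://localhost:8080/services/oauth/initiate", secret = "constructed-secret";
        Map<String, String> oauth = new TreeMap<>();        // constructed protocol parameters
        oauth.put("oauth_consumer_key", "constructed-key");
        oauth.put("oauth_signature_method", "HMAC-SHA1");
        oauth.put("oauth_timestamp", "1334577300");
        oauth.put("oauth_nonce", "constructed-nonce");
        oauth.put("oauth_callback", "http://localhost:8080/dummyclient/callback");
        Map<String, String> signed = new TreeMap<>(oauth);  // what the client signs: protocol params plus extras
        signed.put("x_oauth_uri", "business/listdocs");
        signed.put("x_oauth_scope", "read_profile");
        signed.put("state", "intercepted");

        byte[] clientSig = sign(baseString("POST", uri, signed), secret);
        // The server recomputes the signature over the parameters it actually received.
        boolean extrasDropped = MessageDigest.isEqual(clientSig, sign(baseString("POST", uri, oauth), secret));
        boolean extrasSent = MessageDigest.isEqual(clientSig, sign(baseString("POST", uri, signed), secret));
        System.out.println("extras signed but not transmitted -> verifies: " + extrasDropped);
        System.out.println("extras signed and transmitted     -> verifies: " + extrasSent);
    }
}
```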