Posted to users@cxf.apache.org by Peter De Winter <pe...@icloud.com> on 2014/12/18 17:22:03 UTC

Implicit flow Question

Hello all,

Short question on the implicit flow with JAX-RS.
The redirect URL with the fragment contains an access_token attribute.
Contains an access-token but no secret.
So how do you get by the HawkTokenValidator if you have no secret to generate the correct MAC (SHA-256) on the client agent?

Thanks for any help!
Peter DW

Re: Implicit flow Question

Posted by Mijathi bvba <pe...@icloud.com>.
Yes, it does now. A lot even!

Thank you for your help!

> On 18 Dec 2014 at 18:03, Sergey Beryozkin <sb...@gmail.com> wrote:
> 
>> On 18/12/14 16:42, Mijathi bvba wrote:
>> 
>> So how do we set up the authorization header on a request to a resource knowing the OAuthRequestFilter will check the request may pass? Is it still Hawk authorization?
> Hawk tokens or OAuth2 PoP tokens (the work in progress) cannot be used with ImplicitFlow clients so OAuth2RequestFilter cannot use Hawk/PoP validators against such clients.
> I'm not 100% sure now it won't change for PoP tokens as implicit clients might be able to use WebCrypto API to sign with their bank's public keys, etc, but this is too early to contemplate.
> 
> As far as the authorization of the implicit flow clients to the filter is concerned, it is "Bearer mytoken"; or some other custom token type if preferred.
> 
> Does it help?
> 
> Cheers, Sergey
>>> On 18 Dec 2014 at 17:35, Sergey Beryozkin <sb...@gmail.com> wrote:
>>> 
>>> Hi Peter
>>>> On 18/12/14 16:22, Peter De Winter wrote:
>>>> Hello all,
>>>> 
>>>> Short question on the implicit flow with JAX-RS.
>>>> The redirect URL with the fragment contains an access_token attribute.
>>>> Contains an access-token but no secret.
>>>> So how do you get by the HawkTokenValidator if you have no secret to generate the correct MAC (SHA-256) on the client agent?
>>> I don't think it is possible. Implicit Grant clients qualify as public clients, which cannot keep secrets, including a secret MAC key.
>>> 
>>> Cheers, Sergey
>>> 
>>>> Thanks for any help!
>>>> Peter DW
> 
> 
> -- 
> Sergey Beryozkin
> 
> Talend Community Coders
> http://coders.talend.com/
> 
> Blog: http://sberyozkin.blogspot.com

Re: Implicit flow Question

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 18/12/14 16:42, Mijathi bvba wrote:
>
> So how do we set up the authorization header on a request to a resource knowing the OAuthRequestFilter will check the request may pass? Is it still Hawk authorization?
>
Hawk tokens or OAuth2 PoP tokens (the work in progress) cannot be used 
with ImplicitFlow clients so OAuth2RequestFilter cannot use Hawk/PoP 
validators against such clients.
I'm not 100% sure now it won't change for PoP tokens as implicit clients 
might be able to use WebCrypto API to sign with their bank's public 
keys, etc, but this is too early to contemplate.

As far as the authorization of the implicit flow clients to the filter is 
concerned, it is "Bearer mytoken"; or some other custom token type if 
preferred.

Does it help?

Cheers, Sergey
>> On 18 Dec 2014 at 17:35, Sergey Beryozkin <sb...@gmail.com> wrote:
>>
>> Hi Peter
>>> On 18/12/14 16:22, Peter De Winter wrote:
>>> Hello all,
>>>
>>> Short question on the implicit flow with JAX-RS.
>>> The redirect URL with the fragment contains an access_token attribute.
>>> Contains an access-token but no secret.
>>> So how do you get by the HawkTokenValidator if you have no secret to generate the correct MAC (SHA-256) on the client agent?
>> I don't think it is possible. Implicit Grant clients qualify as public clients, which cannot keep secrets, including a secret MAC key.
>>
>> Cheers, Sergey
>>
>>> Thanks for any help!
>>> Peter DW
>>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
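Added example, not code from the thread or from CXF: the client side of what Sergey describes. An implicit-flow client receives the token in the URL fragment with no accompanying secret, so it cannot compute a Hawk MAC; it checks the redirect and presents the token as "Bearer <token>". The redirect URL, state and token values below are constructed.

```python
"""Handle an OAuth2 implicit-flow redirect on the public client (constructed example).

The authorization server redirects to
  https://client.example/cb#access_token=...&token_type=Bearer&expires_in=3600&state=...
Browsers never send the fragment to a server, so the client has to pull the
token out itself. No shared secret comes with it, so the only way to use it
against a resource protected by the OAuth2 request filter is "Authorization: Bearer <token>".
"""
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample redirect; "xyz" is the state this client sent in its authorization request.
SAMPLE_REDIRECT = ("https://client.example/cb#access_token=tok_constructed_123"
                   "&token_type=Bearer&expires_in=3600&state=xyz")
SAMPLE_STATE = "xyz"


def parse_implicit_redirect(redirect_url, expected_state):
    """Validate the implicit-flow response carried in the fragment and return the token data.

    Raises ValueError on an error response, a state mismatch, a missing token,
    or a token type that a public client cannot actually use.
    """
    fragment = urlsplit(redirect_url).fragment
    if not fragment:
        raise ValueError("no fragment: not an implicit-flow redirect")
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in params:
        raise ValueError("authorization server returned error: %s" % params["error"])
    # state binds this redirect to the request the client started (CSRF protection);
    # compare in constant time so the check itself leaks nothing
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: redirect was not initiated by this client")
    token = params.get("access_token")
    if not token:
        raise ValueError("redirect carries no access_token")
    token_type = params.get("token_type", "").lower()
    if token_type != "bearer":
        # Hawk/MAC-style tokens need a client-held secret; a public client has none to keep
        raise ValueError("unsupported token_type %r for a public client" % token_type)
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": int(params.get("expires_in", "0"))}


def authorization_header(token_info):
    """Authorization header value the implicit client sends to the protected resource."""
    return "Bearer " + token_info["access_token"]
```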

Re: Implicit flow Question

Posted by Mijathi bvba <pe...@icloud.com>.
So how do we set up the authorization header on a request to a resource knowing the OAuthRequestFilter will check the request may pass? Is it still Hawk authorization?

> On 18 Dec 2014 at 17:35, Sergey Beryozkin <sb...@gmail.com> wrote:
> 
> Hi Peter
>> On 18/12/14 16:22, Peter De Winter wrote:
>> Hello all,
>> 
>> Short question on the implicit flow with JAX-RS.
>> The redirect URL with the fragment contains an access_token attribute.
>> Contains an access-token but no secret.
>> So how do you get by the HawkTokenValidator if you have no secret to generate the correct MAC (SHA-256) on the client agent?
> I don't think it is possible. Implicit Grant clients qualify as public clients, which cannot keep secrets, including a secret MAC key.
> 
> Cheers, Sergey
> 
>> Thanks for any help!
>> Peter DW
> 

Re: Implicit flow Question

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Peter
On 18/12/14 16:22, Peter De Winter wrote:
> Hello all,
>
> Short question on the implicit flow with JAX-RS.
> The redirect URL with the fragment contains an access_token attribute.
> Contains an access-token but no secret.
> So how do you get by the HawkTokenValidator if you have no secret to generate the correct MAC (SHA-256) on the client agent?
>
I don't think it is possible. Implicit Grant clients qualify as public 
clients, which cannot keep secrets, including a secret MAC key.

Cheers, Sergey

> Thanks for any help!
> Peter DW
>