Posted to users@cxf.apache.org by nicolasduminil <ni...@simplex-software.fr> on 2017/06/01 13:35:31 UTC

Using OAuth 1.0a with JAX-RS CXF

Hello,

My company is looking to implement an electronic signing solution based on
an external service provider. This service provider provides a set of REST
services which require OAuth 1.0a authentication/authorization. They don't
support 3-leg flow at all, they don't recommend to use 2-leg, but only
1-leg.

Looking at the CXF documentation, I found these two pages:
http://cxf.apache.org/docs/cxf-oauth-10.html,
http://cxf.apache.org/docs/jax-rs-oauth.html, but it is still difficult to
get an idea of what CXF proposes as far as OAuth 1.0a is concerned, and more
specifically 1-leg flow.

Additionally, the links on these pages are broken such that it is not
possible to download either the CXF OAuth 1.0 Extension, as proposed, or the
samples OAuth Demo Server and OAuth Demo Client.

Last but not least, our REST clients supposed to use OAuth 1.0a will run as
Java EE components deployed on WebSphere 9.0.0.3 which comes with Apache
3.0.3. We don't have the option to use another release of Apache CXF than
the one coming with WebSphere. And customizing Apache CXF 3.0.3 in
WebSphere is probably difficult or not possible given that it comes bundled
in a quite rigid way.

So my questions are: what options would we have here? Is it possible to use
Apache CXF for these purposes and, if yes, how? Where can I find examples
of JAX-RS clients? And how to download and install the required extensions
in the already bundled CXF on WebSphere?

Many thanks in advance, for your help.

Kind regards,
Nicolas




--
View this message in context: http://cxf.547215.n5.nabble.com/Using-OAuth-1-0a-with-JAX-RS-CXF-tp5780889.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Using OAuth 1.0a with JAX-RS CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 02/06/17 08:28, nicolasduminil wrote:
> Hi Sergey,
> 
> Thanks for your help. The 1-leg flow, as far as I understood, consists in
> the fact that client doesn’t have to ask for tokens (neither request nor
> access tokens) before accessing protected resource. Here is an image
> showing the flow (well, if I succeed to insert it):
> 
> <http://cxf.547215.n5.nabble.com/file/n5780904/687474703a2f2f7075752e73682f32706530372e706e67.png>
> 
> So, yes, my task would be to provide the client code able to access
> resources protected by this security algorithm. I had a look at the
> OAuthClientUtils and if it allows me to construct the Authorization header
> with all its bits and bolts, it's already something.
> 
OAuthClientUtils.createAuthorizationHeader checks if Token == null, so 
perhaps it will produce the expected Authorization header, there must've 
been a reason why I added that 'null' check...

> Otherwise it seems that Spring Security would support it also but I'm afraid
> that using Spring Security means using Spring REST as well, which we don't
> want.
Spring Security can work alongside CXF, though I do not see how it can 
help for producing OAuth1.0a client requests...

Cheers, Sergey
> 
> Kind regards,
> Nicolas
> 
> 
> 
> 
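
The 1-leg request discussed in this thread, as an added example that is not part of the original messages and does not use CXF's OAuthClientUtils: JDK-only Java 8 code that signs a request per RFC 5849 with the consumer credentials alone and formats the Authorization header. The class name, endpoint URL and credentials are constructed placeholders, and HMAC-SHA1 is assumed to be the signature method the provider expects.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class OneLeggedOAuth1 {   // hypothetical class name
    // RFC 5849 sec. 3.6 percent-encoding: only unreserved characters stay literal.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // baseUri: normalized request URI without query; params: decoded query/form parameters
    // (assumed to have unique names), which are covered by the signature.
    static String header(String method, String baseUri, Map<String, String> params,
            String consumerKey, String consumerSecret, String nonce, long timestamp) throws Exception {
        Map<String, String> oauth = new TreeMap<>();
        oauth.put("oauth_consumer_key", consumerKey);
        oauth.put("oauth_nonce", nonce);
        oauth.put("oauth_signature_method", "HMAC-SHA1");
        oauth.put("oauth_timestamp", Long.toString(timestamp));
        oauth.put("oauth_version", "1.0");
        TreeMap<String, String> all = new TreeMap<>();   // encoded name -> encoded value, sorted
        for (Map.Entry<String, String> e : oauth.entrySet()) all.put(enc(e.getKey()), enc(e.getValue()));
        for (Map.Entry<String, String> e : params.entrySet()) all.put(enc(e.getKey()), enc(e.getValue()));
        StringBuilder norm = new StringBuilder();
        for (Map.Entry<String, String> e : all.entrySet())
            norm.append(norm.length() > 0 ? "&" : "").append(e.getKey()).append('=').append(e.getValue());
        String base = method.toUpperCase(Locale.ROOT) + "&" + enc(baseUri) + "&" + enc(norm.toString());

        // 1-leg: no request/access token, so the token-secret half of the HMAC key is empty.
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec((enc(consumerSecret) + "&").getBytes(StandardCharsets.US_ASCII), "HmacSHA1"));
        oauth.put("oauth_signature",
                Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.US_ASCII))));
        StringBuilder h = new StringBuilder("OAuth ");
        for (Map.Entry<String, String> e : oauth.entrySet())
            h.append(h.length() > 6 ? ", " : "").append(e.getKey()).append("=\"").append(enc(e.getValue())).append('"');
        return h.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] n = new byte[16];
        new SecureRandom().nextBytes(n);   // fresh nonce per request, so the server can detect replays
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(n);
        System.out.println(header("POST", "https://provider.example/api/sign", new TreeMap<String, String>(),
                "constructed-key", "constructed-secret", nonce, System.currentTimeMillis() / 1000));
    }
}
```

Whether the provider additionally expects an empty oauth_token parameter in the signed set is provider-specific and should be checked against its documentation. The consumer secret is the only credential protecting these requests, so it belongs in the application server's credential store rather than in source code.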

Re: Using OAuth 1.0a with JAX-RS CXF

Posted by nicolasduminil <ni...@simplex-software.fr>.
Hi Sergey,

Thanks for your help. The 1-leg flow, as far as I understood, consists in
the fact that client doesn’t have to ask for tokens (neither request nor
access tokens) before accessing protected resource. Here is an image
showing the flow (well, if I succeed to insert it):

<http://cxf.547215.n5.nabble.com/file/n5780904/687474703a2f2f7075752e73682f32706530372e706e67.png> 

So, yes, my task would be to provide the client code able to access
resources protected by this security algorithm. I had a look at the
OAuthClientUtils and if it allows me to construct the Authorization header
with all its bits and bolts, it's already something.

Otherwise it seems that Spring Security would support it also but I'm afraid
that using Spring Security means using Spring REST as well, which we don't
want.

Kind regards,
Nicolas




Re: Using OAuth 1.0a with JAX-RS CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
Can you remind me please what is OAuth1.0a leg about anyway?
As far as I recall only a 3-leg flow was completely specified.
Perhaps you do not even need any specific utility code for the 1.0a 1-leg 
flow.

Sergey
On 01/06/17 16:55, Sergey Beryozkin wrote:
> Hi
> 
> It has been many years since some contributions were made to CXF OAuth 
> 1.0a code and I was actually hoping to remove it from the CXF master but 
> we agreed to keep it for now. As far as CXF is concerned all the 
> 'investment' goes into its OAuth2 and OIDC and JOSE code.
> 
> I've updated
> 
> https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth
> 
> see
> 
> https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth#JAX-RSOAuth-Client-sidesupport 
> 
> 
> My understanding is that your task is really to write client code which 
> will be able to talk to a 3rd party server which is protected by an 
> OAuth1.0 filter.
> 
> As far as the client side support for OAuth1.0a is concerned, CXF only 
> offers OAuthClientUtils which can help to correctly format Authorization 
> headers or get some tokens, etc
> 
> Cheers, Sergey
> On 01/06/17 14:35, nicolasduminil wrote:
>> Hello,
>>
>> My company is looking to implement an electronic signing solution 
>> based on
>> an external service provider. This service provider provides a set of 
>> REST
>> services which require OAuth 1.0a authentication/authorization. They 
>> don't
>> support 3-leg flow at all, they don't recommend to use 2-leg, but only
>> 1-leg.
>>
>> Looking at the CXF documentation, I found these two pages:
>> http://cxf.apache.org/docs/cxf-oauth-10.html,
>> http://cxf.apache.org/docs/jax-rs-oauth.html, but it is still 
>> difficult to
>> get an idea of what CXF proposes as far as OAuth 1.0a is concerned, 
>> and more
>> specifically 1-leg flow.
>>
>> Additionally, the links on these pages are broken such that it is not
>> possible to download either the CXF OAuth 1.0 Extension, as proposed,
>> or the samples OAuth Demo Server and OAuth Demo Client.
>>
>> Last but not least, our REST clients supposed to use OAuth 1.0a will 
>> run as
>> Java EE components deployed on WebSphere 9.0.0.3 which comes with Apache
>> 3.0.3. We don't have the option to use another release of Apache CXF than
>> the one coming with WebSphere. And customizing Apache CXF 3.0.3 in
>> WebSphere is probably difficult or not possible given that it comes 
>> bundled
>> in a quite rigid way.
>>
>> So my questions are: what options would we have here? Is it possible
>> to use Apache CXF for these purposes and, if yes, how? Where can I find
>> examples of JAX-RS clients? And how to download and install the required
>> extensions in the already bundled CXF on WebSphere?
>>
>> Many thanks in advance, for your help.
>>
>> Kind regards,
>> Nicolas
>>
>>
>>
>>
>>
> 
> 


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Re: Using OAuth 1.0a with JAX-RS CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

It has been many years since some contributions were made to CXF OAuth 
1.0a code and I was actually hoping to remove it from the CXF master but 
we agreed to keep it for now. As far as CXF is concerned all the 
'investment' goes into its OAuth2 and OIDC and JOSE code.

I've updated

https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth

see

https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth#JAX-RSOAuth-Client-sidesupport

My understanding is that your task is really to write client code which 
will be able to talk to a 3rd party server which is protected by an 
OAuth1.0 filter.

As far as the client side support for OAuth1.0a is concerned, CXF only 
offers OAuthClientUtils which can help to correctly format Authorization 
headers or get some tokens, etc

Cheers, Sergey
On 01/06/17 14:35, nicolasduminil wrote:
> Hello,
> 
> My company is looking to implement an electronic signing solution based on
> an external service provider. This service provider provides a set of REST
> services which require OAuth 1.0a authentication/authorization. They don't
> support 3-leg flow at all, they don't recommend to use 2-leg, but only
> 1-leg.
> 
> Looking at the CXF documentation, I found these two pages:
> http://cxf.apache.org/docs/cxf-oauth-10.html,
> http://cxf.apache.org/docs/jax-rs-oauth.html, but it is still difficult to
> get an idea of what CXF proposes as far as OAuth 1.0a is concerned, and more
> specifically 1-leg flow.
> 
> Additionally, the links on these pages are broken such that it is not
> possible to download either the CXF OAuth 1.0 Extension, as proposed, or the
> samples OAuth Demo Server and OAuth Demo Client.
> 
> Last but not least, our REST clients supposed to use OAuth 1.0a will run as
> Java EE components deployed on WebSphere 9.0.0.3 which comes with Apache
> 3.0.3. We don't have the option to use another release of Apache CXF than
> the one coming with WebSphere. And customizing Apache CXF 3.0.3 in
> WebSphere is probably difficult or not possible given that it comes bundled
> in a quite rigid way.
> 
> So my questions are: what options would we have here? Is it possible to use
> Apache CXF for these purposes and, if yes, how? Where can I find examples
> of JAX-RS clients? And how to download and install the required extensions
> in the already bundled CXF on WebSphere?
> 
> Many thanks in advance, for your help.
> 
> Kind regards,
> Nicolas
> 
> 
> 
> 
> 


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/