Posted to users@cxf.apache.org by Peter De Winter <pe...@mijathi.be> on 2014/03/25 11:50:34 UTC

CXF JAX-RS OAUTH2 audiences, why bean property based check in handleTokenRequest?

Hello,

Looking at the current implementation we have noticed there are multiple
checks happening on audiences when handling a token request. One of the checks
raises some questions for us. The handleTokenRequest method in
AccessTokenService has a check being done on the presence of the audience
passed through the request in a pre-populated List property of the
AccessTokenService. The way we go about this is to fill the List of
audiences in the Spring bean configuration. This however makes the list
fairly static. Wouldn't it make more sense to add an implementable method in
OAuthDataProvider to fetch a list of "active" audiences by consulting the
clients?


@Path("/token")
public class AccessTokenService extends AbstractTokenService {
    private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
    private List<String> audiences = new LinkedList<String>();

    ...

    @POST
    @Consumes("application/x-www-form-urlencoded")
    @Produces("application/json")
    public Response handleTokenRequest(MultivaluedMap<String, String> params) {

        ...

        try {
            checkAudience(params);
        } catch (OAuthServiceException ex) {
            return super.createErrorResponseFromBean(ex.getError());
        }

Thanks,

Peter



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-JAX-RS-OAUTH2-audiences-why-bean-property-based-check-in-handleTokenRequest-tp5741813.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF JAX-RS OAUTH2 audiences, why bean property based check in handleTokenRequest?

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 25/03/14 10:50, Peter De Winter wrote:
> Hello,
>
> Looking at the current implementation we have noticed there are multiple
> checks happening on audiences when handling a token request. One of the checks
> raises some questions for us. The handleTokenRequest method in
> AccessTokenService has a check being done on the presence of the audience
> passed through the request in a pre-populated List property of the
> AccessTokenService. The way we go about this is to fill the List of
> audiences in the Spring bean configuration. This however makes the list
> fairly static. Wouldn't it make more sense to add an implementable method in
> OAuthDataProvider to fetch a list of "active" audiences by consulting the
> clients?
>
This AccessTokenService property represents a list of audiences known to 
this specific service instance.
Each Client may have its own unique audience value and 
AccessTokenService may validate it.

But note, having AccessTokenService validate it is optional. If the 
list is empty the validation at this level is skipped; it is there 
simply to minimize the amount of OAuth2-related work the actual 
providers have to do, the idea is for them to focus on the data storage 
activities...
But you can defer the validation and let the provider do it, the 
audience property is passed along with the AccessTokenRegistration bean.

HTH, Sergey

>
> @Path("/token")
> public class AccessTokenService extends AbstractTokenService {
>     private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
>     private List<String> audiences = new LinkedList<String>();
>
>     ...
>
>     @POST
>     @Consumes("application/x-www-form-urlencoded")
>     @Produces("application/json")
>     public Response handleTokenRequest(MultivaluedMap<String, String> params) {
>
>         ...
>
>         try {
>             checkAudience(params);
>         } catch (OAuthServiceException ex) {
>             return super.createErrorResponseFromBean(ex.getError());
>         }
>
> Thanks,
>
> Peter
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
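Added illustration, not code from the CXF project or from either poster, of the two places the thread discusses for validating the "audience" request parameter: the optional service-level check against a static list (skipped when the list is empty), and the provider-level check that Sergey suggests deferring to, where the allowed audiences come from the client's own registration data. The classes RegisteredClient, TokenRegistration and AudienceDecision are stand-ins written for this example; they are not CXF's Client or AccessTokenRegistration types, and the sample client registrations are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical client record: the data a provider keeps per registered OAuth2 client. */
final class RegisteredClient {
    final String clientId;
    final List<String> registeredAudiences; // resource servers this client may obtain tokens for
    RegisteredClient(String clientId, List<String> registeredAudiences) {
        this.clientId = clientId;
        this.registeredAudiences = Collections.unmodifiableList(registeredAudiences);
    }
}

/** Hypothetical stand-in for the registration bean the token service hands to the provider. */
final class TokenRegistration {
    final RegisteredClient client;
    final String requestedAudience; // null when the token request carried no "audience" parameter
    TokenRegistration(RegisteredClient client, String requestedAudience) {
        this.client = client;
        this.requestedAudience = requestedAudience;
    }
}

/** Result of a check: the audience to bind into the issued token, or an OAuth2 error code. */
final class AudienceDecision {
    final String audienceForToken; // null means the token is issued without an audience restriction
    final String error;            // null on success, otherwise an OAuth2 error code
    private AudienceDecision(String audienceForToken, String error) {
        this.audienceForToken = audienceForToken;
        this.error = error;
    }
    static AudienceDecision allow(String audience) { return new AudienceDecision(audience, null); }
    static AudienceDecision reject(String error)   { return new AudienceDecision(null, error); }
    @Override public String toString() {
        return error == null ? "issue token, aud=" + audienceForToken : "reject: " + error;
    }
}

final class AudienceChecks {
    /** Service-level check modelled on the static list from the thread: an empty list disables
     *  the check, a request without an audience passes through, otherwise the value must be listed. */
    static AudienceDecision serviceLevel(List<String> knownAudiences, String requestedAudience) {
        if (knownAudiences.isEmpty() || requestedAudience == null) {
            return AudienceDecision.allow(requestedAudience);
        }
        return knownAudiences.contains(requestedAudience)
                ? AudienceDecision.allow(requestedAudience)
                : AudienceDecision.reject("invalid_request");
    }

    /** Provider-level check: the requested audience is validated against what this particular
     *  client registered, so the allowed set lives with the client data instead of a bean property. */
    static AudienceDecision providerLevel(TokenRegistration reg) {
        List<String> allowed = reg.client.registeredAudiences;
        String requested = reg.requestedAudience;
        if (requested == null) {
            // Nothing asked for: bind the client's single registered audience if it has exactly one,
            // otherwise issue the token unrestricted (a design choice made for this example).
            return AudienceDecision.allow(allowed.size() == 1 ? allowed.get(0) : null);
        }
        // Never issue a token for an audience the client did not register; a token minted for one
        // resource server must not be usable at another.
        return allowed.contains(requested)
                ? AudienceDecision.allow(requested)
                : AudienceDecision.reject("invalid_request");
    }
}

public class AudienceCheckDemo {
    public static void main(String[] args) {
        // Constructed sample registrations, not real clients or hosts.
        Map<String, RegisteredClient> clients = new HashMap<>();
        clients.put("app-a", new RegisteredClient("app-a", Arrays.asList("https://orders.example.test")));
        clients.put("app-b", new RegisteredClient("app-b",
                Arrays.asList("https://orders.example.test", "https://billing.example.test")));

        // Static service-level list as configured on the bean; empty list skips the check entirely.
        List<String> serviceList = Arrays.asList("https://orders.example.test");
        System.out.println(AudienceChecks.serviceLevel(serviceList, "https://billing.example.test"));
        System.out.println(AudienceChecks.serviceLevel(Collections.<String>emptyList(), "https://billing.example.test"));

        // Provider-level decisions driven by each client's own registration.
        System.out.println(AudienceChecks.providerLevel(new TokenRegistration(clients.get("app-a"), null)));
        System.out.println(AudienceChecks.providerLevel(new TokenRegistration(clients.get("app-a"), "https://billing.example.test")));
        System.out.println(AudienceChecks.providerLevel(new TokenRegistration(clients.get("app-b"), "https://billing.example.test")));
    }
}
```

Run with `javac AudienceCheckDemo.java && java AudienceCheckDemo`. The two service-level calls show the behaviour Sergey describes: the same billing audience is rejected while the static list is populated and accepted once the list is empty, which is exactly why the check has to be repeated (or moved) in the provider when audiences vary per client.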