Posted to issues@cxf.apache.org by "Steven Tippetts (JIRA)" <ji...@apache.org> on 2012/11/28 00:32:58 UTC

[jira] [Created] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Steven Tippetts created CXF-4656:
------------------------------------

             Summary: [OAuth 2] Add attributes property to UserSubject object
                 Key: CXF-4656
                 URL: https://issues.apache.org/jira/browse/CXF-4656
             Project: CXF
          Issue Type: Improvement
    Affects Versions: 2.7.0, 2.6.3
            Reporter: Steven Tippetts


I need to be able to provide a few authentication attributes to my endpoints along with the login and roles. These attributes are things like the principal's id or name and come from the authentication provider. An "attributes" property that is a Map<String, String> in the UserSubject object would work out nicely.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13505579#comment-13505579 ] 

Sergey Beryozkin commented on CXF-4656:
---------------------------------------

Thanks for the update; 

I wonder if you are doing it right or not... The token subject is the end user subject which was created by ImplicitGrantService by calling on the implementation of AuthorizationCodeDataProvider, it is not a very good name for the provider used with the Implicit service :-) but the responsibility of the provider implementing AuthorizationCodeDataProvider is the same really whether the code or implicit grant is used...

So when this subject is created by ImplicitGrantService, only the principal name and roles if any are added - I'll need to make it easier to customize it by at least making the method where it is done protected, but at the moment it is not even possible to customize it. 

Next, AccessTokenService is expected to use org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler - you can def write your own but the point is that it is exactly that  subject that was created at the previous step which is supposed to be presented as the token subject to the data provider - otherwise, if the token subject is set to be the same as the client subject then the filter will let the client access the resources of all the end users...

Can you have a look please at AuthorizationCodeGrantHandler? Do you use it, and if you don't, then is it what you do in your custom grant handler?

thanks



                

[jira] [Resolved] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-4656.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.7.1
                   2.6.4
         Assignee: Sergey Beryozkin
    

[jira] [Commented] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506034#comment-13506034 ] 

Steven Tippetts commented on CXF-4656:
--------------------------------------

Perfect, thank you.
                

[jira] [Commented] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13505545#comment-13505545 ] 

Steven Tippetts commented on CXF-4656:
--------------------------------------

Sorry for including too few details. The process I need the change in is when AccessTokenValidatorService on the OAuth server returns the AccessTokenValidation which contains a UserSubject named tokenSubject.  I create the UserSubject in the getAccessToken method of my ImplicitDataProvider object and add it to the ServerAccessToken that is returned from that method.  I've saved these attributes with the other token data in my database and want to return them when a token has been successfully validated by the OAuth server.
                

[jira] [Commented] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13505460#comment-13505460 ] 

Sergey Beryozkin commented on CXF-4656:
---------------------------------------

Are you referring to the out-of-band client registration process and specifically to Client UserSubject ?
                

[jira] [Commented] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13505998#comment-13505998 ] 

Sergey Beryozkin commented on CXF-4656:
---------------------------------------

Hi - I got completely confused with all the grants - thanks for reminding me and explaining how ImplicitGrantService is supposed to work :-)

That is it - I'll make that method protected and next we can think of customizing it further somehow...

I'm fine with setting the extra attributes - however Map is tricky to deal with when JAXB is involved if the validation is done remotely; I'd like to avoid adding type adapters for getting the map marshalled... So I think of introducing a utility Property class (name, value fields) and then keeping them in a List...I'll think more about it...



  

                

[jira] [Updated] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven Tippetts updated CXF-4656:
---------------------------------

    Component/s: JAX-RS Security
    

[jira] [Commented] (CXF-4656) [OAuth 2] Add attributes property to UserSubject object

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13505888#comment-13505888 ] 

Steven Tippetts commented on CXF-4656:
--------------------------------------

Because I'm using the implicit grant type I don't have a grant handler.

I forgot to mention in my last comment that I had to change RedirectionBasedGrantService.java to make createUserSubject protected instead of private (line 237). I then did an Override on that method that creates a UserSubject with the principal, roles, and attributes.  I think this is what you were referring to in your comment about making it easier to customize.

After the UserSubject is created in my createUserSubject, it is then passed into ImplicitGrantService, which is put into an AccessTokenRegistration, which is passed to my OAuthDataProvider's createAccessToken method.  In that method, in addition to creating the token, I save the token information to my database, including the additional attributes from the UserSubject object. The access token is then returned to the client. The client then sends this token to an endpoint and requests information.

When the endpoint validates the token with the OAuth server, the getAccessToken method on my OAuthDataProvider is called.  I load the token information from my database, including the additional UserSubject attributes, and create the ServerAccessToken.  This token is then passed to the endpoint.  The endpoint can then use the OAuthContext to access the UserSubject attributes.

I hope this makes sense and helps.  Thanks!
                
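
The flow described in the comment above (subject built at authorization time, attributes saved with the token, returned again at validation), as an added example that is not part of the original thread and is not CXF code. Every class and method here (`Prop`, `Subject`, `TokenStore`, `mayRead`) is a hypothetical stand-in, and the attributes are held as a list of name/value pairs, the shape suggested elsewhere in the thread.

```java
import java.util.*;
class TokenSubjectDemo {
    // Hypothetical name/value pair; a List of these avoids marshalling a Map.
    static final class Prop {
        final String name, value;
        Prop(String name, String value) { this.name = name; this.value = value; }
    }

    // Hypothetical stand-in for the end-user subject (not CXF's UserSubject).
    static final class Subject {
        final String login;
        final List<Prop> attributes;
        Subject(String login, List<Prop> attributes) {
            this.login = login;
            this.attributes = List.copyOf(attributes); // immutable copy
        }
    }

    // Hypothetical data provider; the map stands in for the token database.
    static final class TokenStore {
        private final Map<String, Subject> byToken = new HashMap<>();

        // Issue time: persist the end user's subject, attributes included.
        String createAccessToken(Subject endUser) {
            String token = UUID.randomUUID().toString();
            byToken.put(token, Objects.requireNonNull(endUser));
            return token;
        }

        // Validation time: unknown tokens are rejected, never given a default subject.
        Subject getAccessToken(String token) {
            Subject s = byToken.get(token);
            if (s == null) throw new SecurityException("unknown token");
            return s;
        }
    }

    // Endpoint check: access is scoped to the token subject's login.
    static boolean mayRead(Subject tokenSubject, String resourceOwner) {
        return tokenSubject.login.equals(resourceOwner);
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore();
        Subject alice = new Subject("alice", List.of(new Prop("principalId", "1001"))); // constructed
        Subject seen = store.getAccessToken(store.createAccessToken(alice));
        System.out.println(seen.attributes.get(0).name + "=" + seen.attributes.get(0).value);
        System.out.println(mayRead(seen, "alice") + " " + mayRead(seen, "bob"));
    }
}
```

Because the endpoint check keys on the subject stored with the token, that subject has to be the end user who approved the grant rather than the client's own subject.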