You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2016/05/26 11:47:36 UTC
svn commit: r989181 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html

Author: buildbot
Date: Thu May 26 11:47:35 2016
New Revision: 989181

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu May 26 11:47:35 2016
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1464259620446 {padding: 0px;}
-div.rbtoc1464259620446 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1464259620446 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464263220130 {padding: 0px;}
+div.rbtoc1464263220130 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464263220130 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1464259620446">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464263220130">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization View</a></li><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
@@ -150,14 +150,14 @@ div.rbtoc1464259620446 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul>
 </li></ul>
-</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>New:</p><ul style="list-style-type: square;"><li>OAuth2 module now depends on CXF cxf-rt-rs-security-jose module with the utility code in place to support a number of OAuth2 features depending on JOSE <br clear="none"><br clear="none"></li></ul><p>CXF provides the implementation of <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc6749" rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth 1.0.</p><p>Authorization Code, Implicit, Client Credentials, Resource Owner Password Credentials, Refresh Token, SAML2 Assertions and JWT assertion grants are currently supported.</p><p>Custom grant handlers can be registered.</p><p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping end users (resource owners) authorize third-party providers to access their resources.</p><p>The OAuth2 flow which is clos
 ely related to the original OAuth 1.0 3-leg flow is called Authorization Code and involves 3 parties: the end user, the third party service (client) and the resource server which is protected by OAuth2 filters. Typically a client offers a service feature that an end user requests and which requires the former to access one or more protected resources on behalf of this user which are located at the resource server. For example, the client may need to access the end user's photos in order to print them and post to the user or read and possibly update a user's calendar in order to make a booking.</p><p>In order to make it happen, the third-party service application/client needs to register itself with the OAuth2 server. This happens out-of-band and after the registration the client gets back a client key and secret pair. Typically the client is expected to provide the name and description of the application, the application logo URI, one or more redirect URIs, and other information tha
 t may help the OAuth2 authorization server to identify this client to the end user at the authorization time.</p><p>From then on, the authorization code flow works like this:<br clear="none"> 1. End User requests the third-party service using a browser.</p><p>2. The client redirects the end user to OAuth2 Authorization Service, adding its client id, the state, redirect URI and the optional scope to the target URI. The state parameter represents the current end user's request, redirect URI - where the authorization code is expected to be returned to, and the scope is the list of opaque permissions that the client needs in order to access the protected resources.</p><p>3. Authorization Service will retrieve the information about the client using its client id, build an HTML form and return it to the end user. The form will ask the user if a given third-party application can be allowed to access some resources on behalf of this user.</p><p>4. If the user approves it then Authorization 
 Service will generate an authorization code and redirect the user back to the redirect uri provided by the client, also adding a state parameter to the redirect URI.</p><p>5. The client requests an access token from OAuth2 Access Token Service by providing an authorization code grant.</p><p>6. After getting an access token token, the service finally proceeds with accessing the current user's resources and completes the user's request.</p><p>As you can see the flow can be complex yet it is very effective. A number of issues may need to be taken care along the way such as managing expired tokens, making sure that the OAuth2 security layer is functioning properly and is not interfering with the end user itself trying to access its own resources, etc.</p><p>Please check the <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2" rel="nofollow">specification</a> and the <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/OAuth#OAut
 h_2.0" rel="nofollow">Wikipedia article</a> as well as other resources available on the WEB for more information you may need to know about OAuth2.</p><p>CXF JAX-RS gives the best effort to making this process as simple as possible and requiring only a minimum effort on behalf of OAuth2 server developers. It also offers the utility code for greatly simplifying the way the third-party application can interact with the OAuth2 service endpoints.</p><h1 id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>New:</p><ul style="list-style-type: square;"><li>OAuth2 module now depends on CXF cxf-rt-rs-security-jose module with the utility code in place to support a number of OAuth2 features depending on JOSE <br clear="none"><br clear="none"></li></ul><p>CXF provides the implementation of <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc6749" rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth 1.0.</p><p>Authorization Code, Implicit, Client Credentials, Resource Owner Password Credentials, Refresh Token, SAML2 Assertions and JWT assertion grants are currently supported.</p><p>Custom grant handlers can be registered.</p><p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping end users (resource owners) authorize third-party providers to access their resources.</p><p>The OAuth2 flow which is clos
 ely related to the original OAuth 1.0 3-leg flow is called Authorization Code and involves 3 parties: the end user, the third party service (client) and the resource server which is protected by OAuth2 filters. Typically a client offers a service feature that an end user requests and which requires the former to access one or more protected resources on behalf of this user which are located at the resource server. For example, the client may need to access the end user's photos in order to print them and post to the user or read and possibly update a user's calendar in order to make a booking.</p><p>In order to make it happen, the third-party service application/client needs to register itself with the OAuth2 server. This happens out-of-band and after the registration the client gets back a client key and secret pair. Typically the client is expected to provide the name and description of the application, the application logo URI, one or more redirect URIs, and other information tha
 t may help the OAuth2 authorization server to identify this client to the end user at the authorization time.</p><p>From then on, the authorization code flow works like this:<br clear="none"> 1. End User requests the third-party service using a browser.</p><p>2. The client redirects the end user to OAuth2 Authorization Service, adding its client id, the state, redirect URI and the optional scope to the target URI. The state parameter represents the current end user's request, redirect URI - where the authorization code is expected to be returned to, and the scope is the list of opaque permissions that the client needs in order to access the protected resources.</p><p>3. Authorization Service will retrieve the information about the client using its client id, build an HTML form and return it to the end user. The form will ask the user if a given third-party application can be allowed to access some resources on behalf of this user.</p><p>4. If the user approves it then Authorization 
 Service will generate an authorization code and redirect the user back to the redirect uri provided by the client, also adding a state parameter to the redirect URI.</p><p>5. The client requests an access token from OAuth2 Access Token Service by providing an authorization code grant.</p><p>6. After getting an access token token, the service finally proceeds with accessing the current user's resources and completes the user's request.</p><p>As you can see the flow can be complex yet it is very effective. A number of issues may need to be taken care along the way such as managing expired tokens, making sure that the OAuth2 security layer is functioning properly and is not interfering with the end user itself trying to access its own resources, etc.</p><p>Please check the <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc6749" rel="nofollow">specification</a> as well as other resources available on the WEB for more information you may need to know about OAuth2
 .</p><p>CXF JAX-RS gives the best effort to making this process as simple as possible and requiring only a minimum effort on behalf of OAuth2 server developers. It also offers the utility code for greatly simplifying the way the third-party application can interact with the OAuth2 service endpoints.</p><h1 id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-oauth2&lt;/artifactId&gt;
   &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;
 </pre>
-</div></div><h1 id="JAX-RSOAuth2-ClientRegistration">Client Registration</h1><p>Client Registration is typically done out of band, with the the dynamic client registration being also possible.<br clear="none"> The client registration service will offer an HTML form where the clients will enter their details, see a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a> bean for the currently supported properties. </p><h1 id="JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</h1><p>OAuth2 server is the core piece of the complete OAuth2-based solution. Typically it contains 2 services for:<br clear="none"> 1. Authorizing request tokens by asking the end users to let clients access some of their resources and returning the<br clear="none"> grants back to the client (Authorization Service)<br clear="none"> 2. Exchanging the token g
 rants for access tokens (Access Token Service)</p><p>CXF offers several JAX-RS service implementations that can be used to create the OAuth2 servers fast: <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a> for managing the redirection-based flows, as well as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java">AccessTokenService</a> for exchanging the grants for new tokens.</p><p>Note that some grants that do not
  require the redirection-based support, such as SAML2 one, etc, may only require an Access Token Service be operational.</p><p>All of these services rely on the custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a> which persists the access tokens and converts the opaque scope values to the information that can be presented to the users. Additionally, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a> is an OAuthDataProvider which can keep temporary information about the authorization code grants which needs to be removed after the tokens are requested in exchange.</p><p>Writing your own AuthorizationCodeDataProv
 ider or OAuthDataProvider implementation is what is needed to get the OAuth2 server up and running. In many cases all you need to do is to persist or remove the Authorization Code Grant data, use one of the available utility classes to create a new access token and also persist it or remove the expired one, and finally convert the optional opaque scope values (if any are supported) to a more view-able information.</p><p>CXF 3.1.7 ships JPA2 (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java" rel="nofollow">JPAOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java" rel="nofollow">JPACodeDataProvider</a>), Ehcache (<a shape="rect" class="external-link" href="h
 ttps://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java" rel="nofollow">DefaultEHCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java" rel="nofollow">DefaultEHCacheCodeDataProvider</a>) and JCache ( (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java" rel="nofollow">JCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java" rel="nofollow">JCacheCo
 deDataProvider</a>) provider implementations which take care of all the persistence tasks: saving or removing registered clients, tokens and code grants. These providers can be easily customized. Custom implementations can also extend&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java" rel="nofollow">AbstractOAuthDataProvider</a> or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java" rel="nofollow">AbstractCodeDataProvider</a>&#160; and only implement their abstract persistence related methods or further customize some of their code.</p><p>&#160;</p><h2 id="JAX-RSOAuth2-AuthorizationService">Authorization Service</h2><p>The main responsibility of OAuth2 Authorizati
 on Service is to present an end user with a form asking the user to allow or deny the client accessing some of the user resources. CXF offers <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a> for accepting the redirection requests, challenging the end users with the authorization forms, handling the end user decisions and returning the results back to the clients.</p><p>One of the differences between the AuthorizationCode and Implicit flows is that in the latter case the grant is the actual access token which is returned as the URI fragment value. The way the
  end user is asked to authorize the client request is similar between the two flows. In this section we will assume that the Authorization Code flow is being exercized.</p><p>A third-party client redirects the current user to AuthorizationCodeGrantService, for example, here is how a redirection may happen:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><h1 id="JAX-RSOAuth2-ClientRegistration">Client Registration</h1><p>Client Registration is typically done out of band, with the the dynamic client registration being also possible.<br clear="none"> The client registration service will offer an HTML form where the clients will enter their details, see a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java" rel="nofollow">Client</a> bean for the currently supported properties.</p><p>See <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/clients/ClientRegistrationService.java" rel="nofollow">this JAX-RS service implementation</a> for one possible approach.</p><h1 id="JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</h1><p>OAuth2 server is the core piece of the complete OAuth2
 -based solution. Typically it contains 3 services for:<br clear="none"> 1. Authorizing request tokens by asking the end users to let clients access some of their resources and returning the<br clear="none"> grants back to the client (Authorization Service)<br clear="none"> 2. Exchanging the token grants for access tokens (Access Token Service)</p><p>3. Validating access tokens</p><p>&#160;</p><p>CXF offers several JAX-RS service implementations that can be used to create the OAuth2 servers fast: <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java" rel="nofollow">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java" rel="nofollow">ImplicitG
 rantService</a> for managing the redirection-based flows, as well as <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java" rel="nofollow">AccessTokenService</a> for exchanging the grants for new tokens.</p><p>All of these services rely on the custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> which persists the access tokens and converts the opaque scope values to the information that can be presented to the users. Additionally, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java" rel
 ="nofollow">AuthorizationCodeDataProvider</a> is an&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> which can keep temporary information about the authorization code grants which needs to be removed after the tokens are requested in exchange.</p><p>Note that some grants that do not require the redirection-based support, such as Client Credentials or SAML2 or JWT assertion grants, and may only require an Access Token Service be operational.</p><p>If your OAuth2 server does support either Authorization Code or Implicit flow then either&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java" rel="nofollow">AuthorizationCodeGrantServi
 ce</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java" rel="nofollow">ImplicitGrantService</a> need to be registered. If both services need to be supported then simply register two of them, but note each service will have its own&#160;@Path segment, "/authorize" and&#160;"/authorize-implicit". If you'd like both services listening on the same path then use <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationService.java" rel="nofollow">AuthorizationService</a> and inject&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java" re
 l="nofollow">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java" rel="nofollow">ImplicitGrantService</a> beans into it.</p><p>If no AuthorizationCode redirection flow is supported then implementing <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> is sufficent.</p><p>Writing your own <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java" rel="nofollow">AuthorizationCodeDataProvider</a> is an&#160;<a shape="rect" class="external-link" href="https://git
 hub.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> implementation is what is needed to get the OAuth2 server up and running. In many cases all you need to do is to persist or remove the Authorization Code Grant data, use one of the available utility classes to create a new access token and also persist it or remove the expired one, and finally convert the optional opaque scope values (if any are supported) to a more view-able information.</p><p>CXF ships several default provider implementations, see the section on wirting the providers below.</p><p>&#160;</p><h2 id="JAX-RSOAuth2-AuthorizationService">Authorization Service</h2><p>The main responsibility of OAuth2 Authorization Service is to present an end user with a form asking the user to allow or deny the client accessing some of the user resources. CXF offers&#160; <a shape="rect" class="external-li
 nk" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java" rel="nofollow">AuthorizationCodeGrantService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java" rel="nofollow">ImplicitGrantService</a> for accepting the redirection requests, challenging the end users with the authorization forms, handling the end user decisions and returning the results back to the clients.</p><p>One of the differences between Authorization Code and Implicit flows is that in the latter case the grant is the actual access token which is returned as the URI fragment value to the client script running in the browser. The way the end user is asked to authorize the client request is similar between the two flows. In this section we w
 ill assume that the Authorization Code flow is being used.</p><p>A third-party client redirects the current user to AuthorizationCodeGrantService, for example, here is how a redirection may happen:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">Response-Code: 303
 Headers: {Location=[http://localhost:8080/services/social/authorize?client_id=123456789&amp;scope=updateCalendar-7&amp;response_type=code
 &amp;redirect_uri=http%3A//localhost%3A8080/services/reservations/reserve/complete&amp;state=1], 
@@ -179,7 +179,7 @@ Referer=[http://localhost:8080/services/
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">12-Apr-2012 13:26:21 org.apache.cxf.rs.security.oauth2.services.AbstractOAuthService checkTransportSecurity
 WARNING: Unsecure HTTP, Transport Layer Security is recommended
 </pre>
-</div></div><p>It can also be configured to reject the requests over un-secure HTTP transport.</p><p>AuthorizationCodeGrantService will retrieve the information about the <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">client application</a> to populate an instance of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a> bean and return it. OAuthAuthorizationData contains application name and URI properties, optional list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s and other properties which can be either
  presented to the user or kept in the hidden form fields in order to uniquely identify the actual authorization request when the end user returns the decision.</p><p>One important OAuthAuthorizationData property is "authenticityToken". It is used for validating that the current session has not been hijacked - AuthorizationCodeGrantService generates a random key, stores it in a Servlet HTTPSession instance and expects the returned authenticityToken value to match it - this is a recommended approach and it also implies that the authenticityToken value is hidden from a user, for example, it's kept in a 'hidden' form field. The other properties which are meant to be hidden are clientId, state, redirectUri, proposedScope.</p><p>The helper "replyTo" property is an absolute URI identifying the AuthorizationCodeGrantService handler processing the user decision and can be used by view handlers when building the forms or by other OAuthAuthorizationData handlers.</p><p>So the populated OAuthAu
 thorizationData is finally returned. Note that it's a JAXB XMLRootElement-annotated bean and can be processed by registered JAXB or JSON providers given that AuthorizationCodeGrantService supports producing "application/xml" and "application/json" (See the OAuth Without Browser section below for more). But in this case we have the end user working with a browser so an HTML form is what is really expected back.</p><p>AuthorizationCodeGrantService supports producing "text/html" and simply relies on a registered <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider">RequestDispatcherProvider</a> to set the OAuthAuthorizationData bean as an HttpServletRequest attribute and redirect the response to a view handler (can be JSP or some other servlet) to actually build the form and return it to the user. See the section below on other alternatives on how a view can be created.</p><p>Assuming RequestDispatcherProvider is used,
  the following example log shows the initial response from AuthorizationCodeGrantService:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>It can also be configured to reject the requests over insecure HTTP transport.</p><p>AuthorizationCodeGrantService will retrieve the information about the <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java" rel="nofollow">client application</a> to populate an instance of <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java" rel="nofollow">OAuthAuthorizationData</a> bean and return it. OAuthAuthorizationData contains application name and URI properties, optional list of <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java" rel="nofollow">Permiss
 ion</a>s and other properties which can be either presented to the user or kept in the hidden form fields in order to uniquely identify the actual authorization request when the end user returns the decision.</p><p>One important OAuthAuthorizationData property is "authenticityToken". It is used for validating that the current session has not been hijacked - AuthorizationCodeGrantService generates a random key, stores it in a Servlet HTTPSession instance and expects the returned authenticityToken value to match it - this is a recommended approach and it also implies that the authenticityToken value is hidden from a user, for example, it's kept in a 'hidden' form field. See also "User Session Authenticity" on how <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java" rel="nofollow">SessionAuthenticityTokenProvider</a> can hel
 p.</p><p>A number of properties which have been submitted to the authorization endpoint with the original user redirect need to be made available after the user has been challenged with the autorization consent form, when the user makes an authorization decision. These are properties such as 'clientId', 'state', 'redirectUri', and other properties, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java" rel="nofollow">this class</a> which is extended by OAuthAuthorizationData. One simple approach is to have a view handler preparing an authorization form with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java" rel="nofollow">OAuthAuthorizationData</a> to have these properties hidden i
 n the form. Another option is to secure them in a session thus making the view creation process much simpler, see "User Session Authenticity" for one example.</p><p>The helper "replyTo" property is an absolute URI identifying the AuthorizationCodeGrantService handler processing the user decision and can be used by view handlers when building the forms or by other OAuthAuthorizationData handlers.</p><p>So the populated OAuthAuthorizationData is finally returned. Note that it's a JAXB XMLRootElement-annotated bean and can be processed by registered JAXB or JSON providers given that AuthorizationCodeGrantService supports producing "application/xml" and "application/json" (See the OAuth Without Browser section below for more). But in this case we have the end user working with a browser so an HTML form is what is really expected back.</p><p>AuthorizationCodeGrantService supports producing "text/html" and simply relies on a registered <a shape="rect" href="http://cxf.apache.org/docs/jax-
 rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider">RequestDispatcherProvider</a> to set the OAuthAuthorizationData bean as an HttpServletRequest attribute and redirect the response to a view handler (can be JSP or some other servlet) to actually build the form and return it to the user. See the section below on other alternatives on how a view can be created.</p><p>Assuming RequestDispatcherProvider is used, the following example log shows the initial response from AuthorizationCodeGrantService:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">12-Apr-2012 13:26:21 org.apache.cxf.jaxrs.provider.RequestDispatcherProvider logRedirection
 INFO: Setting an instance of "org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData" as HttpServletRequest 
 attribute "data" and redirecting the response to "/forms/oauthAuthorize.jsp".
@@ -217,11 +217,11 @@ Authorization=[Basic YmFycnlAcmVzdGF1cmF
 Cookie=[JSESSIONID=1c289vha0cxfe],
 }
 </pre>
-</div></div><p>If a user decision was set to "deny" then the error will be returned to the client.</p><p>Assuming the decision was "allow", the client has now received back the authorization code grant and is ready to exchange it for a new access token.</p><h3 id="JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization View</h3><p>Typically one can use RequestDispatcherProvider to redirect to a view handler like JSP. Overriding RedirectionBasedService.startAuthorization by delegating to the superclass and then converting the Response to HTML or writing a custom MessageBodyWriter that will do the conversion are other two options.</p><p>Yet another option is to register <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-advanced-xml.html#JAX-RSAdvancedXML-XSLTsupport">XSLTJaxbProvider</a> which would convert OAuthAuthorizationData to HTML or JAXBProvider set with a reference to an XSLT stylesheet.</p><h3 id="JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name
  in Authorization Form</h3><p>You may want to display a resource owner/end user name in the authorization form this user will be facing, you can get org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider registered with either AuthorizationCodeGrantService or ImplicitGrantService.<br clear="none"> org.apache.cxf.rs.security.oauth2.provider.DefaultResourceOwnerNameProvider, if registered, will return an actual login name, the custom implementations may choose to return a complete user name instead, etc.</p><h3 id="JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</h3><p>CXF 2.7.7 provides an initial support for public clients (such as various mobile devices).</p><p>Client can be 'public' if it has been registered as a public client with no client secret the service itself has a "canSupportPublicClients" property enabled. The same property will also have to be enabled on AccessTokenService (described in the next section) for a public client without a secret b
 e able to exchange a code grant for an access token.</p><h4 id="JAX-RSOAuth2-OOBResponse">OOB Response</h4><p>If a public client has not registered a redirect URI with the Authorization service then the authorization code can be returned out-of-band (OOB), see <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a> bean. By default, it is returned directly to the end user, unless a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OOBResponseDeliverer.java">OOBResponseDeliverer</a> is registered with AuthorizationCodeGrantService which may deliver it to the client via some custom back channel.</p><p>Having OOB responses supported is useful when a public client (typically a 
 device which can not keep the client secrets and where no redirect URI is supported) needs to get a code grant. What will happen is that a device owner will send a request to Authorization Service which may look like this:</p><div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
+</div></div><p>If a user decision was set to "deny" then the error will be returned to the client.</p><p>Assuming the decision was "allow", the client has now received back the authorization code grant and is ready to exchange it for a new access token.</p><h3 id="JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization View</h3><p>Typically one can use RequestDispatcherProvider to redirect to a view handler like JSP. Overriding RedirectionBasedService.startAuthorization by delegating to the superclass and then converting the Response to HTML or writing a custom MessageBodyWriter that will do the conversion are other two options.</p><p>Yet another option is to register <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-advanced-xml.html#JAX-RSAdvancedXML-XSLTsupport">XSLTJaxbProvider</a> which would convert OAuthAuthorizationData to HTML or JAXBProvider set with a reference to an XSLT stylesheet.</p><h3 id="JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name
  in Authorization Form</h3><p>You may want to display a resource owner/end user name in the authorization form this user will be facing, you can get org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider registered with either AuthorizationCodeGrantService or ImplicitGrantService.<br clear="none"> org.apache.cxf.rs.security.oauth2.provider.DefaultResourceOwnerNameProvider, if registered, will return an actual login name, the custom implementations may choose to return a complete user name instead, etc.</p><h3 id="JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</h3><p>Client can be 'public' if it has been registered as a public client with no client secret the service itself has a "canSupportPublicClients" property enabled. The same property will also have to be enabled on AccessTokenService (described in the next section) for a public client without a secret be able to exchange a code grant for an access token.</p><h4 id="JAX-RSOAuth2-OOBResponse">OOB Res
 ponse</h4><p>If a public client has not registered a redirect URI with the Authorization service then the authorization code can be returned out-of-band (OOB), see <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java" rel="nofollow">OOBAuthorizationResponse</a> bean. By default, it is returned directly to the end user, unless a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OOBResponseDeliverer.java" rel="nofollow">OOBResponseDeliverer</a> is registered with AuthorizationCodeGrantService which may deliver it to the client via some custom back channel.</p><p>Having OOB responses supported is useful when a public client (typically a device which can not keep the client secrets and where no redirect 
 URI is supported) needs to get a code grant. What will happen is that a device owner will send a request to Authorization Service which may look like this:</p><div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
 <pre>GET
 http://localhost:8080/services/social/authorize?client_id=mobileClient&amp;response_type=code   
 </pre>
-</div></div><p>Assuming the 'mobileClient' has been registered as public one with no secret and the service has been set up to support such clients, the end user will get a chance to authorize this client the same way it can do confidential clients, and after this user gets back a code (delivered directly in the response HTML page by default) the user will enter the code securely into the device which will then replace it for a time-scoped access token by contacting AccessTokenService.</p><h4 id="JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code acquisition with redirect URI</h4><p>The following <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-sakimura-oauth-tcse-02" rel="nofollow">extension</a> is supported to help public clients with redirect URIs to accept the code securely staring from CXF 3.0.0-milestone2.</p><p>The public (mobile) client will include a 'code_verifier' value when requesting the authorization code and it will be saved by 
 Authorization service, with the help of the registered AuthorizationCodeDataProvider into an instance of ServerAuthorizationCodeGrant. The client will next request a token providing the 'code' and 'code_challenge' - the latter will be compared by AuthorizationCodeGrantHandler with the original 'code_verifier'. By default, the 'code_challenge' is expected to be equal to the original 'code_verifier', but the grant handler can be registered with the custom org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer - CXF ships a DigestCodeVerifierTransformer which implements a transformation mentioned in the extension.</p><h2 id="JAX-RSOAuth2-AccessTokenService">AccessTokenService</h2><p>The role of AccessTokenService is to exchange a token grant for a new access token which will be used by the client to access the end user's resources. <br clear="none"> Here is an example request log:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelCont
 ent pdl">
+</div></div><p>Assuming the 'mobileClient' has been registered as public one with no secret and the service has been set up to support such clients, the end user will get a chance to authorize this client the same way it can do confidential clients, and after this user gets back a code (delivered directly in the response HTML page by default) the user will enter the code securely into the device which will then replace it for a time-scoped access token by contacting AccessTokenService.</p><h4 id="JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code acquisition with redirect URI</h4><p>The following <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-oauth-spop-15" rel="nofollow">extension</a> is supported to help public clients with redirect URIs to accept the code securely.</p><p>The public (mobile) client will include a 'code_verifier' value when requesting the authorization code and it will be saved by Authorization service, with the help 
 of the registered AuthorizationCodeDataProvider into an instance of ServerAuthorizationCodeGrant. The client will next request a token providing the 'code' and 'code_challenge' - the latter will be compared by AuthorizationCodeGrantHandler with the original 'code_verifier'. By default, the 'code_challenge' is expected to be equal to the original 'code_verifier', but the grant handler can be registered with the custom org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer - CXF ships a DigestCodeVerifier which implements a transformation mentioned in the extension.</p><p>&#160;</p><h2 id="JAX-RSOAuth2-AccessTokenService">AccessTokenService</h2><p>The role of AccessTokenService is to exchange a token grant for a new access token which will be used by the client to access the end user's resources. <br clear="none"> Here is an example request log:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">Address: http://localhost:8080/services/oauth/token
 Http-Method: POST
 
@@ -370,7 +370,7 @@ ModelEncryptionSupport.decryptAccessToke
    // OAuthDataProvider methods
 }
 </pre>
-</div></div><p>CustomOAuthProvider will also remove all tokens associated with a given Client in removeClient(String cliendId).</p><p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes are used in the first place). In the former case AuthorizationCodeGrantService will use this list to populate <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a> - the reason this bean only sees <a shape="rect" class="external-link" href="http://svn.apache.org/repos
 /asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s is that some of the properties OAuthPermission keeps are of no interest to OAuthAuthorizationData handlers.</p><h3 id="JAX-RSOAuth2-DefaultProviders">Default Providers</h3><p>Starting from CXF 3.0.2 default Ehcache-based and encrypting&#160; OAuthDataProvider and AuthorizationCodeDataProvider implementations are shipped.</p><p>org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider and&#160;org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider use Ehcache to store grant, client, access and refresh token data.</p><p>org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider and&#160;org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider use an auto-generated or provided Java symmetric SecretKey to store grant, access and refresh token data.</p><p>Users are encoura
 ged to experiment with these default providers, customize them if needed and provide the feedback.</p><p>Users implementing their own persistence strategy may consider extending org.apache.cxf.rs.security.oauth2.grants.code.AbstractAuthorizationCodeDataProvider or org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider - these classes might help with taking care of some basic data initialization and check routines.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations and a custom OAuthDataProvider provider in place, it is time to deploy the OAuth2 server. <br clear="none"> Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>CustomOAuthProvider will also remove all tokens associated with a given Client in removeClient(String cliendId).</p><p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes are used in the first place). In the former case AuthorizationCodeGrantService will use this list to populate <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a> - the reason this bean only sees <a shape="rect" class="external-link" href="http://svn.apache.org/repos
 /asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s is that some of the properties OAuthPermission keeps are of no interest to OAuthAuthorizationData handlers.</p><h3 id="JAX-RSOAuth2-DefaultProviders">Default Providers</h3><p>CXF 3.1.7 ships JPA2 (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java" rel="nofollow">JPAOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java" rel="nofollow">JPACodeDataProvider</a>), Ehcache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/sec
 urity/oauth2/provider/DefaultEHCacheOAuthDataProvider.java" rel="nofollow">DefaultEHCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java" rel="nofollow">DefaultEHCacheCodeDataProvider</a>) and JCache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java" rel="nofollow">JCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java" rel="nofollow">JCacheCodeDataProvider</a>) provider implementations which take care of all the persistence tasks: saving or removing reg
 istered clients, tokens and code grants. These providers can be easily customized.</p><p>Custom implementations can also extend&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java" rel="nofollow">AbstractOAuthDataProvider</a> or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java" rel="nofollow">AbstractCodeDataProvider</a>&#160; and only implement their abstract persistence related methods or further customize some of their code.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations and a custom OAuthDataProvider provider in place, it is time to deploy the OAuth2 server. <br clear="no
 ne"> Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;!-- implements OAuthDataProvider --&gt;
 &lt;bean id="oauthProvider" class="oauth.manager.OAuthManager"/&gt;
      
@@ -416,7 +416,7 @@ ModelEncryptionSupport.decryptAccessToke
   &lt;/jaxrs:serviceBeans&gt;
 &lt;/jaxrs:server&gt;
 </pre>
-</div></div><p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in this case its absolute address will be something like "http://localhost:8080/services/myapp/authorize". This address and that of AccessTokenService will be used by third-party clients.</p><h1 id="JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</h1><p>When a client requests a token from Access Token Service, it needs to get authenticated. Providing its client_id and client secret as part of Basic Authorization scheme or posting them directly as form parameters are typical options, however other authentication schemes can easily be supported if required.</p><p>For example, using client certificates or assertions like SAML2 Bearer or JWT is all acceptable - the only additional requirement in this case is that a given security filter processing a specific authentication scheme maps the client credentials to an actual client_id - CXF Access Token Service will check a 
 "client_id" property on the current message context as the last resort. Note that org.apache.cxf.rs.security.oauth2.provider.ClientIdProvider can be registered with AccessTokenService to facilitate the mapping between an authenticated client and its id expected by the data provider if the container or filter based authentication can not set a "client_id" contextual property.</p><p>If a Basic authentication scheme is used and neither the container or filter has authenticated the client AccessTokenService will request a Client from the data provider and compare the Client's secret against the password found in the Basic scheme data. org.apache.cxf.rs.security.oauth2.provider.ClientSecretVerifier is available starting from CXF 3.0.3 to support Clients saving only password hashes. Its org.apache.cxf.rs.security.oauth2.provider.ClientSecretHashVerifier (calculates a SHA-256 password hash and compares it with the Client's secret) or custom implementations can be registered with AccessToke
 nService.</p><p>If a 2-way TLS is sued to authenticate a client and Client has a Base64 encoded representations of its X509Certificates available in its "applicationCertificates" property then AccessTokenService will do the additional comparison of these certificates against the ones available in the current TLS session.</p><p>Please see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for more information on how it may work.</p><h1 id="JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</h1><p>Redirection-based Authorization Code and Implicit flows depend on end users signing in if needed during the initial redirection, challenged with the client authorization form and returning their decision. By default, CXF will enforce the user session authenticity by keeping the session state in a servlet container's HTTPSession. If the alternative storage is preferred then you can register a new <a shape="rect" class="external-link" href="htt
 p://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java">SessionAuthenticityTokenProvider</a> (available from CXF 2.6.4) with either AuthorizationCodeGrantService or ImplicitGrantService beans.</p><h3 id="JAX-RSOAuth2-Keepingthestateinthesession">Keeping the state in the session</h3><p>Note that <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java">SessionAuthenticityTokenProvider</a> has been further updated in CXF 3.1.0 to support signing and/or encrypting some of the redirection properties that would otherwise have to be kept as HTML form hidden fields (see "Authorization Service" section).</p><p>CXF&#160; ships org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider that can be used as a <a shape
 ="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java">SessionAuthenticityTokenProvider</a> which JWS-signs and/or JWE-encrypts the properties and saves the result in the session. The HTML authorization forms will only have to have an "authenticityToken" property which the provider will use to match the session signed/encryped data and decrypt and/or validate the session data.</p><h3 id="JAX-RSOAuth2-MultipleFactorVerification">Multiple Factor Verification</h3><p>Note that <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java">SessionAuthenticityTokenProvider</a> has been updated in CXF 3.0.2 to accept request parameters and a reference to the authenticated user. This allo
 ws for introducing a multiple factor session verification: when the provider created a session property it can for example sent a message to a user's mobile phone expect the authorization consent form return the sent value.</p><p>The other minor enhancement is that RedirectionBasedGrantService will check the authorization content form for the name of the form property that contains a session authentication property, using a "session_authenticity_token_param_name" property name. This allows for the 'rotation' of hidden form properties containing the actual session authenticity values.</p><h1 id="JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End User Subject initialization</h1><p>By default, redirection based authorization services will the the current CXF SecurityContext to initialize a subject representing the authenticated resource owner/end user. If the customization if needed: custom CXF filter can be used to create UserSubject and set it on the message or org
 .apache.cxf.rs.security.oauth2.provider.SubjectCreator interface implementation can be registered with either AuthorizationCodeGrantService or ImplicitGrantService.</p><h1 id="JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</h1><p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java">OAuthRequestFilter</a> request handler can be used to protect the resource server when processing the requests from the third-party clients. Add it as a jaxrs:provider to the endpoint which deals with the clients requesting the resources.</p><p>When checking a request like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in this case its absolute address will be something like "http://localhost:8080/services/myapp/authorize". This address and that of AccessTokenService will be used by third-party clients.</p><h1 id="JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</h1><p>When a client requests a token from Access Token Service, it needs to get authenticated. Providing its client_id and client secret as part of Basic Authorization scheme or posting them directly as form parameters are typical options, however other authentication schemes can easily be supported if required.</p><p>For example, using client certificates or assertions like SAML2 Bearer or JWT is all acceptable - the only additional requirement in this case is that a given security filter processing a specific authentication scheme maps the client credentials to an actual client_id - CXF Access Token Service will check a 
 "client_id" property on the current message context as the last resort. Note that org.apache.cxf.rs.security.oauth2.provider.ClientIdProvider can be registered with AccessTokenService to facilitate the mapping between an authenticated client and its id expected by the data provider if the container or filter based authentication can not set a "client_id" contextual property.</p><p>If a Basic authentication scheme is used and neither the container or filter has authenticated the client AccessTokenService will request a Client from the data provider and compare the Client's secret against the password found in the Basic scheme data. org.apache.cxf.rs.security.oauth2.provider.ClientSecretVerifier is available starting from CXF 3.0.3 to support Clients saving only password hashes. Its org.apache.cxf.rs.security.oauth2.provider.ClientSecretHashVerifier (calculates a SHA-256 password hash and compares it with the Client's secret) or custom implementations can be registered with AccessToke
 nService.</p><p>If a 2-way TLS is sued to authenticate a client and Client has a Base64 encoded representations of its X509Certificates available in its "applicationCertificates" property then AccessTokenService will do the additional comparison of these certificates against the ones available in the current TLS session.</p><p>Please see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for more information on how it may work.</p><h1 id="JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</h1><p>Redirection-based Authorization Code and Implicit flows depend on end users signing in if needed during the initial redirection, challenged with the client authorization form and returning their decision. By default, CXF will enforce the user session authenticity by keeping the session state in a servlet container's HTTPSession. If the alternative storage is preferred then you can register a new <a shape="rect" class="external-link" href="htt
 ps://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java" rel="nofollow">SessionAuthenticityTokenProvider</a> with either AuthorizationCodeGrantService or ImplicitGrantService beans.</p><p>CXF ships <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java" rel="nofollow">JoseSessionTokenProvider </a>which uses <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> to create a compact JWS and/or JWE sequence capturing all the data which need to be available when the user returns an authorization form decision and this secure sequence becomes a session token.</p><h3 id="JAX-RSOAuth2-Keepingthestateinthesession">Keeping the state in the session</h3><p>Note that <a shape="rect" class="external-link" href
 ="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java">SessionAuthenticityTokenProvider</a> has been further updated in CXF 3.1.0 to support signing and/or encrypting some of the redirection properties that would otherwise have to be kept as HTML form hidden fields (see "Authorization Service" section).</p><p>CXF&#160; ships org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider that can be used as a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java">SessionAuthenticityTokenProvider</a> which JWS-signs and/or JWE-encrypts the properties and saves the result in the session. The HTML authorization forms will only have to have an "authenticityToken" property which the provider will use to mat
 ch the session signed/encryped data and decrypt and/or validate the session data.</p><h3 id="JAX-RSOAuth2-MultipleFactorVerification">Multiple Factor Verification</h3><p>Note that <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java">SessionAuthenticityTokenProvider</a> has been updated in CXF 3.0.2 to accept request parameters and a reference to the authenticated user. This allows for introducing a multiple factor session verification: when the provider created a session property it can for example sent a message to a user's mobile phone expect the authorization consent form return the sent value.</p><p>The other minor enhancement is that RedirectionBasedGrantService will check the authorization content form for the name of the form property that contains a session authentication property, using a "session_authenticity_to
 ken_param_name" property name. This allows for the 'rotation' of hidden form properties containing the actual session authenticity values.</p><h1 id="JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End User Subject initialization</h1><p>By default, redirection based authorization services will the the current CXF SecurityContext to initialize a subject representing the authenticated resource owner/end user. If the customization if needed: custom CXF filter can be used to create UserSubject and set it on the message or org.apache.cxf.rs.security.oauth2.provider.SubjectCreator interface implementation can be registered with either AuthorizationCodeGrantService or ImplicitGrantService.</p><h1 id="JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</h1><p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OA
 uthRequestFilter.java">OAuthRequestFilter</a> request handler can be used to protect the resource server when processing the requests from the third-party clients. Add it as a jaxrs:provider to the endpoint which deals with the clients requesting the resources.</p><p>When checking a request like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">Address: http://localhost:8080/services/thirdPartyAccess/calendar
 Http-Method: GET
 Headers: