Posted to commits@cxf.apache.org by bu...@apache.org on 2021/01/26 08:57:14 UTC

svn commit: r1070572 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oidc.html

Author: buildbot
Date: Tue Jan 26 08:57:14 2021
New Revision: 1070572

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oidc.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oidc.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oidc.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oidc.html Tue Jan 26 08:57:14 2021
@@ -117,11 +117,11 @@ Apache CXF -- JAX-RS OIDC
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1611647797324 {padding: 0px;}
-div.rbtoc1611647797324 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1611647797324 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1611651393669 {padding: 0px;}
+div.rbtoc1611651393669 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1611651393669 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1611647797324">
+/*]]>*/</style></p><div class="toc-macro rbtoc1611651393669">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSOIDC-Introduction">Introduction</a></li><li><a shape="rect" href="#JAXRSOIDC-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAXRSOIDC-IdTokenandUserInfo">IdToken and UserInfo</a></li><li><a shape="rect" href="#JAXRSOIDC-OIDCIDPsupport">OIDC IDP support</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSOIDC-OIDCFlowServices">OIDC Flow Services</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSOIDC-AuthorizationCodeFlow">Authorization Code Flow</a></li><li><a shape="rect" href="#JAXRSOIDC-ImplicitFlow">Implicit Flow</a></li><li><a shape="rect" href="#JAXRSOIDC-HybridFlow">Hybrid Flow</a></li></ul>
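Review bot: The only change in this hunk is the TOC class name rotating from rbtoc1611647797324 to rbtoc1611651393669 (the three CSS rules and the div's class attribute), which is a timestamp-derived identifier regenerated on every Confluence export rather than a content change; every build will keep producing this diff noise in both the style block and the toc-macro div. If the export step can be pointed at a stable class name, or the generated style block stripped before publishing, the page diffs would show only real edits and be far easier to review.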
@@ -135,7 +135,7 @@ div.rbtoc1611647797324 li {margin-left:
     &lt;artifactId&gt;cxf-rt-rs-security-sso-oidc&lt;/artifactId&gt;
     &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;</pre>
-</div></div><h1 id="JAXRSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a> which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a> and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a> by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p><
 p>One way to populate it is to register a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java" rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService. For example, <a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared by Fediz Authenticators and creates IdToken by converting an already available SAML token to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubj
 ect.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal may already have a prepared IdToken.&#160;</p><p>The other approach is to create IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this case IdToken will need to be populated first and then converted to either JWS or JWE sequence and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant property at the moment the grant is persisted, if it is the implicit flow - set it as a token property at the moment the token is persisted. This approach is a bit more involved but creating a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way IdToken is created is container/implementation specific. Creatin
 g IdToken is the main requirement for integrating CXF OIDC code with the 3rd party container.</p><p>Finally, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140" rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> to create IdToken at the mo
 ment it needs to be returned to the client application.&#160;</p><p>IdToken can provide enough information for the client application to work with the current user. However, the client can get more information about the user from OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides&#160;<span class="pl-smi">&#160;</span><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a> One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or 
 let CXF OIDCUserInfo service create it as described below.</p><h1 id="JAXRSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC IDP code provides JAX-RS services for supporting OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth" rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all OIDC response types</a>.</p><p>Services for supporting <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo requests</a> and ret
 urning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification keys</a> are also shipped.&#160;</p><h2 id="JAXRSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3 id="JAXRSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a> extension which enforces OIDC specific constraints.&#160;</p><p>This service issues a code grant, while&#160;<a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> returns Access and Id tokens.&#160;</p><p><a s
 hape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>) is where IdToken is actually added to the client response.</p><h3 id="JAXRSOIDC-ImplicitFlow">Implicit Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension which enforces OIDC specific constraints and adds IdToken to the client response. To include the idToken, you may need to add a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org
 /apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> implementation to <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a>.</p><h3 id="JAXRSOIDC-HybridFlow">Hybrid Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main
 /java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a>.&#160;To include the idToken, you&#160;may need to add&#160;a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> implementation to <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService.</a></p><h2 id="JAXRSOIDC-UserInfoEndpoint">UserInfo Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect" class="external-link" href="
 https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> is accessed by a client which uses the access token issued to it during the user authentication process.</p><h2 id="JAXRSOIDC-JWKKeysService">JWK Keys Service</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/o
 rg/apache/cxf/rs/security/oidc/idp/OidcKeysService.java" rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public verification JWK key. By default only a public key is returned but the service can also be configured for JWK key to include the corresponding&#160; X509 certificate chain too.&#160; Use this service if IdToken is signed by a private RSA or EC key for the client be able to fetch the verification keys without having to import them into local key stores. The OidcKeysService can also return a public key stored in a JWK keys file, by specifying the id of the key via "rs.security.keystore.alias" and specifying the type of the keystore ("rs.security.keystore.type") as "jwk".</p><h2 id="JAXRSOIDC-OidcDynamicRegistrationService">OidcDynamicRegistrationService</h2><p>This service is available starting from CXF 3.1.8. It supports the dynamic client <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7591" rel="nofollow">registration</a> a
 nd <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7592" rel="nofollow">management</a> with <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-registration-1_0.html" rel="nofollow">OIDC specific properties</a> being handled too. At the moment some of the advanced registration properties are not yet processed and linked to the way the core OIDC services operate but the service will be enhanced as needed going forward.</p><h2 id="JAXRSOIDC-OidcConfigurationService">OidcConfigurationService</h2><p>This service is available starting from CXF 3.1.8. It supports OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" rel="nofollow">server configuration</a> queries at ".well-known/openid-configuration".</p><h1 id="JAXRSOIDC-FedizOIDCIDP">Fediz OIDC IDP</h1><p><a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> project provides a reference in
 tegration between CXF OIDC IDP code and Fediz Authentication System. It has <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><p>It creates IdToken in a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">SubjectCreator</a> as described above. Currently it depends on CXF Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47" rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed. Besides that it provides a support for managing the client registrations. <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webap
 p/WEB-INF/applicationContext.xml" rel="nofollow">It registers</a> OIDC services as JAX-RS endpoints.</p><p>While some implementation details may change going forward (example, the alternative data provider may get introduced, etc), for the most part it shows that creating IdToken is what is really needed to get the container integrated with the CXF OIDC code.</p><h1 id="JAXRSOIDC-OIDCRPsupport">OIDC RP support</h1><p>OIDC RP client support is needed for the client application to redirect a user to OIDC IDP, get and validate IdToken, optionally get UserInfo, and make both IdToken and UserInfo easily accessible to the client application code.</p><h2 id="JAXRSOIDC-Demos">Demos</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query" rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_qu
 ery/src/main/java/demo/jaxrs/server/BigQueryService.java" rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code to support interacting with the user, redirecting the user to Google to authenticate, and validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.</p><p>For example, the context is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L51" rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68" rel="nofollow">the access token<
 /a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75" rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70" rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc" rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java" rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS server. This server works wit
 h an HTTP Browser client which uses Google script libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser client interacts with CXF OIDC RP code to get IdToken validated and then posts this token to the demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code</p><p><br clear="none"></p><p><br clear="none"></p></div>
+</div></div><h1 id="JAXRSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a> which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a> and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a> by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p><
 p>One way to populate it is to register a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java" rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService. For example, <a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared by Fediz Authenticators and creates IdToken by converting an already available SAML token to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubj
 ect.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal may already have a prepared IdToken.&#160;</p><p>The other approach is to create IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this case IdToken will need to be populated first and then converted to either JWS or JWE sequence and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant property at the moment the grant is persisted, if it is the implicit flow - set it as a token property at the moment the token is persisted. This approach is a bit more involved but creating a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way IdToken is created is container/implementation specific. Creatin
 g IdToken is the main requirement for integrating CXF OIDC code with the 3rd party container.</p><p>Finally, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140" rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> to create IdToken at the mo
 ment it needs to be returned to the client application.&#160;</p><p>IdToken can provide enough information for the client application to work with the current user. However, the client can get more information about the user from OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides&#160;<span class="pl-smi">&#160;</span><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a> One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or 
 let CXF OIDCUserInfo service create it as described below.</p><h1 id="JAXRSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC IDP code provides JAX-RS services for supporting OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth" rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all OIDC response types</a>.</p><p>Services for supporting <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo requests</a> and ret
 urning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification keys</a> are also shipped.&#160;</p><h2 id="JAXRSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3 id="JAXRSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a> extension which enforces OIDC specific constraints.&#160;</p><p>This service issues a code grant, while&#160;<a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> returns Access and Id tokens.&#160;</p><p><a s
 hape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>) is where IdToken is actually added to the client response.</p><h3 id="JAXRSOIDC-ImplicitFlow">Implicit Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension which enforces OIDC specific constraints and adds IdToken to the client response. In order to return an id_token, the OidcImplicitService should be configured as follows:</p><ol><li>If the response_type is "id_token token", then the <a shape="rect" class=
 "external-link" href="https://github.com/apache/cxf/blob/43cc974bd09b7fa5f6f4c9d49d12d548773f2f13/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> should be configured on the OidcImplicitService. The IdTokenResponseFilter in turn needs to know how to create an IdToken, so it must be configured with a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> implementation.</li><li>If the response_type is "id_token", then a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> implementation should be configured directly on the OidcImplicitService.</li></ol><h3 id="JAXRSOIDC-
 HybridFlow">Hybrid Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a>.</p><h2 id="JAXRSOIDC-UserInfoEndpoint">UserInfo Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserI
 nfoService.java" rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> is accessed by a client which uses the access token issued to it during the user authentication process.</p><h2 id="JAXRSOIDC-JWKKeysService">JWK Keys Service</h2><p><
 a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java" rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public verification JWK key. By default only a public key is returned but the service can also be configured for JWK key to include the corresponding&#160; X509 certificate chain too.&#160; Use this service if IdToken is signed by a private RSA or EC key for the client be able to fetch the verification keys without having to import them into local key stores. The OidcKeysService can also return a public key stored in a JWK keys file, by specifying the id of the key via "rs.security.keystore.alias" and specifying the type of the keystore ("rs.security.keystore.type") as "jwk".</p><h2 id="JAXRSOIDC-OidcDynamicRegistrationService">OidcDynamicRegistrationService</h2><p>This service is available starting from CXF 3.1.8. It supports the dynam
 ic client <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7591" rel="nofollow">registration</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7592" rel="nofollow">management</a> with <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-registration-1_0.html" rel="nofollow">OIDC specific properties</a> being handled too. At the moment some of the advanced registration properties are not yet processed and linked to the way the core OIDC services operate but the service will be enhanced as needed going forward.</p><h2 id="JAXRSOIDC-OidcConfigurationService">OidcConfigurationService</h2><p>This service is available starting from CXF 3.1.8. It supports OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" rel="nofollow">server configuration</a> queries at ".well-known/openid-configuration".</p><h1 id="JAXRSOIDC-FedizOIDCIDP">Fediz 
 OIDC IDP</h1><p><a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> project provides a reference integration between CXF OIDC IDP code and Fediz Authentication System. It has <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><p>It creates IdToken in a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">SubjectCreator</a> as described above. Currently it depends on CXF Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47" rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed. Besides that it provides a support for managing the client registratio
 ns. <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml" rel="nofollow">It registers</a> OIDC services as JAX-RS endpoints.</p><p>While some implementation details may change going forward (example, the alternative data provider may get introduced, etc), for the most part it shows that creating IdToken is what is really needed to get the container integrated with the CXF OIDC code.</p><h1 id="JAXRSOIDC-OIDCRPsupport">OIDC RP support</h1><p>OIDC RP client support is needed for the client application to redirect a user to OIDC IDP, get and validate IdToken, optionally get UserInfo, and make both IdToken and UserInfo easily accessible to the client application code.</p><h2 id="JAXRSOIDC-Demos">Demos</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query" rel="nofollow">BigQuery</a> <a shape="rec
 t" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java" rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code to support interacting with the user, redirecting the user to Google to authenticate, and validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.</p><p>For example, the context is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L51" rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main
 /release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68" rel="nofollow">the access token</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75" rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70" rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc" rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/Id
 TokenService.java" rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS server. This server works with an HTTP Browser client which uses Google script libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser client interacts with CXF OIDC RP code to get IdToken validated and then posts this token to the demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code</p><p><br clear="none"></p><p><br clear="none"></p></div>
            </div>
            <!-- Content -->
          </td>
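Review bot: in the UserInfo paragraph near the start of the content line, the anchor text `UserInfoProvider` links to `.../rs/security/oidc/idp/IdTokenProvider.java`, so the label and the link target disagree; the link should point at the UserInfoProvider class rather than IdTokenProvider.java. Two smaller wording fixes in the same context lines: in the JWK Keys Service paragraph, "for the client be able to fetch the verification keys" should read "so that the client is able to fetch the verification keys", and the last sentence of the BasicOidc paragraph ("...easily accessible in its code") is missing its closing period. The two empty `<p><br clear="none"></p>` paragraphs just before the closing `</div>` carry no content and can be dropped.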