cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > JAX-RS OAuth
Date Tue, 08 Nov 2011 11:32:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth">JAX-RS
OAuth</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~sergey_beryozkin">Sergey
Beryozkin</a>
    </h4>
        <br/>
                         <h4>Changes (6)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >The classical OAuth flow is also called
a 3-leg OAuth flow as it involves 3 parties: the end user (resource owner), the third party
service (client, consumer) and the resource server which is protected by OAuth filters. Typically
a consumer offers a service feature that an end user requests and which requires the former
to access one or more resources of this end user which are located at the resource server.
For example, the consumer may need to access the end user&#39;s photos in order to print
them and post to the user or read and possibly update a user&#39;s calendar in order to
make a booking. <br> <br></td></tr>
            <tr><td class="diff-unchanged" >In order to make it happen, the third-party
service application/consumer needs to register itself with the OAuth server. This happens
out-of-band and after the registration the consumer gets back a consumer key and secret pair.
For example, see this page for one [approach|http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto.html].
The registrations of third-party application does not have to be very involved for simpler
applications.   <br></td></tr>
            <tr><td class="diff-unchanged" > <br>From then on, the typical
flows works like this: <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >7. After getting an access token token,
the service finally proceeds with accessing the current user&#39;s resources and completes
the user&#39;s request. <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">As
noted above, the consumer needs to register first with the OAuth server. It&#39;s a good
practice to provide an application name and so called connect URI which is typically a public
URI of this application; the former will be used by OAuth Authorization Service at step 4
above and the latter will be used at step 2 to validate the provided callback URI to make
sure it starts from the URI which was actually provided during the registration. <br>
<br></td></tr>
            <tr><td class="diff-unchanged" >As you can see the flow can be complex
yet it is functional. A number of issues may need to be taken care along the way such as managing
expired tokens, making sure that the OAuth security layer is functioning properly and is not
interfering with the end user itself trying to access its own resources, etc. <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >Please check the [specification|http://tools.ietf.org/html/rfc5849]
and the [Wikipedia article|http://en.wikipedia.org/wiki/OAuth] as well as other resources
available on the WEB for more information you may need to know about OAuth.  <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h1. Maven dependencies <br>
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h1. Developing OAuth Servers
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h1.
Client-side support <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>OAuth server is the core piece of the complete OAuth-based solution. Typically it
contains 3 services for: <br>- Initiating the flows by issuing temporarily tokens to
consumers <br>- Authorizing request tokens by asking the end users to let consumers
access some of their resources and returning the <br>  confirmation back to the consumer
<br>- Exchanging authorized request tokens for access tokens <br> <br>CXF
offers 3 JAX-RS service implementations that can be used to create functional OAuth servers
fast: [RequestTokenService|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java],
[AuthorizationRequestService|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java]
and [AccessTokenService|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenService.java].
<br> <br>All of these 3 services rely on the custom [OAuthDataProvider|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/OAuthDataProvider.java]
which manages request and access tokens. Writing your own OAuthDataProvider implementations
is what is needed to get the OAuth server up and running. <br> <br>h2. RequestTokenService
  <br> <br>The main responsibility of [RequestTokenService|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java]
is to create a temporarily request token and return it back to the consumer. It supports POST
and GET requests and return a form payload containing the new request token and its secret.
<br> <br>Here is an example request log: <br>{code:xml} <br>Address:
http://localhost:8080/services/oauth/initiate <br>Encoding: ISO-8859-1 <br>Http-Method:
POST <br>Content-Type: */* <br>Headers: { <br>Accept=[application/x-www-form-urlencoded],
 <br> <br>Content-Length=[0], <br> <br>Authorization=[OAuth oauth_callback=&quot;http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete&quot;,
 <br>                     oauth_nonce=&quot;e365fa02-772e-4e33-900d-00a766ccadf8&quot;,
 <br>                     oauth_consumer_key=&quot;123456789&quot;,  <br>
                    oauth_signature_method=&quot;HMAC-SHA1&quot;,  <br>    
                oauth_timestamp=&quot;1320748683&quot;,  <br>              
      oauth_version=&quot;1.0&quot;,  <br>                     oauth_signature=&quot;ztTQuqaJS7L6dNQwn%2Fqi1MdaqQQ%3D&quot;]
 <br>} <br>{code} <br> <br>It is an empty POST request which includes
an Authorization OAuth header. The value of the header has a consumer key (obtained during
the third-party registration), callback URI pointing to where AuthorizationRequestService
will return an authorized token and a signature which was calculated using a consumer key
and secret pair as [described in the specification|http://tools.ietf.org/html/rfc5849#section-3.4.2].
<br> <br>First RequestTokenService validates the signature and then it retrieves
a [Client|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java]
instance from OAuthDataProvider using a consumer key. <br> <br>Before asking OAuthDataProvider
to generate a request token, it attempts to validate a callback URI against a [Client|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java]&#39;s
application URI. <br> <br>Finally it delegates to OAuthDataProvider to create
a request token, passing to it a populated [RequestTokenRegistration|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestTokenRegistration.java]
bean.  <br> <br>This bean references a Client instance, callback URI and a state.
State is something that a consumer may also include during the request token request using
a &quot;state&quot; parameter and will be returned back to the consumer alongside
the verifier after the request token has been authorized. For example, it may represent a
key that a consumer will use to retrieve the state of the request that it was processing when
requesting a token. For OAuth 1.0 <br>consumers, the request token itself may represent
a good enough key for such purposes, but &quot;state&quot; may need to be used too
and will become more useful for OAuth 2.0. <br> <br>The bean also includes &quot;issuedAt&quot;
and &quot;lifetime&quot; values which represent the time a new token is about to be
created and a configurable time in milliseconds that this token will &#39;live&#39;
for. OAuthDataProvider will be free to reset those values if needed before actually creating
a request token. <br> <br>Finally, two more properties may be set on this bean
instance: list of scopes and uris. List of scopes represents optional permissions that the
consumer may need to access the resources and a list of URIs represents an optional list of
relative URIs the consumer will want to use. These can be provided by &quot;x_oauth_scope&quot;
(just &quot;scope&quot; in OAuth 2.0) and &quot;x_oauth_uri&quot; request
parameters, for example, <br> <br>{code:xml} <br>Authorization=[OAuth ...,
 <br>                     x_oauth_scope=&quot;readCalendar updateCalendar&quot;,
 <br>                     x_oauth_uri=&quot;/calendar&quot;] <br>{code}
  <br> <br>These two parameters will be covered later. <br> <br>After
a new request token has been created by OAuthDataProvider, RequestTokenService returns the
token key and secret pair to the consumer: <br> <br>{code:xml} <br>Response-Code:
200 <br>Content-Type: application/x-www-form-urlencoded <br>Headers: {Date=[Tue,
08 Nov 2011 10:38:03 GMT]} <br>Payload:  <br>oauth_callback_confirmed=true&amp;oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&amp;oauth_token_secret=ca8273df-b9b0-43f9-9875-cfbb54ced550
<br>{code} <br> <br>The consumer is now ready to redirect the current end
user to [AuthorizationRequestService|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java].
<br> <br>h2. AuthorizationRequestService <br> <br>h2. AccessTokenService
 <br> <br>h1. Writing OAuthDataProvider <br></td></tr>
            <tr><td class="diff-unchanged" >h1. Protecting resources with OAuth
filters <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h1.
Client-side support <br></td></tr>
            <tr><td class="diff-unchanged" >h1. 2-leg OAuth flow <br>h1.
Design considerations <br>h2. Sharing the same URI path between end users and consumers
<br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h1.
3-leg flow on the wire <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h1. What Is Next <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>Fine tuning the current OAuth 1.0 will be continued and the feedback from the implementers
will be welcomed. <br>OAuth 2.0 is going to become a very major specification in the
whole RESTful space and CXF will implement the selected OAuth 2.0 profiles. Among other things,
OAuth 2.0 will also rely on SAML in one of the extensions and we&#39;ll look into it too.
Writing a complete OAuth application will most likely require some SSO solution so some support
from CXF is likely to come too. <br> <br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> JAX-RS: OAuth </span></p>


<div>
<ul>
    <li><a href='#JAX-RSOAuth-Introduction'>Introduction</a></li>
    <li><a href='#JAX-RSOAuth-Mavendependencies'>Maven dependencies</a></li>
    <li><a href='#JAX-RSOAuth-DevelopingOAuthServers'>Developing OAuth Servers</a></li>
<ul>
    <li><a href='#JAX-RSOAuth-RequestTokenService'>RequestTokenService</a></li>
    <li><a href='#JAX-RSOAuth-AuthorizationRequestService'>AuthorizationRequestService</a></li>
    <li><a href='#JAX-RSOAuth-AccessTokenService'>AccessTokenService</a></li>
</ul>
    <li><a href='#JAX-RSOAuth-WritingOAuthDataProvider'>Writing OAuthDataProvider</a></li>
    <li><a href='#JAX-RSOAuth-ProtectingresourceswithOAuthfilters'>Protecting
resources with OAuth filters</a></li>
    <li><a href='#JAX-RSOAuth-Clientsidesupport'>Client-side support</a></li>
    <li><a href='#JAX-RSOAuth-2legOAuthflow'>2-leg OAuth flow</a></li>
    <li><a href='#JAX-RSOAuth-Designconsiderations'>Design considerations</a></li>
<ul>
    <li><a href='#JAX-RSOAuth-SharingthesameURIpathbetweenendusersandconsumers'>Sharing
the same URI path between end users and consumers</a></li>
</ul>
    <li><a href='#JAX-RSOAuth-WhatIsNext'>What Is Next</a></li>
</ul></div>

<h1><a name="JAX-RSOAuth-Introduction"></a>Introduction</h1>

<p>CXF 2.5.0 implements <a href="http://tools.ietf.org/html/rfc5849" class="external-link"
rel="nofollow">OAuth 1.0</a>. </p>

<p>While <a href="http://oauth.net/2/" class="external-link" rel="nofollow">OAuth
2.0</a> (which is very close to becoming the final recommendation) is the next major
version of OAuth, OAuth 1.0 is being supported by many providers and the CXF OAuth module
should make it easy for developers to start writing OAuth applications, be it OAuth 1.0 or
OAuth 2.0 once the latter gets implemented.   </p>

<p>OAuth offers a complex yet elegant solution toward helping the end users (resource
owners) authorize third-party providers to access their resources.</p>

<p>The classical OAuth flow is also called a 3-leg OAuth flow as it involves 3 parties:
the end user (resource owner), the third party service (client, consumer) and the resource
server which is protected by OAuth filters. Typically a consumer offers a service feature
that an end user requests and which requires the former to access one or more resources of
this end user which are located at the resource server. For example, the consumer may need
to access the end user's photos in order to print them and post to the user or read and possibly
update a user's calendar in order to make a booking.</p>

<p>In order to make it happen, the third-party service application/consumer needs to
register itself with the OAuth server. This happens out-of-band and after the registration
the consumer gets back a consumer key and secret pair. For example, see this page for one
<a href="http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto.html" class="external-link"
rel="nofollow">approach</a>. The registrations of third-party application does not
have to be very involved for simpler applications.  </p>

<p>From then on, the typical flows works like this:<br/>
1. End User requests the third-party service using a browser.</p>

<p>2. Third-party service requests a temporarily request token from OAuth RequestToken
Service; this token will represent a consumer's intention to access whatever end user resources
it needs to complete the current user's request.</p>

<p>3. After getting a request token back, the consumer redirects the end user to OAuth
Authorization Service and adds the request token to the target URI.</p>

<p>4. Authorization Service will get all the details about the current consumer using
a request token, build an HTML form and return it to the end user. The form will ask the user
if a given third-party application can be allowed to access some resources on behalf of this
user.     </p>

<p>5. If the user approves it then Authorization Service will redirect the user back
to the callback uri provided by the consumer when requesting a request token, including a
generated verifier (authorization key) which 'links' the user's approval with the request
token. </p>

<p>6. Now the third-party service requests an access token from OAuth AccessToken Service
by providing a request token and its verifier. </p>

<p>7. After getting an access token token, the service finally proceeds with accessing
the current user's resources and completes the user's request.</p>

<p>As noted above, the consumer needs to register first with the OAuth server. It's
a good practice to provide an application name and so called connect URI which is typically
a public URI of this application; the former will be used by OAuth Authorization Service at
step 4 above and the latter will be used at step 2 to validate the provided callback URI to
make sure it starts from the URI which was actually provided during the registration.</p>

<p>As you can see the flow can be complex yet it is functional. A number of issues may
need to be taken care along the way such as managing expired tokens, making sure that the
OAuth security layer is functioning properly and is not interfering with the end user itself
trying to access its own resources, etc.</p>

<p>CXF JAX-RS gives the best effort to making this process as simple as possible and
requiring only a minimum effort on behalf of OAuth server developers.<br/>
It also offers the utility code for greatly simplifying the way the third-party application
can interact with the OAuth service endpoints.</p>

<p>Now, as far this particular 3-leg flow is concerned, OAuth 2.0 simplifies it by effectively
making the steps 3 and 6 (requests for request and access tokens) redundant. Moving to OAuth
2.0 will be straightforward after learning how to build OAuth 1.0 servers with CXF. </p>

<p>Please check the <a href="http://tools.ietf.org/html/rfc5849" class="external-link"
rel="nofollow">specification</a> and the <a href="http://en.wikipedia.org/wiki/OAuth"
class="external-link" rel="nofollow">Wikipedia article</a> as well as other resources
available on the WEB for more information you may need to know about OAuth. </p>

<h1><a name="JAX-RSOAuth-Mavendependencies"></a>Maven dependencies</h1>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;dependency&gt;</span>
  <span class="code-tag">&lt;groupId&gt;</span>org.apache.cxf<span
class="code-tag">&lt;/groupId&gt;</span>
  <span class="code-tag">&lt;artifactId&gt;</span>cxf-rt-rs-security-oauth<span
class="code-tag">&lt;/artifactId&gt;</span>
  <span class="code-tag">&lt;version&gt;</span>2.5.0<span class="code-tag">&lt;/version&gt;</span>
<span class="code-tag">&lt;/dependency&gt;</span>
</pre>
</div></div>

<h1><a name="JAX-RSOAuth-DevelopingOAuthServers"></a>Developing OAuth Servers</h1>

<p>OAuth server is the core piece of the complete OAuth-based solution. Typically it
contains 3 services for:</p>
<ul class="alternate" type="square">
	<li>Initiating the flows by issuing temporarily tokens to consumers</li>
	<li>Authorizing request tokens by asking the end users to let consumers access some
of their resources and returning the<br/>
  confirmation back to the consumer</li>
	<li>Exchanging authorized request tokens for access tokens</li>
</ul>


<p>CXF offers 3 JAX-RS service implementations that can be used to create functional
OAuth servers fast: <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java"
class="external-link" rel="nofollow">RequestTokenService</a>, <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java"
class="external-link" rel="nofollow">AuthorizationRequestService</a> and <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenService.java"
class="external-link" rel="nofollow">AccessTokenService</a>.</p>

<p>All of these 3 services rely on the custom <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/OAuthDataProvider.java"
class="external-link" rel="nofollow">OAuthDataProvider</a> which manages request
and access tokens. Writing your own OAuthDataProvider implementations is what is needed to
get the OAuth server up and running.</p>

<h2><a name="JAX-RSOAuth-RequestTokenService"></a>RequestTokenService  </h2>

<p>The main responsibility of <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java"
class="external-link" rel="nofollow">RequestTokenService</a> is to create a temporarily
request token and return it back to the consumer. It supports POST and GET requests and return
a form payload containing the new request token and its secret.</p>

<p>Here is an example request log:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
Address: http://localhost:8080/services/oauth/initiate
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: */*
Headers: {
Accept=[application/x-www-form-urlencoded], 

Content-Length=[0],

Authorization=[OAuth oauth_callback=<span class="code-quote">"http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete"</span>,

                     oauth_nonce=<span class="code-quote">"e365fa02-772e-4e33-900d-00a766ccadf8"</span>,

                     oauth_consumer_key=<span class="code-quote">"123456789"</span>,

                     oauth_signature_method=<span class="code-quote">"HMAC-SHA1"</span>,

                     oauth_timestamp=<span class="code-quote">"1320748683"</span>,

                     oauth_version=<span class="code-quote">"1.0"</span>, 
                     oauth_signature=<span class="code-quote">"ztTQuqaJS7L6dNQwn%2Fqi1MdaqQQ%3D"</span>]

}
</pre>
</div></div>

<p>It is an empty POST request which includes an Authorization OAuth header. The value
of the header has a consumer key (obtained during the third-party registration), callback
URI pointing to where AuthorizationRequestService will return an authorized token and a signature
which was calculated using a consumer key and secret pair as <a href="http://tools.ietf.org/html/rfc5849#section-3.4.2"
class="external-link" rel="nofollow">described in the specification</a>.</p>

<p>First RequestTokenService validates the signature and then it retrieves a <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java"
class="external-link" rel="nofollow">Client</a> instance from OAuthDataProvider using
a consumer key.</p>

<p>Before asking OAuthDataProvider to generate a request token, it attempts to validate
a callback URI against a <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java"
class="external-link" rel="nofollow">Client</a>'s application URI.</p>

<p>Finally it delegates to OAuthDataProvider to create a request token, passing to it
a populated <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestTokenRegistration.java"
class="external-link" rel="nofollow">RequestTokenRegistration</a> bean. </p>

<p>This bean references a Client instance, callback URI and a state. State is something
that a consumer may also include during the request token request using a "state" parameter
and will be returned back to the consumer alongside the verifier after the request token has
been authorized. For example, it may represent a key that a consumer will use to retrieve
the state of the request that it was processing when requesting a token. For OAuth 1.0<br/>
consumers, the request token itself may represent a good enough key for such purposes, but
"state" may need to be used too and will become more useful for OAuth 2.0.</p>

<p>The bean also includes "issuedAt" and "lifetime" values which represent the time
a new token is about to be created and a configurable time in milliseconds that this token
will 'live' for. OAuthDataProvider will be free to reset those values if needed before actually
creating a request token.</p>

<p>Finally, two more properties may be set on this bean instance: list of scopes and
uris. List of scopes represents optional permissions that the consumer may need to access
the resources and a list of URIs represents an optional list of relative URIs the consumer
will want to use. These can be provided by "x_oauth_scope" (just "scope" in OAuth 2.0) and
"x_oauth_uri" request parameters, for example,</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
Authorization=[OAuth ..., 
                     x_oauth_scope=<span class="code-quote">"readCalendar updateCalendar"</span>,

                     x_oauth_uri=<span class="code-quote">"/calendar"</span>]
</pre>
</div></div>  

<p>These two parameters will be covered later.</p>

<p>After a new request token has been created by OAuthDataProvider, RequestTokenService
returns the token key and secret pair to the consumer:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
Response-Code: 200
Content-Type: application/x-www-form-urlencoded
Headers: {Date=[Tue, 08 Nov 2011 10:38:03 GMT]}
Payload: 
oauth_callback_confirmed=true&amp;oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&amp;oauth_token_secret=ca8273df-b9b0-43f9-9875-cfbb54ced550
</pre>
</div></div>

<p>The consumer is now ready to redirect the current end user to <a href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java"
class="external-link" rel="nofollow">AuthorizationRequestService</a>.</p>

<h2><a name="JAX-RSOAuth-AuthorizationRequestService"></a>AuthorizationRequestService</h2>

<h2><a name="JAX-RSOAuth-AccessTokenService"></a>AccessTokenService </h2>

<h1><a name="JAX-RSOAuth-WritingOAuthDataProvider"></a>Writing OAuthDataProvider</h1>
<h1><a name="JAX-RSOAuth-ProtectingresourceswithOAuthfilters"></a>Protecting
resources with OAuth filters</h1>
<h1><a name="JAX-RSOAuth-Clientsidesupport"></a>Client-side support</h1>
<h1><a name="JAX-RSOAuth-2legOAuthflow"></a>2-leg OAuth flow</h1>
<h1><a name="JAX-RSOAuth-Designconsiderations"></a>Design considerations</h1>
<h2><a name="JAX-RSOAuth-SharingthesameURIpathbetweenendusersandconsumers"></a>Sharing
the same URI path between end users and consumers</h2>

<h1><a name="JAX-RSOAuth-WhatIsNext"></a>What Is Next</h1>

<p>Fine tuning the current OAuth 1.0 will be continued and the feedback from the implementers
will be welcomed.<br/>
OAuth 2.0 is going to become a very major specification in the whole RESTful space and CXF
will implement the selected OAuth 2.0 profiles. Among other things, OAuth 2.0 will also rely
on SAML in one of the extensions and we'll look into it too. Writing a complete OAuth application
will most likely require some SSO solution so some support from CXF is likely to come too.</p>

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=27830330&revisedVersion=9&originalVersion=8">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message