cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r909428 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html docs/json-web-tokens.html
Date Tue, 20 May 2014 16:46:50 GMT
Author: buildbot
Date: Tue May 20 16:46:49 2014
New Revision: 909428

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/docs/json-web-tokens.html
Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue May 20 16:46:49 2014
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</h1><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1397227677908 {padding: 0px;}
-div.rbtoc1397227677908 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1397227677908 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1400604383351 {padding: 0px;}
+div.rbtoc1400604383351 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1400604383351 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1397227677908">
+/*]]>*/</style></p><div class="toc-macro rbtoc1400604383351">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS:
OAuth2</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization
Service</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser
Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients(Devices)">Public
Clients (Devices)</a>
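Review bot: the only change in this hunk is the generated class name in the inline `<style>` and on the `toc-macro` div (`rbtoc1397227677908` to `rbtoc1400604383351`); the number is a millisecond timestamp of the export (1400604383351 is 20 May 2014 16:46:23 UTC, matching this commit), not a content change, so this region will show up as modified in every production update. If the publishing step can emit a stable class name or drop the inline TOC style altogether, these hunks stop appearing and the real documentation changes become easier to review.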
@@ -131,7 +131,7 @@ div.rbtoc1397227677908 li {margin-left: 
 </li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access
Token Types</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-HAWK">HAWK</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-MAC">MAC</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Encryptedtokens">Encrypted
tokens</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-UsingSecretKeys">Using
Secret Keys</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UsingCertificates">Using
Certificates</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using
Certificates and Secret Keys</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-UsingSecretKeys">Using
Secret Keys</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UsingCertificates">Using
Certificates</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using
Certificates and Secret Keys</a></li><li><a shape="rect" href="#JAX-RSOAuth2-EncryptedJWTTokens">Encrypted
JWT Tokens</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-Customtokens">Custom tokens</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and Audience</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a>
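Review bot: the new TOC entry links to `#JAX-RSOAuth2-EncryptedJWTTokens`, and the heading added further down in this patch carries `id="JAX-RSOAuth2-EncryptedJWTTokens"`, so the anchor resolves; the remaining TOC lines in the `-`/`+` pair are identical, so this hunk is purely the one-entry insertion and needs no change.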
@@ -348,7 +348,7 @@ return token;
 // decrypt a token given a token key
 
 ModelEncryptionSupport.decryptAccessToken(this, encryptedToken, key);]]></script>
-</div></div><pre>&#160;</pre><h5 id="JAX-RSOAuth2-UsingCertificates">Using
Certificates</h5><p>Working with the certificates to encrypt the state is similar
to working with the symmetric keys. Please check the code examples in <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java">EncryptionsUtilsTest</a>.</p><p>One
needs to load a Certificate, use its public key to encrypt and the private key to decrypt.
using the certificate to encrypt the whole serialized token representation might be marginally
slower compared to using the symmetric keys, however given that the sequence is about 300+
characters maximum the performance can be reasonable.</p><h5 id="JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using
Certificates and Secret Keys</h5><p>The other approach is to generate a secret
key, use this key to encrypt the token and then use the certi
 ficate to encrypt the key. The encrypted token and the actual encrypted secret key can be
returned to the client as a token parameter, for example, as a 'key' parameter. This 'key'
parameter will need to be returned to the OAuth2 server, via the HTTP header or the custom
authorization scheme. The data providers using this mechanism will need to implement AccessTokenValidator
and decrypt the encrypted key with the private certificate key, and decrypt the token with
the decrypted secret key. Please check the code example in <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java">EncryptionsUtilsTest</a>.</p><p>&#160;</p><h4
id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If needed, users can use
their own custom token types, with the only restriction that the custom token type implementations
have to extend org.apache.cxf.rs.security.oaut
 h2.common.ServerAccessToken.</p><h4 id="JAX-RSOAuth2-SimpleTokensandAudience">Simple
Tokens and Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect" class="external-link"
href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00" rel="nofollow">audience</a>
parameter is supported during the client token requests.</p><h3 id="JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</h3><p>The
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a>
is a CXF specific OAuth2 service for accepting the remote access token validation requests.
Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party
client and will ask AccessTokenValidationService to return the information relevant to the
current access token, before setting up a sec
 urity context. More on it below.</p><h2 id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java">TokenRevocationService</a>
is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh
tokens they own themselves, please see <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09"
rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p><p>TokenRevocationService
and AccessTokenService share the same code which enforces that the clients have been correctly
authenticated.</p><p>Note, OAuthDataProvider implementations processing a revocation
request should simply ignore the invalid tokens as recommended by the specification which
will let TokenRevocationService return HTTP 200 wh
 ich is done to minimize a possible attack surface (specifically for bad clients not to see
if their requests failed or succeeded) and throw the exceptions only if the token revocation
feature is not currently supported.</p><h2 id="JAX-RSOAuth2-SupportedGrants">Supported
Grants</h2><p>The following subsections briefly describe how the well-known grant
types can be supported on the server side. Please also check the "Client Side Support" section
on how to use the related <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java">AccessTokenGrant</a>
implementations to request the access tokens.</p><h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization
Code</h3><p>As described above, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2
 /services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a>
service and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a>
data provider can support a redirection-based Authorization Code flow.</p><p>The
code that the client receives in the end of the redirection process will need to be exchanged
for a new access token with AccessTokenService. CXF-based clients can use a helper <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit
grant is supported the same way Authorizat
 ion Code grant is except that the response to the client running within a web browser is
formatted differently, using URI fragments.</p><p><a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a>
service and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a>
data provider can support a redirection-based Implicit flow.</p><p>Note the only
difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also
note that when an Implicit grant client (running within a browser) replaces the code grant
for a new access token and tries to access the end user's resource, Cross Origin Resource
Shar
 ing (CORS) support will most likely need to be enabled on the end user's resource server.<br
clear="none"> The simplest approach is to register a CXF <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-cors.html">CORS
filter</a>, right before OAuth2 filter (see on it below).</p><p>Starting
from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client
id to the browser-hosted client. This is recommended so that the client can verify that the
token is meant to be delivered to this client.</p><h3 id="JAX-RSOAuth2-ClientCredentials">Client
Credentials</h3><p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java">ClientCredentialsGrantHandler</a>
handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients
can use a helper <a shape="rect" class="external-li
 nk" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java">ClientCredentialsGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource
Owner Password Credentials</h3><p>Register <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java">ResourceOwnerGrantHandler</a>
handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients
can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java">ResourceOwnerGrant</a>
bean to request a new access token with OAut
 hClientUtils.</p><h3 id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The
client can issue a refresh token grant if the current access token it owns has expired or
been revoked and the refresh token was issued alongside with the access token which is now
invalid and get the new, 'refreshed' access token. This can allow the client to avoid seeking
a new authorization approval from the end user.</p><p>Register <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java">RefreshTokenGrantHandler</a>
handler with AccessTokenService for this grant be supported. Note this grant handler is only
useful for refreshing the existing access token, so one or more of the other grant handlers
(Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.</p><p>CXF-based
clients can use a helper <a shape="rect" cla
 ss="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrant.java">RefreshTokenGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-Assertions">Assertions</h3><p>SAML2
Bearer and JWT assertions can be used as token grants.</p><p>Please see <a
shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section
for more information.</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If
you need to customize the way the well-known grant requests are handled then consider extending
one of the grant handlers listed in the previous sub-sections.</p><p>Alternatively
create a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java">AccessTokenGrantHandl
 er</a> and register it with AccessTokenService. Additionally, consider providing a
related <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java">AccessTokenGrant</a>
implementation for making it easy for the client code to request a new access token with this
custom grant.</p><h2 id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized
access tokens</h2><p>When working with the flows which require the end users/resource
owners explicitly authorizing clients (for example, as in the case of redirection-based flows),
using pre-authorized access tokens is one option to minimize the need for the end-user intervention.
<br clear="none"> OAuthDataProvider is always checked first if the pre-authorized access
token for a given Client exists and if yes then it will be returned immediately, without starting
the authorization process involving the end
  user (as required by some flows).</p><p>Consider providing a user interface
which will let the end users/resource owners to pre-authorize specific clients early. Note,
a CXF service for supporting the users pre-authorizing the clients or revoking the tokens
for some of the clients may be introduced in the future.</p><p>Also note that
using a refresh token grant may further help with minimizing the end user involvement, in
cases when the current access token has expired.</p><h2 id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered
scopes</h2><p>Clients can register custom scopes they will be expected to use
and then avoid specifying the scopes when requesting the code grants or access tokens.<br
clear="none"> Alternatively it makes it easier to support so called wild-card scopes. For
example, a client pre-registers a scope "update" and actually uses an "update-7" scope: Redirection-based
services and access token grants can be configured to do a partial scope match, in this case,
va
 lidate that "update-7" starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a lot
with setting up an OAuth server. As you can see from the above sections, these services rely
on a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
implementation.</p><p>The main task of OAuthDataProvider is to persist and generate
access tokens. Additionally, as noted above, AuthorizationCodeDataProvider needs to persist
and remove the code grant registrations. The way it's done is really application-specific.
Consider starting with a basic memory based implementation and then move on to keeping the
data in some DB.</p><p>Note that OAuthDataProvider supports retrieving <a shape="rect"
class="external-link" href="http://svn.a
 pache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a>
instances but it has no methods for creating or removing Clients. The reason for it is that
the process of registering third-party clients is very specific to a particular OAuth2 application,
so CXF does not offer a registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><pre>&#160;</pre><h5 id="JAX-RSOAuth2-UsingCertificates">Using
Certificates</h5><p>Working with the certificates to encrypt the state is similar
to working with the symmetric keys. Please check the code examples in <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java">EncryptionsUtilsTest</a>.</p><p>One
needs to load a Certificate, use its public key to encrypt and the private key to decrypt.
using the certificate to encrypt the whole serialized token representation might be marginally
slower compared to using the symmetric keys, however given that the sequence is about 300+
characters maximum the performance can be reasonable.</p><h5 id="JAX-RSOAuth2-UsingCertificatesandSecretKeys">Using
Certificates and Secret Keys</h5><p>The other approach is to generate a secret
key, use this key to encrypt the token and then use the certi
 ficate to encrypt the key. The encrypted token and the actual encrypted secret key can be
returned to the client as a token parameter, for example, as a 'key' parameter. This 'key'
parameter will need to be returned to the OAuth2 server, via the HTTP header or the custom
authorization scheme. The data providers using this mechanism will need to implement AccessTokenValidator
and decrypt the encrypted key with the private certificate key, and decrypt the token with
the decrypted secret key. Please check the code example in <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtilsTest.java">EncryptionsUtilsTest</a>.</p><h5
id="JAX-RSOAuth2-EncryptedJWTTokens">Encrypted JWT Tokens</h5><p>JWT Token
can be JWE-encrypted and the encrypted string passed to ServerAccessToken as access token
id parameter.</p><p>See <a shape="rect" href="json-web-tokens.html">JS
 ON Web Tokens</a> wiki page for more information on how to sign and encrypt JSON Web
Tokens.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If
needed, users can use their own custom token types, with the only restriction that the custom
token type implementations have to extend org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.</p><h4
id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and Audience</h4><p>Starting
from CXF 2.7.7 an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00"
rel="nofollow">audience</a> parameter is supported during the client token requests.</p><h3
id="JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</h3><p>The
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a>
is a
  CXF specific OAuth2 service for accepting the remote access token validation requests. Typically,
OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party client
and will ask AccessTokenValidationService to return the information relevant to the current
access token, before setting up a security context. More on it below.</p><h2 id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java">TokenRevocationService</a>
is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh
tokens they own themselves, please see <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09"
rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p><p>TokenRevocationServic
 e and AccessTokenService share the same code which enforces that the clients have been correctly
authenticated.</p><p>Note, OAuthDataProvider implementations processing a revocation
request should simply ignore the invalid tokens as recommended by the specification which
will let TokenRevocationService return HTTP 200 which is done to minimize a possible attack
surface (specifically for bad clients not to see if their requests failed or succeeded) and
throw the exceptions only if the token revocation feature is not currently supported.</p><h2
id="JAX-RSOAuth2-SupportedGrants">Supported Grants</h2><p>The following subsections
briefly describe how the well-known grant types can be supported on the server side. Please
also check the "Client Side Support" section on how to use the related <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java">Ac
 cessTokenGrant</a> implementations to request the access tokens.</p><h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization
Code</h3><p>As described above, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a>
service and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a>
data provider can support a redirection-based Authorization Code flow.</p><p>The
code that the client receives in the end of the redirection process will need to be exchanged
for a new access token with AccessTokenService. CXF-based clients can use a helper <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/as
 f/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit
grant is supported the same way Authorization Code grant is except that the response to the
client running within a web browser is formatted differently, using URI fragments.</p><p><a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a>
service and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a>
data provider can support a redirection-bas
 ed Implicit flow.</p><p>Note the only difference is the use of ImplicitGrantService
instead of AuthorizationCodeGrantService.</p><p>Also note that when an Implicit
grant client (running within a browser) replaces the code grant for a new access token and
tries to access the end user's resource, Cross Origin Resource Sharing (CORS) support will
most likely need to be enabled on the end user's resource server.<br clear="none"> The
simplest approach is to register a CXF <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-cors.html">CORS
filter</a>, right before OAuth2 filter (see on it below).</p><p>Starting
from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client
id to the browser-hosted client. This is recommended so that the client can verify that the
token is meant to be delivered to this client.</p><h3 id="JAX-RSOAuth2-ClientCredentials">Client
Credentials</h3><p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos
 /asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java">ClientCredentialsGrantHandler</a>
handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients
can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java">ClientCredentialsGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource
Owner Password Credentials</h3><p>Register <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java">ResourceOwnerGrantHandler</a>
handler with AccessTokenService for this grant be supp
 orted.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java">ResourceOwnerGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-RefreshToken">Refresh
Token</h3><p>The client can issue a refresh token grant if the current access
token it owns has expired or been revoked and the refresh token was issued alongside with
the access token which is now invalid and get the new, 'refreshed' access token. This can
allow the client to avoid seeking a new authorization approval from the end user.</p><p>Register
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java">RefreshTokenGrantHandler</a>
handler with Acc
 essTokenService for this grant be supported. Note this grant handler is only useful for refreshing
the existing access token, so one or more of the other grant handlers (Authorization Code,
Implicit, etc) will also have to be registered with AccessTokenService.</p><p>CXF-based
clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrant.java">RefreshTokenGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-Assertions">Assertions</h3><p>SAML2
Bearer and JWT assertions can be used as token grants.</p><p>Please see <a
shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section
for more information.</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If
you need to customize the way the well-known grant requests are handled then consider extending
one of
  the grant handlers listed in the previous sub-sections.</p><p>Alternatively
create a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java">AccessTokenGrantHandler</a>
and register it with AccessTokenService. Additionally, consider providing a related <a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java">AccessTokenGrant</a>
implementation for making it easy for the client code to request a new access token with this
custom grant.</p><h2 id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized
access tokens</h2><p>When working with the flows which require the end users/resource
owners explicitly authorizing clients (for example, as in the case of redirection-based flows),
using pre
 -authorized access tokens is one option to minimize the need for the end-user intervention.
<br clear="none"> OAuthDataProvider is always checked first if the pre-authorized access
token for a given Client exists and if yes then it will be returned immediately, without starting
the authorization process involving the end user (as required by some flows).</p><p>Consider
providing a user interface which will let the end users/resource owners to pre-authorize specific
clients early. Note, a CXF service for supporting the users pre-authorizing the clients or
revoking the tokens for some of the clients may be introduced in the future.</p><p>Also
note that using a refresh token grant may further help with minimizing the end user involvement,
in cases when the current access token has expired.</p><h2 id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered
scopes</h2><p>Clients can register custom scopes they will be expected to use
and then avoid specifying the scopes when requesting the cod
 e grants or access tokens.<br clear="none"> Alternatively it makes it easier to support
so called wild-card scopes. For example, a client pre-registers a scope "update" and actually
uses an "update-7" scope: Redirection-based services and access token grants can be configured
to do a partial scope match, in this case, validate that "update-7" starts from "update"</p><h2
id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</h2><p>Using
CXF OAuth service implementations will help a lot with setting up an OAuth server. As you
can see from the above sections, these services rely on a custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
implementation.</p><p>The main task of OAuthDataProvider is to persist and generate
access tokens. Additionally, as noted above, AuthorizationCodeDataProvider need
 s to persist and remove the code grant registrations. The way it's done is really application-specific.
Consider starting with a basic memory based implementation and then move on to keeping the
data in some DB.</p><p>Note that OAuthDataProvider supports retrieving <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a>
instances but it has no methods for creating or removing Clients. The reason for it is that
the process of registering third-party clients is very specific to a particular OAuth2 application,
so CXF does not offer a registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[public
class CustomOAuthProvider implements OAuthDataProvider {
    public Client registerClient(String applicationName, String applicationURI, ...) {}
    public void removeClient(String cliendId) {}

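Review bot: the `removeClient` signature in the CustomOAuthProvider snippet misspells its parameter as `cliendId`; it should read `clientId`. Two documentation points in the same region: the pre-registered scopes paragraph says the partial scope match validates that "update-7" starts from "update", and because a bare prefix rule would equally accept any other registered-or-not scope string that happens to begin with "update", the text should spell out the exact rule the redirection services and grant handlers apply (plain prefix, or prefix plus a delimiter) so deployers can judge what a wild-card registration actually admits; and the heading "PreAuthorized access tokens" should be "Pre-authorized access tokens" to match the wording used in the paragraph below it.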
Added: websites/production/cxf/content/docs/json-web-tokens.html
==============================================================================
--- websites/production/cxf/content/docs/json-web-tokens.html (added)
+++ websites/production/cxf/content/docs/json-web-tokens.html Tue May 20 16:46:49 2014
@@ -0,0 +1,157 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+  <head>
+
+<link type="text/css" rel="stylesheet" href="/resources/site.css">
+<script src='/resources/space.js'></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture,
web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support,
integration standards, application integration, middleware, software, solutions, services,
CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - JSON Web Tokens">
+
+
+
+
+    <title>
+Apache CXF -- JSON Web Tokens
+    </title>
+  </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td id="cell-0-0" colspan="2">&nbsp;</td>
+    <td id="cell-0-1">&nbsp;</td>
+    <td id="cell-0-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-1-0">&nbsp;</td>
+    <td id="cell-1-1">&nbsp;</td>
+    <td id="cell-1-2">
+      <!-- Banner -->
+<div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0"
width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight:
bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/" title="The Apache Sofware Foundation"><img
border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
+</td></tr></table></div></div>
+      <!-- Banner -->
+      <div id="top-menu">
+        <table border="0" cellpadding="1" cellspacing="0" width="100%">
+          <tr>
+            <td>
+              <div align="left">
+                <!-- Breadcrumbs -->
+<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="restful-services.html">RESTful
Services</a>&nbsp;&gt;&nbsp;<a href="jax-rs.html">JAX-RS</a>&nbsp;&gt;&nbsp;<a
href="jax-rs-oauth2.html">JAX-RS OAuth2</a>&nbsp;&gt;&nbsp;<a href="json-web-tokens.html">JSON
Web Tokens</a>
+                <!-- Breadcrumbs -->
+              </div>
+            </td>
+            <td>
+              <div align="right">
+                <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="http://cxf.apache.org/download.html">Download</a>
| <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
+                <!-- Quicklinks -->
+              </div>
+            </td>
+          </tr>
+        </table>
+      </div>
+    </td>
+    <td id="cell-1-3">&nbsp;</td>
+    <td id="cell-1-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-2-0" colspan="2">&nbsp;</td>
+    <td id="cell-2-1">
+      <table>
+        <tr valign="top">
+          <td height="100%">
+            <div id="wrapper-menu-page-right">
+              <div id="wrapper-menu-page-top">
+                <div id="wrapper-menu-page-bottom">
+                  <div id="menu-page">
+                    <!-- NavigationBar -->
+<div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a
shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect"
href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a
shape="rect" href="transports.html">Transports</a></li><li><a shape="rect"
href="configuration.html">Configuration</a></li><li><a shape="rect"
href="debugging-and-logging.html">Debugging and Logging</a></li><li><a
shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful
Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL
Bindings</a></li><li><a shape="rect" href="service-routing.html">Service
Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic
Languages</a></li><li><a shape="rect" href="ws-support.html">WS-*
Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced
Integration</a></li><li><a shape
 ="rect" href="deployment.html">Deployment</a></li><li><a shape="rect"
href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul
class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded"
method="get" id="cse-search-box" action="http://www.google.com/cse">
+  <div>
+    <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+    <input type="hidden" name="ie" value="UTF-8">
+    <input type="text" name="q" size="21">
+    <input type="submit" name="sa" value="Search">
+  </div>
+</form>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script><hr><ul
class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API
2.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest-3.0.x/">API
3.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF
Website</a></li></ul></div>
+                    <!-- NavigationBar -->
+                  </div>
+              </div>
+            </div>
+          </div>
+         </td>
+         <td height="100%">
+           <!-- Content -->
+           <div class="wiki-content">
+<div id="ConfluenceContent"><h1 id="JSONWebTokens-JSONWebTokens">JSON Web Tokens</h1><p>&#160;</p><h1
id="JSONWebTokens-SignedJSONWebTokens">Signed JSON Web Tokens</h1><p>&#160;</p><h1
id="JSONWebTokens-JSONEncryption">JSON Encryption</h1><p>&#160;</p></div>
+           </div>
+           <!-- Content -->
+         </td>
+        </tr>
+      </table>
+   </td>
+   <td id="cell-2-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+   <td id="cell-3-0">&nbsp;</td>
+   <td id="cell-3-1">&nbsp;</td>
+   <td id="cell-3-2">
+     <div id="footer">
+       <!-- Footer -->
+       <div id="site-footer">
+         <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a>
- 
+         (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=41812304">edit
page</a>) 
+	 (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=41812304&amp;showComments=true&amp;showCommentArea=true#addcomment">add
comment</a>)<br>
+	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+        All other marks mentioned may be trademarks or registered trademarks of their respective
owners.
+       </div>
+       <!-- Footer -->
+     </div>
+   </td>
+   <td id="cell-3-3">&nbsp;</td>
+   <td id="cell-3-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-4-0" colspan="2">&nbsp;</td>
+    <td id="cell-4-1">&nbsp;</td>
+    <td id="cell-4-2" colspan="2">&nbsp;</td>
+  </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+
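Review bot: the new json-web-tokens.html is published with no body content: the `ConfluenceContent` div holds only three `<h1>` headings (JSON Web Tokens, Signed JSON Web Tokens, JSON Encryption), each followed by a `&#160;` placeholder, so anyone following the new breadcrumb link from JAX-RS OAuth2 lands on an empty page; either hold the page until the sections are written or add at least a one-paragraph introduction under the first heading. Minor: the analytics loader picks `http://www.` or `https://ssl.` from `document.location.protocol` and injects the script with `document.write`; a single https `<script src>` would remove both the scheme branch and the inline write. Also, the ASF logo link's title misspells "Sofware", and the bare `- ` line inside this add-only hunk (`@@ -0,0 +1,157 @@`) looks like a wrapped copy of the ` - ` separator between the Privacy Policy and edit-page links and should be checked against the raw diff.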