Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 69953CA09 for ; Sun, 18 Jan 2015 22:46:48 +0000 (UTC) Received: (qmail 33589 invoked by uid 500); 18 Jan 2015 22:46:50 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 33530 invoked by uid 500); 18 Jan 2015 22:46:50 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 33521 invoked by uid 99); 18 Jan 2015 22:46:50 -0000 Received: from eris.apache.org (HELO hades.apache.org) (140.211.11.105) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 18 Jan 2015 22:46:50 +0000 Received: from hades.apache.org (localhost [127.0.0.1]) by hades.apache.org (ASF Mail Server at hades.apache.org) with ESMTP id 4AA28AC003E for ; Sun, 18 Jan 2015 22:46:50 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r936695 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html docs/jax-rs-oauth2.html Date: Sun, 18 Jan 2015 22:46:50 -0000 To: commits@cxf.apache.org From: buildbot@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20150118224650.4AA28AC003E@hades.apache.org> Author: buildbot Date: Sun Jan 18 22:46:50 2015 New Revision: 936695 Log: Production update by buildbot for cxf Added: websites/production/cxf/content/docs/jax-rs-jose.html Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/jax-rs-oauth2.html Modified: websites/production/cxf/content/cache/docs.pageCache ============================================================================== Binary files - no diff available. Added: websites/production/cxf/content/docs/jax-rs-jose.html ============================================================================== --- websites/production/cxf/content/docs/jax-rs-jose.html (added) +++ websites/production/cxf/content/docs/jax-rs-jose.html Sun Jan 18 22:46:50 2015 @@ -0,0 +1,182 @@ + + + + + + + + + + + + + + + + + + + + + + + +Apache CXF -- JAX-RS JOSE + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
   
   + + + +
+ + + + + +
+ + + +
+
+ 		  
  + + + + + +
+
+
+
+
+ + + +
+
+
+
+ 		+ +
+

 

+ +

Introduction

CXF 3.0.x implements JOSE.

Maven Dependencies

+ +

 

Jose Overview

JWA Algorithms

JWK Keys

JWS Signature

 

JSON Encryption

JSON Web Tokens

 

JAX-RS Jose Filters

 

OAuth2 and Jose

 

Third-Party Alternatives

Jose4J. Etc.

 

+
+ +
+ 		 
   + +   
   
+ + + + + + + Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html ============================================================================== --- websites/production/cxf/content/docs/jax-rs-oauth2.html (original) +++ websites/production/cxf/content/docs/jax-rs-oauth2.html Sun Jan 18 22:46:50 2015 @@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2

JAX-RS: OAuth2

+/*]]>*/

 
Using Certificates

Working with the certificates to encrypt the state is similar to working with the symmetric keys. Please check the code examples in EncryptionsUtilsTest.

One needs to load a Certificate, use its public key to encrypt and the private key to decrypt. using the certificate to encrypt the whole serialized token representation might be marginally slower compared to using the symmetric keys, however given that the sequence is about 300+ characters maximum the performance can be reasonable.

Using Certificates and Secret Keys

The other approach is to generate a secret key, use this key to encrypt the token and then use the certi ficate to encrypt the key. The encrypted token and the actual encrypted secret key can be returned to the client as a token parameter, for example, as a 'key' parameter. This 'key' parameter will need to be returned to the OAuth2 server, via the HTTP header or the custom authorization scheme. The data providers using this mechanism will need to implement AccessTokenValidator and decrypt the encrypted key with the private certificate key, and decrypt the token with the decrypted secret key. Please check the code example in EncryptionsUtilsTest.

Encrypted JWT Tokens

JWT Token can be JWE-encrypted and the encrypted string passed to ServerAccessToken as access token id parameter.

See JS ON Web Tokens wiki page for more information on how to sign and encrypt JSON Web Tokens.

Custom tokens

If needed, users can use their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.

Simple Tokens and Audience

Starting from CXF 2.7.7 an audience parameter is supported during the client token requests.

AccessTokenValidationService

The AccessTokenValidationService is a CXF specific OAuth2 service for accepting the remote access token validation requests. Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party client and will ask AccessTokenValidationService to return the information relevant to the current access token, before setting up a security context. More on it below.

TokenRevocationService

TokenRevocationService is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh tokens they own themselves, please see OAuth2 Token Revocation Draft for more information.

TokenRevocationServic e and AccessTokenService share the same code which enforces that the clients have been correctly authenticated.

Note, OAuthDataProvider implementations processing a revocation request should simply ignore the invalid tokens as recommended by the specification which will let TokenRevocationService return HTTP 200 which is done to minimize a possible attack surface (specifically for bad clients not to see if their requests failed or succeeded) and throw the exceptions only if the token revocation feature is not currently supported.

Supported Grants

The following subsections briefly describe how the well-known grant types can be supported on the server side. Please also check the "Client Side Support" section on how to use the related Ac cessTokenGrant implementations to request the access tokens.

Authorization Code

As described above, AuthorizationCodeGrantService service and AuthorizationCodeDataProvider data provider can support a redirection-based Authorization Code flow.

The code that the client receives in the end of the redirection process will need to be exchanged for a new access token with AccessTokenService. CXF-based clients can use a helper AuthorizationCodeGrant bean to request a new access token with OAuthClientUtils.

Implicit

Implicit grant is supported the same way Authorization Code grant is except that the response to the client running within a web browser is formatted differently, using URI fragments.

ImplicitGrantService service and AuthorizationCodeDataProvider data provider can support a redirection-bas ed Implicit flow.

Note the only difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.

Also note that when an Implicit grant client (running within a browser) replaces the code grant for a new access token and tries to access the end user's resource, Cross Origin Resource Sharing (CORS) support will most likely need to be enabled on the end user's resource server.
The simplest approach is to register a CXF CORS filter, right before OAuth2 filter (see on it below).

Starting from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client id to the browser-hosted client. This is recommended so that the client can verify that the token is meant to be delivered to this client.

Client Credentials

Register ClientCredentialsGrantHandler handler with AccessTokenService for this grant be supported.

CXF-based clients can use a helper ClientCredentialsGrant bean to request a new access token with OAuthClientUtils.

Resource Owner Password Credentials

Register ResourceOwnerGrantHandler handler with AccessTokenService for this grant be supp orted.

CXF-based clients can use a helper ResourceOwnerGrant bean to request a new access token with OAuthClientUtils.

Refresh Token

The client can issue a refresh token grant if the current access token it owns has expired or been revoked and the refresh token was issued alongside with the access token which is now invalid and get the new, 'refreshed' access token. This can allow the client to avoid seeking a new authorization approval from the end user.

Register RefreshTokenGrantHandler handler with Acc essTokenService for this grant be supported. Note this grant handler is only useful for refreshing the existing access token, so one or more of the other grant handlers (Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.

CXF-based clients can use a helper RefreshTokenGrant bean to request a new access token with OAuthClientUtils.

Assertions

SAML2 Bearer and JWT assertions can be used as token grants.

Please see JAXRS OAuth2 Assertions section for more information.

Custom Grants

If you need to customize the way the well-known grant requests are handled then consider extending one of the grant handlers listed in the previous sub-sections.

Alternatively create a custom AccessTokenGrantHandler and register it with AccessTokenService. Additionally, consider providing a related AccessTokenGrant implementation for making it easy for the client code to request a new access token with this custom grant.

Redirection Flow Filters

AuthorizationCodeRequestFilter implementations can be registered with AuthorizationCodeService in order to pre-process code requests. For example, JwtRequestCodeFilter can be used to process JWS-signed or JWE-encrypted code requests.

AuthorizationCodeResponseFilter implementations can be registered with Authori zationCodeService in order to post-process code responses.

AccessTokenResponse Filters

AccessTokenResponseFilter implementations can be registered with AccessTokenService in order to post-process access token responses. For example,  OIDC id_token can be added to a response with a filter. Filters can also calculate an access token response signature, etc.

PreAuthorized access tokens

When working with the flows which require the end users/resource owners explicitly authorizing clients (for example, as in the case of redirection-based flows), using pre-authorized access tokens is one option to minimize the need for the end-user intervention.
OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists and if yes then it will be returned immediately, without starting the authorization process involving the end user (as required by some flows).

Consider providing a user interface which will let the end users/resource owners to pre-authorize specific clients early. Note, a CXF service for supporting the users pre-authorizing the clients or revoking the tokens for some of the clients may be introduced in the future.

Also note that using a refresh token grant may further help with minimizing the end user involvement, in cases when the curre nt access token has expired.

Pre-registered scopes

Clients can register custom scopes they will be expected to use and then avoid specifying the scopes when requesting the code grants or access tokens.
Alternatively it makes it easier to support so called wild-card scopes. For example, a client pre-registers a scope "update" and actually uses an "update-7" scope: Redirection-based services and access token grants can be configured to do a partial scope match, in this case, validate that "update-7" starts from "update"

Writing OAuthDataProvider

Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom OAuthDataProvider implementation.

The main task of OAuthDataProvider is to persist and generate access tokens. Additionally, as noted above, AuthorizationCodeDataProvider needs to persist and remove the code grant registrations. The way it's done is really application-specific. Consider starting with a basic memory based implementation and then move on to keeping the data in some DB.

Note that OAuthDataProvider supports retrieving Client instances but it has no methods for creating or removing Clients. The reason for it is that the process of registering third-party clients is very specific to a particular OAuth2 application, so CXF does not offer a registration support service and hence OAuthDataProvider has no Client create/update me thods. You will likely need to do something like this:

+
 
Using Certificates

Working with the certificates to encrypt the state is similar to working with the symmetric keys. Please check the code examples in EncryptionsUtilsTest.

One needs to load a Certificate, use its public key to encrypt and the private key to decrypt. using the certificate to encrypt the whole serialized token representation might be marginally slower compared to using the symmetric keys, however given that the sequence is about 300+ characters maximum the performance can be reasonable.

Using Certificates and Secret Keys

The other approach is to generate a secret key, use this key to encrypt the token and then use the certi ficate to encrypt the key. The encrypted token and the actual encrypted secret key can be returned to the client as a token parameter, for example, as a 'key' parameter. This 'key' parameter will need to be returned to the OAuth2 server, via the HTTP header or the custom authorization scheme. The data providers using this mechanism will need to implement AccessTokenValidator and decrypt the encrypted key with the private certificate key, and decrypt the token with the decrypted secret key. Please check the code example in EncryptionsUtilsTest.

Encrypted JWT Tokens

JWT Token can be JWE-encrypted and the encrypted string passed to ServerAccessToken as access token id parameter.

See JAX-RS Jose wiki page for more information on how to sign and encrypt JSON Web Tokens.

Custom tokens

If needed, users can use their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.

Simple Tokens and Audience

Starting from CXF 2.7.7 an audience parameter is supported during the client token requests.

AccessTokenValidationService

The AccessTokenValidationService is a CXF spe cific OAuth2 service for accepting the remote access token validation requests. Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party client and will ask AccessTokenValidationService to return the information relevant to the current access token, before setting up a security context. More on it below.

TokenRevocationService

TokenRevocationService is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh tokens they own themselves, please see OAuth2 Token Revocation Draft for more information.

TokenRevocationService and Ac cessTokenService share the same code which enforces that the clients have been correctly authenticated.

Note, OAuthDataProvider implementations processing a revocation request should simply ignore the invalid tokens as recommended by the specification which will let TokenRevocationService return HTTP 200 which is done to minimize a possible attack surface (specifically for bad clients not to see if their requests failed or succeeded) and throw the exceptions only if the token revocation feature is not currently supported.

Supported Grants

The following subsections briefly describe how the well-known grant types can be supported on the server side. Please also check the "Client Side Support" section on how to use the related AccessToke nGrant implementations to request the access tokens.

Authorization Code

As described above, AuthorizationCodeGrantService service and AuthorizationCodeDataProvider data provider can support a redirection-based Authorization Code flow.

The code that the client receives in the end of the redirection process will need to be exchanged for a new access token with AccessTokenService. CXF-based clients can use a helper AuthorizationCodeGrant bean to request a new access token with OAuthClientUtils.

Implicit

Implicit grant is supported the same way Authorization Code grant is except that the response to the client running within a web browser is formatted differently, using URI fragments.

ImplicitGrantService service and AuthorizationCodeDataProvider data provider can support a redirection-based Impli cit flow.

Note the only difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.

Also note that when an Implicit grant client (running within a browser) replaces the code grant for a new access token and tries to access the end user's resource, Cross Origin Resource Sharing (CORS) support will most likely need to be enabled on the end user's resource server.
The simplest approach is to register a CXF CORS filter, right before OAuth2 filter (see on it below).

Starting from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client id to the browser-hosted client. This is recommended so that the client can verify that the token is meant to be delivered to this client.

Client Credentials

Register ClientCredentialsGrantHandler handler with AccessTokenService for this grant be supported.

CXF-based clients can use a helper ClientCredentialsGrant bean to request a new access token with OAuthClientUtils.

Resource Owner Password Credentials

Register ResourceOwnerGrantHandler handler with AccessTokenService for this grant be supported.

CXF-based clients can use a helper ResourceOwnerGrant bean to request a new access token with OAuthClientUtils.

Refresh Token

The client can issue a refresh token grant if the current access token it owns has expired or been revoked and the refresh token was issued alongside with the access token which is now invalid and get the new, 'refreshed' access token. This can allow the client to avoid seeking a new authorization approval from the end user.

Register RefreshTokenGrantHandler handler with AccessToken Service for this grant be supported. Note this grant handler is only useful for refreshing the existing access token, so one or more of the other grant handlers (Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.

CXF-based clients can use a helper RefreshTokenGrant bean to request a new access token with OAuthClientUtils.

Assertions

SAML2 Bearer and JWT assertions can be used as token grants.

Please see JAXRS OAuth2 Assertions section for more information.

Custom Grants

If you need to customize the way the well-known grant requests are handled then consider extending one of the gra nt handlers listed in the previous sub-sections.

Alternatively create a custom AccessTokenGrantHandler and register it with AccessTokenService. Additionally, consider providing a related AccessTokenGrant implementation for making it easy for the client code to request a new access token with this custom grant.

Redirection Flow Filters

AuthorizationCodeRequestFilter implementations can be registered with AuthorizationCodeService in order to pre-process code requests. For example, JwtRequestCodeFilter can be used to process JWS-signed or JWE-encrypted code requests.

AuthorizationCodeResponseFilter implementations can be registered with AuthorizationCo deService in order to post-process code responses.

AccessTokenResponse Filters

AccessTokenResponseFilter implementations can be registered with AccessTokenService in order to post-process access token responses. For example,  OIDC id_token can be added to a response with a filter. Filters can also calculate an access token response signature, etc.

PreAuthorized access tokens

When working with the flows which require the end users/resource owners explicitly authorizing clients (for example, as in the case of redirection-based flows), using pre-authorized access tokens is one option to minimize the need for the end-user intervention.
OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists and if yes then it will be returned immediately, without starting the authorization process involving the end user (as required by some flows).

Consider providing a user interface which will let the end users/resource owners to pre-authorize specific clients early. Note, a CXF service for supporting the users pre-authorizing the clients or revoking the tokens for some of the clients may be introduced in the future.

Also note that using a refresh token grant may further help with minimizing the end user involvement, in cases when the current acces s token has expired.

Pre-registered scopes

Clients can register custom scopes they will be expected to use and then avoid specifying the scopes when requesting the code grants or access tokens.
Alternatively it makes it easier to support so called wild-card scopes. For example, a client pre-registers a scope "update" and actually uses an "update-7" scope: Redirection-based services and access token grants can be configured to do a partial scope match, in this case, validate that "update-7" starts from "update"

Writing OAuthDataProvider

Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom OAuthDataProvider implementation.

The main task of OAuthDataProvider is to persist and generate access tokens. Additionally, as noted above, AuthorizationCodeDataProvider needs to persist and remove the code grant registrations. The way it's done is really application-specific. Consider starting with a basic memory based implementation and then move on to keeping the data in some DB.

Note that OAuthDataProvider supports retrieving Client instances but it has no methods for creating or removing Clients. The reason for it is that the process of registering third-party clients is very specific to a particular OAuth2 application, so CXF does not offer a registration support service and hence OAuthDataProvider has no Client create/update methods. Y ou will likely need to do something like this:

-

OAuth2 and JOSE

TODO

Design considerations

This section will talk about various design considerations one need to take into account when deploying OAuth-based solutions.

Controlling the Access to Resource Server

One of the most important issues one need to resolve is how to partition a URI space of the resource server application.

We have two different parties trying to access it, the end users which access the resource server to get to the resources which they own and 3rd party clients which have been authorized by the end users to access some of their resources.

In the former case the way the authentication is managed is completely up to the resource server application: basic authentication, two-way TLS, OpenId (more on it below), you name it.

In the latter case an OAuth filter must enforc e that the 3rd party client has been registered using the provided client key and that it has a valid access token which represents the end user's approval.

Letting both parties access the resource server via the same URI(s) complicates the life for the security filters but all the parties are only aware of the single resource server URI which all of them will use.

Providing different access points to end users and clients may significantly simplify the authentication process - the possible downside is that multiple access points need to be maintained by the resource server.

Both options are discussed next.

Sharing the same access path between end users and clients

The first problem which needs to be addressed is how to distinguish end users from third-party clients and get both parties authenticated as required.
Perhaps the simplest option is to extend a CXF OAuth2 f ilter (JAX-RS or servlet one), check Authorization header, if it is OAuth2 then delegate to the superclass, alternatively - proceed with authenticating the end users:

+

OAuth2 and JOSE

See JAX-RS Jose wiki page for the information about JOSE and how it is supported in CXF,

//TODO: describe how Jose is used in CXF OAuth2

 

OAuth2 and OIDC

 

//TODO

Design considerations

This section will talk about various design considerations one need to take into account when deploying OAuth-based solutions.

Controlling the Access to Resource Server

One of the most important issues one need to resolve is how to partition a URI space of the resource server application.

We have two different parties trying to access it, the end users which access the resource server to get to the resources which they own and 3rd party clients which have been authorized by the end users t o access some of their resources.

In the former case the way the authentication is managed is completely up to the resource server application: basic authentication, two-way TLS, OpenId (more on it below), you name it.

In the latter case an OAuth filter must enforce that the 3rd party client has been registered using the provided client key and that it has a valid access token which represents the end user's approval.

Letting both parties access the resource server via the same URI(s) complicates the life for the security filters but all the parties are only aware of the single resource server URI which all of them will use.

Providing different access points to end users and clients may significantly simplify the authentication process - the possible downside is that multiple access points need to be maintained by the resource server.

Both options are discussed next.

Sharing the same access path between end users and clients

The first problem which needs to be addressed is how to distinguish end users from third-party clients and get both parties authenticated as required.
Perhaps the simplest option is to extend a CXF OAuth2 filter (JAX-RS or servlet one), check Authorization header, if it is OAuth2 then delegate to the superclass, alternatively - proceed with authenticating the end users:

-

Let's assume that the 3rd party client has been allowed to read the public user Calendars at "/calendar/{id}" only, how to make sure that the client won't try to:
1. update the calendar available at the same path
2. read the private Calendars available at "/calendar/{id}/private"

As noted above, OAuthPermission has an optional URIs property. Thus one way to solve the problem with the private calendar is to add, say, a uri "/calendar/{id}" or "/calendar/1" (etc) property to OAuthPermission (representing a scope like "readCalendar") and the OAuth filter will make sure no subresources beyond "/calendar/{id}" can be accessed. Note, adding a "*" at the end of a given URI property, for example, "/a*" will let the client access "/a", "/ a/b", etc.

Solving the problem with preventing the update can be easily solved by adding an httpVerb property to a given OAuthPermission.

One more option is to rely on the role-based access control and have @RolesAllowed allocated such that only users in roles like "client" or "enduser" can invoke the getCalendar() method and let only those in the "enduser" role access getPrivateCalendar() and updateCalendar(). OAuthPermission can help here too as described in the section on using OAuth fiters.

Providing different access points to end users and clients

Rather than letting both the end users and 3rd party clients use the same URI such as "http://myapp.com/service/calendars/{id}", one may want to introduce two URIs, one for end users and one for third-party clients, for example, "http://myapp.com/service/calendars/{id}" - for endusers, "http://myapp.com/partners/calendars/{id}" - for the 3rd party clients and deploy 2 jaxrs endpoints, where one is protected by the security filter checking the end users, and the one - by OAuth filters.

Additionally the endpoint managing the 3rd party clients will deploy a resource which will offer a resticted URI space support. For example, if the application will only allow 3rd party clients to read calendars then this resource will only have a method supporting @GET and "/calendar/{id}".

Single Sign On

When dealing with authenticating the end users, having an SSO solution in place is very handy. This is because the end user interacts with both the third-party and its resource server web applications and is also redirected from the client application to the resource server and back again. Additionally, the end user may need to authenticate with Authorization service if it is not collocated with the application endpoints. OpenID or say a WebBrowser SSO profile can help.

CXF 2.6.1 provides an initial support for a SAML2 SSO profile. This will make it easier to minimize a number of sign ins to a single attempt and run OAuth2 Authorization servers separately from the application endpoints.

+

Let's assume that the 3rd party client has been allowed to read the public user Calendars at "/calendar/{id}" only, how to make sure that the client won't try to:
1. update the calendar available at the same path
2. read the private Calendars available at "/calendar/{id}/private"

As noted above, OAuthPermission has an optional URIs property. Thus one way to solve the problem with the private calendar is to add, say, a uri "/calendar/{id}" or "/calendar/1" (etc) property to OAuthPermission (representing a scope like "readCalendar") and the OAuth filter will make sure no subresources beyond "/calendar/{id}" can be accessed. Note, adding a "*" at the end of a given URI property, for example, "/a*" will let the client access "/a", "/ a/b", etc.

Solving the problem with preventing the update can be easily solved by adding an httpVerb property to a given OAuthPermission.

One more option is to rely on the role-based access control and have @RolesAllowed allocated such that only users in roles like "client" or "enduser" can invoke the getCalendar() method and let only those in the "enduser" role access getPrivateCalendar() and updateCalendar(). OAuthPermission can help here too as described in the section on using OAuth fiters.

Providing different access points to end users and clients

Rather than letting both the end users and 3rd party clients use the same URI such as "http://myapp.com/service/calendars/{id}", one may want to introduce two URIs, one for end users and one for third-party clients, for example, "http://myapp.com/service/calendars/{id}" - for endusers, "http://myapp.com/partners/calendars/{id}" - for the 3rd party clients and deploy 2 jaxrs endpoints, where one is protected by the security filter checking the end users, and the one - by OAuth filters.

Additionally the endpoint managing the 3rd party clients will deploy a resource which will offer a resticted URI space support. For example, if the application will only allow 3rd party clients to read calendars then this resource will only have a method supporting @GET and "/calendar/{id}".

Single Sign On

When dealing with authenticating the end users, having an SSO solution in place is very handy. This is because the end user interacts with both the third-party and its resource server web applications and is also redirected from the client application to the resource server and back again. Additionally, the end user may need to authenticate with Authorization service if it is not collocated with the application endpoints. OpenID or say a WebBrowser SSO profile can help.

CXF 2.6.1 provides an initial support for a SAML2 SSO profile. This will make it easier to minimize a number of sign ins to a single attempt and run OAuth2 Authorization servers separately from the application endpoints.

The work started in CXF 3.1.0 for integrating with OpenId Connect.