cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-6280] Prototyping an Implcit confidenatial grant service which returns a token directly to a JS client which is used by a huna user to copy tokens to confidential clients
Date Wed, 22 Apr 2015 16:32:55 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 03b7d19c8 -> 06b934503


[CXF-6280] Prototyping an Implcit confidenatial grant service which returns a token directly
to a JS client which is used by a huna user to copy tokens to confidential clients


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/06b93450
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/06b93450
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/06b93450

Branch: refs/heads/3.0.x-fixes
Commit: 06b9345031e37084fb0ed44b08cb6c6787ac3886
Parents: 03b7d19
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Wed Apr 22 17:15:39 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Wed Apr 22 17:32:35 2015 +0100

----------------------------------------------------------------------
 .../oauth2/filters/OAuthRequestFilter.java      |  16 +-
 .../services/AbstractImplicitGrantService.java  | 167 +++++++++++++++++++
 .../ImplicitConfidentialGrantService.java       |  51 ++++++
 .../oauth2/services/ImplicitGrantService.java   | 134 +--------------
 .../services/RedirectionBasedGrantService.java  |   4 +-
 .../security/oauth2/utils/OAuthConstants.java   |   4 +
 6 files changed, 240 insertions(+), 136 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/06b93450/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index fe638be..22af72c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -28,7 +28,6 @@ import javax.annotation.Priority;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.HttpMethod;
 import javax.ws.rs.Priorities;
-import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -40,6 +39,7 @@ import javax.ws.rs.ext.Provider;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.jaxrs.utils.FormUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
@@ -71,6 +71,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     private boolean checkFormData;
     private List<String> requiredScopes = Collections.emptyList();
     private boolean allPermissionsMatch;
+    private boolean blockPublicClients;
     
     public void filter(ContainerRequestContext context) {
         validateRequest(JAXRSUtils.getCurrentMessage());
@@ -111,7 +112,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
             || !requiredScopes.isEmpty() && requiredScopes.size() != matchingPermissions.size())
{
             String message = "Client has no valid permissions";
             LOG.warning(message);
-            throw new WebApplicationException(403);
+            throw ExceptionUtils.toForbiddenException(null, null);
         }
       
         if (accessTokenV.getClientIpAddress() != null) {
@@ -119,9 +120,14 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
             if (remoteAddress == null || accessTokenV.getClientIpAddress().matches(remoteAddress))
{
                 String message = "Client IP Address is invalid";
                 LOG.warning(message);
-                throw new WebApplicationException(403);
+                throw ExceptionUtils.toForbiddenException(null, null);
             }
         }
+        if (blockPublicClients && !accessTokenV.isClientConfidential()) {
+            String message = "Only Confidential Clients are supported";
+            LOG.warning(message);
+            throw ExceptionUtils.toForbiddenException(null, null);
+        }
         
         // Create the security context and make it available on the message
         SecurityContext sc = createSecurityContext(req, accessTokenV);
@@ -273,5 +279,9 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     public void setAllPermissionsMatch(boolean allPermissionsMatch) {
         this.allPermissionsMatch = allPermissionsMatch;
     }
+
+    public void setBlockPublicClients(boolean blockPublicClients) {
+        this.blockPublicClients = blockPublicClients;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06b93450/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
new file mode 100644
index 0000000..ad09e75
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -0,0 +1,167 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.services;
+
+import java.net.URI;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
+import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+
+
+public abstract class AbstractImplicitGrantService extends RedirectionBasedGrantService {
+    // For a client to validate that this client is a targeted recipient.
+    private boolean reportClientId;
+    private List<AccessTokenResponseFilter> responseHandlers = new LinkedList<AccessTokenResponseFilter>();
+    
+    protected AbstractImplicitGrantService(String supportedResponseType,
+                                           String supportedGrantType) {
+        super(supportedResponseType, supportedGrantType);
+    }
+    
+    protected Response createGrant(MultivaluedMap<String, String> params,
+                                   Client client,
+                                   String redirectUri,
+                                   List<String> requestedScope,
+                                   List<String> approvedScope,
+                                   UserSubject userSubject,
+                                   ServerAccessToken preAuthorizedToken) {
+        ServerAccessToken token = null;
+        if (preAuthorizedToken == null) {
+            AccessTokenRegistration reg = new AccessTokenRegistration();
+            reg.setClient(client);
+            reg.setGrantType(OAuthConstants.IMPLICIT_GRANT);
+            reg.setSubject(userSubject);
+            reg.setRequestedScope(requestedScope);        
+            if (approvedScope != null && approvedScope.isEmpty()) {
+                // no down-scoping done by a user, all of the requested scopes have been
authorized
+                reg.setApprovedScope(requestedScope);
+            } else {
+                reg.setApprovedScope(approvedScope);
+            }
+            reg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+            token = getDataProvider().createAccessToken(reg);
+        } else {
+            token = preAuthorizedToken;
+        }
+        
+        ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(token, isWriteOptionalParameters());
+        processClientAccessToken(clientToken, token);
+   
+        // return the token by appending it as a fragment parameter to the redirect URI
+        
+        StringBuilder sb = getUriWithFragment(redirectUri);
+        
+        sb.append(OAuthConstants.ACCESS_TOKEN).append("=").append(clientToken.getTokenKey());
+        String state = params.getFirst(OAuthConstants.STATE);
+        if (state != null) {
+            sb.append("&");
+            sb.append(OAuthConstants.STATE).append("=").append(state);   
+        }
+        sb.append("&")
+            .append(OAuthConstants.ACCESS_TOKEN_TYPE).append("=").append(clientToken.getTokenType());
+        
+        if (isWriteOptionalParameters()) {
+            sb.append("&").append(OAuthConstants.ACCESS_TOKEN_EXPIRES_IN)
+                .append("=").append(clientToken.getExpiresIn());
+            if (!StringUtils.isEmpty(clientToken.getApprovedScope())) {
+                sb.append("&").append(OAuthConstants.SCOPE).append("=")
+                    .append(HttpUtils.queryEncode(clientToken.getApprovedScope()));
+            }
+            for (Map.Entry<String, String> entry : clientToken.getParameters().entrySet())
{
+                sb.append("&").append(entry.getKey()).append("=").append(HttpUtils.queryEncode(entry.getValue()));
+            }
+        }
+        if (token.getRefreshToken() != null) {
+            processRefreshToken(sb, token.getRefreshToken());
+        }
+        if (reportClientId) {
+            sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(client.getClientId());
+        }
+        
+        return Response.seeOther(URI.create(sb.toString())).build();
+    }
+    
+    protected void processRefreshToken(StringBuilder sb, String refreshToken) {
+        LOG.warning("Implicit grant tokens MUST not have refresh tokens, refresh token will
not be reported");
+    }
+
+    protected void processClientAccessToken(ClientAccessToken clientToken, ServerAccessToken
serverToken) {
+        for (AccessTokenResponseFilter filter : responseHandlers) {
+            filter.process(clientToken, serverToken); 
+        }
+    }
+    protected Response createErrorResponse(MultivaluedMap<String, String> params,
+                                          String redirectUri,
+                                          String error) {
+        StringBuilder sb = getUriWithFragment(redirectUri);
+        sb.append(OAuthConstants.ERROR_KEY).append("=").append(error);
+        String state = params.getFirst(OAuthConstants.STATE);
+        if (state != null) {
+            sb.append("&");
+            sb.append(OAuthConstants.STATE).append("=").append(state);   
+        }
+        return Response.seeOther(URI.create(sb.toString())).build();
+    }
+    
+    private StringBuilder getUriWithFragment(String redirectUri) {
+        StringBuilder sb = new StringBuilder();
+        sb.append(redirectUri);
+        sb.append("#");
+        return sb;
+    }
+
+    public void setReportClientId(boolean reportClientId) {
+        this.reportClientId = reportClientId;
+    }
+    
+    public void setResponseFilters(List<AccessTokenResponseFilter> handlers) {
+        this.responseHandlers = handlers;
+    }
+    
+    public void setResponseFilter(AccessTokenResponseFilter responseHandler) {
+        responseHandlers.add(responseHandler);
+    }
+
+    @Override
+    protected boolean canRedirectUriBeEmpty(Client c) {
+        return false;
+    }
+    @Override
+    protected boolean canSupportPublicClient(Client c) {
+        return true;
+    }
+}
+
+

http://git-wip-us.apache.org/repos/asf/cxf/blob/06b93450/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitConfidentialGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitConfidentialGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitConfidentialGrantService.java
new file mode 100644
index 0000000..1847fc7
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitConfidentialGrantService.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.services;
+
+import javax.ws.rs.Path;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+
+/**
+ * Redirection-based Implicit Grant Service which returns tokens for the confidential clients
+ * directly to a human user. 
+ */
+@Path("/implicit-confidential")
+public class ImplicitConfidentialGrantService extends AbstractImplicitGrantService {
+
+    public ImplicitConfidentialGrantService() {
+        super(OAuthConstants.TOKEN_RESPONSE_TYPE, OAuthConstants.IMPLICIT_CONFIDENTIAL_GRANT);
+    }
+    
+    @Override
+    protected void processRefreshToken(StringBuilder sb, String refreshToken) {
+        sb.append("&").append(OAuthConstants.REFRESH_TOKEN).append("=").append(refreshToken);
+    }
+    @Override
+    protected boolean canSupportPublicClient(Client c) {
+        return false;
+    }
+    
+    
+}
+
+

http://git-wip-us.apache.org/repos/asf/cxf/blob/06b93450/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
index e0cda91..4101241 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
@@ -19,25 +19,8 @@
 
 package org.apache.cxf.rs.security.oauth2.services;
 
-import java.net.URI;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-
 import javax.ws.rs.Path;
-import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.core.Response;
-
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.jaxrs.utils.HttpUtils;
-import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 
 
 /**
@@ -50,124 +33,11 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
  * authorization code or implicit grant.
  */
 @Path("/authorize-implicit")
-public class ImplicitGrantService extends RedirectionBasedGrantService {
-    // For a client to validate that this client is a targeted recipient.
-    private boolean reportClientId;
-    private List<AccessTokenResponseFilter> responseHandlers = new LinkedList<AccessTokenResponseFilter>();
-    
+public class ImplicitGrantService extends AbstractImplicitGrantService {
+
     public ImplicitGrantService() {
         super(OAuthConstants.TOKEN_RESPONSE_TYPE, OAuthConstants.IMPLICIT_GRANT);
     }
-    
-    protected Response createGrant(MultivaluedMap<String, String> params,
-                                   Client client,
-                                   String redirectUri,
-                                   List<String> requestedScope,
-                                   List<String> approvedScope,
-                                   UserSubject userSubject,
-                                   ServerAccessToken preAuthorizedToken) {
-        ServerAccessToken token = null;
-        if (preAuthorizedToken == null) {
-            AccessTokenRegistration reg = new AccessTokenRegistration();
-            reg.setClient(client);
-            reg.setGrantType(OAuthConstants.IMPLICIT_GRANT);
-            reg.setSubject(userSubject);
-            reg.setRequestedScope(requestedScope);        
-            if (approvedScope != null && approvedScope.isEmpty()) {
-                // no down-scoping done by a user, all of the requested scopes have been
authorized
-                reg.setApprovedScope(requestedScope);
-            } else {
-                reg.setApprovedScope(approvedScope);
-            }
-            reg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
-            token = getDataProvider().createAccessToken(reg);
-        } else {
-            token = preAuthorizedToken;
-        }
-        if (token.getRefreshToken() != null) {
-            LOG.warning("Implicit grant tokens MUST not have refresh tokens, refresh token
will not be reported");
-        }
-        ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(token, isWriteOptionalParameters());
-        processClientAccessToken(clientToken, token);
-   
-        // return the token by appending it as a fragment parameter to the redirect URI
-        
-        StringBuilder sb = getUriWithFragment(redirectUri);
-        
-        sb.append(OAuthConstants.ACCESS_TOKEN).append("=").append(clientToken.getTokenKey());
-        String state = params.getFirst(OAuthConstants.STATE);
-        if (state != null) {
-            sb.append("&");
-            sb.append(OAuthConstants.STATE).append("=").append(state);   
-        }
-        sb.append("&")
-            .append(OAuthConstants.ACCESS_TOKEN_TYPE).append("=").append(clientToken.getTokenType());
-        
-        if (isWriteOptionalParameters()) {
-            sb.append("&").append(OAuthConstants.ACCESS_TOKEN_EXPIRES_IN)
-                .append("=").append(clientToken.getExpiresIn());
-            if (!StringUtils.isEmpty(clientToken.getApprovedScope())) {
-                sb.append("&").append(OAuthConstants.SCOPE).append("=")
-                    .append(HttpUtils.queryEncode(clientToken.getApprovedScope()));
-            }
-            for (Map.Entry<String, String> entry : clientToken.getParameters().entrySet())
{
-                sb.append("&").append(entry.getKey()).append("=").append(HttpUtils.queryEncode(entry.getValue()));
-            }
-        }
-        if (reportClientId) {
-            sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(client.getClientId());
-        }
-        
-        return Response.seeOther(URI.create(sb.toString())).build();
-    }
-    protected void processClientAccessToken(ClientAccessToken clientToken, ServerAccessToken
serverToken) {
-        for (AccessTokenResponseFilter filter : responseHandlers) {
-            filter.process(clientToken, serverToken); 
-        }
-    }
-    protected Response createErrorResponse(MultivaluedMap<String, String> params,
-                                           String redirectUri,
-                                           String error) {
-        StringBuilder sb = getUriWithFragment(redirectUri);
-        sb.append(OAuthConstants.ERROR_KEY).append("=").append(error);
-        String state = params.getFirst(OAuthConstants.STATE);
-        if (state != null) {
-            sb.append("&");
-            sb.append(OAuthConstants.STATE).append("=").append(state);   
-        }
-        
-        return Response.seeOther(URI.create(sb.toString())).build();
-    }
-    
-    private StringBuilder getUriWithFragment(String redirectUri) {
-        StringBuilder sb = new StringBuilder();
-        sb.append(redirectUri);
-        sb.append("#");
-        return sb;
-    }
-
-    public void setReportClientId(boolean reportClientId) {
-        this.reportClientId = reportClientId;
-    }
-    
-    public void setResponseFilters(List<AccessTokenResponseFilter> handlers) {
-        this.responseHandlers = handlers;
-    }
-    
-    public void setResponseFilter(AccessTokenResponseFilter responseHandler) {
-        responseHandlers.add(responseHandler);
-    }
-
-    @Override
-    protected boolean canSupportPublicClient(Client c) {
-        return true;
-    }
-    
-    @Override
-    protected boolean canRedirectUriBeEmpty(Client c) {
-        return false;
-    }
-    
 }
 
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/06b93450/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index b7c3385..a6260bd 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -404,7 +404,9 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         return client;
         
     }
-
+    protected String getSupportedGrantType() {
+        return this.supportedGrantType;
+    }
     public void setResourceOwnerNameProvider(ResourceOwnerNameProvider resourceOwnerNameProvider)
{
         this.resourceOwnerNameProvider = resourceOwnerNameProvider;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/06b93450/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
index 945c8a9..9f4a801 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
@@ -48,6 +48,10 @@ public final class OAuthConstants {
     public static final String RESOURCE_OWNER_GRANT = "password";
     public static final String REFRESH_TOKEN_GRANT = "refresh_token";
     
+    // CXF-specific grant
+    // The token is returned directly to a human user who copies it into a confidential client
+    public static final String IMPLICIT_CONFIDENTIAL_GRANT = "urn:ietf:params:oauth:grant-type:implicit-confidential";
+    
     // Well-known token types
     public static final String BEARER_TOKEN_TYPE = "bearer";
     public static final String HAWK_TOKEN_TYPE = "hawk";


Mime
View raw message