cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-6753] OAuth2 audience related changes, more likely to follow
Date Thu, 21 Jan 2016 13:07:20 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes e0b56c9e6 -> 73cce96fa


[CXF-6753] OAuth2 audience related changes, more likely to follow


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/73cce96f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/73cce96f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/73cce96f

Branch: refs/heads/3.1.x-fixes
Commit: 73cce96fa123c8a4245269157692fb6f596dfc9b
Parents: e0b56c9
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Jan 21 13:02:09 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Jan 21 13:07:00 2016 +0000

----------------------------------------------------------------------
 .../oauth2/common/AccessTokenRegistration.java  | 13 +++--
 .../oauth2/common/AccessTokenValidation.java    | 20 ++++----
 .../rs/security/oauth2/common/OAuthContext.java | 12 ++---
 .../oauth2/common/ServerAccessToken.java        | 14 +++---
 .../oauth2/common/TokenIntrospection.java       |  7 +--
 .../filters/AccessTokenIntrospectionClient.java |  2 +-
 .../oauth2/filters/OAuthRequestFilter.java      | 52 +++++++++++++++-----
 .../oauth2/grants/AbstractGrantHandler.java     | 34 +++++++++----
 .../code/AuthorizationCodeGrantHandler.java     | 30 ++++++++---
 .../code/ServerAuthorizationCodeGrant.java      |  9 ----
 .../provider/AbstractOAuthDataProvider.java     |  6 +--
 .../oauth2/provider/OAuthJSONProvider.java      | 35 +++++++++++--
 .../services/AbstractAccessTokenValidator.java  | 19 +------
 .../services/AbstractImplicitGrantService.java  |  3 +-
 .../oauth2/services/AccessTokenService.java     | 31 ++----------
 .../services/RedirectionBasedGrantService.java  |  8 ++-
 .../services/TokenIntrospectionService.java     |  5 +-
 .../rs/security/oauth2/utils/OAuthUtils.java    | 12 ++++-
 .../utils/crypto/ModelEncryptionSupport.java    |  4 +-
 .../oauth2/utils/crypto/CryptoUtilsTest.java    |  4 +-
 .../utils/crypto/EncryptingDataProvider.java    |  2 +-
 21 files changed, 186 insertions(+), 136 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
index db443da..a4a4a2c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
@@ -30,7 +30,7 @@ public class AccessTokenRegistration {
     private List<String> approvedScope = new LinkedList<String>();
     private String grantType;
     private UserSubject subject;
-    private String audience;
+    private List<String> audiences = new LinkedList<String>();
     private String nonce;
     private String clientCodeVerifier;
     
@@ -115,14 +115,14 @@ public class AccessTokenRegistration {
         return grantType;
     }
 
-    public String getAudience() {
-        return audience;
+    public List<String> getAudiences() {
+        return audiences;
     }
 
-    public void setAudience(String audience) {
-        this.audience = audience;
+    public void setAudiences(List<String> audiences) {
+        this.audiences = audiences;
     }
-
+    
     public String getClientCodeVerifier() {
         return clientCodeVerifier;
     }
@@ -138,5 +138,4 @@ public class AccessTokenRegistration {
     public void setNonce(String nonce) {
         this.nonce = nonce;
     }
-    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
index 508b37f..6a33e2b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
@@ -55,7 +55,7 @@ public class AccessTokenValidation {
     private long tokenLifetime;
     private UserSubject tokenSubject;
     private List<OAuthPermission> tokenScopes = new LinkedList<OAuthPermission>();
-    private String audience;
+    private List<String> audiences = new LinkedList<String>();
     private String clientCodeVerifier;
     private Map<String, String> extraProps = new HashMap<String, String>();
     
@@ -76,7 +76,7 @@ public class AccessTokenValidation {
         
         this.tokenSubject = token.getSubject();
         this.tokenScopes = token.getScopes();
-        this.audience = token.getAudience();
+        this.setAudiences(token.getAudiences());
         this.clientCodeVerifier = token.getClientCodeVerifier();
     }
     
@@ -137,14 +137,6 @@ public class AccessTokenValidation {
         this.tokenType = tokenType;
     }
 
-    public String getAudience() {
-        return audience;
-    }
-
-    public void setAudience(String audience) {
-        this.audience = audience;
-    }
-
     public String getClientIpAddress() {
         return clientIpAddress;
     }
@@ -183,5 +175,13 @@ public class AccessTokenValidation {
     public void setInitialValidationSuccessful(boolean localValidationSuccessful) {
         this.initialValidationSuccessful = localValidationSuccessful;
     }
+
+    public List<String> getAudiences() {
+        return audiences;
+    }
+
+    public void setAudiences(List<String> audiences) {
+        this.audiences = audiences;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
index 492ca25..6e83e08 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
@@ -35,7 +35,7 @@ public class OAuthContext {
     private String clientId;
     private boolean isClientConfidential;
     private String tokenKey;
-    private String tokenAudience;
+    private List<String> tokenAudiences;
     private String[] tokenRequestParts;
     
     public OAuthContext(UserSubject resourceOwnerSubject,
@@ -113,14 +113,14 @@ public class OAuthContext {
         this.tokenKey = tokenKey;
     }
 
-    public String getTokenAudience() {
-        return tokenAudience;
+    public List<String> getTokenAudiences() {
+        return tokenAudiences;
     }
 
-    public void setTokenAudience(String tokenAudience) {
-        this.tokenAudience = tokenAudience;
+    public void setTokenAudiences(List<String> audiences) {
+        this.tokenAudiences = audiences;
     }
-
+    
     public String[] getTokenRequestParts() {
         return tokenRequestParts;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
index 7c64a51..89220f3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
@@ -35,7 +35,7 @@ public abstract class ServerAccessToken extends AccessToken {
     private Client client;
     private List<OAuthPermission> scopes = new LinkedList<OAuthPermission>();
     private UserSubject subject;
-    private String audience;
+    private List<String> audiences = new LinkedList<String>();
     private String clientCodeVerifier;
     private String nonce;
     
@@ -69,7 +69,7 @@ public abstract class ServerAccessToken extends AccessToken {
         this.client = token.getClient();
         this.grantType = token.getGrantType();
         this.scopes = token.getScopes();
-        this.audience = token.getAudience();
+        this.audiences = token.getAudiences();
         this.subject = token.getSubject();
     }
 
@@ -137,14 +137,14 @@ public abstract class ServerAccessToken extends AccessToken {
         return grantType;
     }
 
-    public String getAudience() {
-        return audience;
+    public List<String> getAudiences() {
+        return audiences;
     }
 
-    public void setAudience(String audience) {
-        this.audience = audience;
+    public void setAudiences(List<String> audiences) {
+        this.audiences = audiences;
     }
-
+    
     protected static ServerAccessToken validateTokenType(ServerAccessToken token, String expectedType) {
         if (!token.getTokenType().equals(expectedType)) {
             throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
index 4e3911f..1a172a9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.oauth2.common;
 
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 // RFC 7622 Introspection Response
@@ -32,7 +33,7 @@ public class TokenIntrospection {
     private Long exp;
     private Long nbf;
     private String sub;
-    private String aud;
+    private List<String> aud;
     private String iss;
     private String jti;
     
@@ -100,10 +101,10 @@ public class TokenIntrospection {
     public void setSub(String sub) {
         this.sub = sub;
     }
-    public String getAud() {
+    public List<String> getAud() {
         return aud;
     }
-    public void setAud(String aud) {
+    public void setAud(List<String> aud) {
         this.aud = aud;
     }
     public String getIss() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
index c730c9c..0b1a267 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
@@ -68,7 +68,7 @@ public class AccessTokenIntrospectionClient implements AccessTokenValidator {
         atv.setClientId(response.getClientId());
         atv.setTokenIssuedAt(response.getIat());
         atv.setTokenLifetime(response.getExp() - response.getIat());
-        atv.setAudience(response.getAud());
+        atv.setAudiences(response.getAud());
         if (response.getScope() != null) {
             String[] scopes = response.getScope().split(" ");
             List<OAuthPermission> perms = new LinkedList<OAuthPermission>();

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index 3963a1f..498dd02 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -38,6 +38,7 @@ import javax.ws.rs.ext.Provider;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.jaxrs.utils.FormUtils;
@@ -68,7 +69,9 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     private static final Logger LOG = LogUtils.getL7dLogger(OAuthRequestFilter.class);
     
     private boolean useUserSubject;
-    private boolean audienceIsEndpointAddress;
+    private String audience;
+    private boolean completeAudienceMatch;
+    
     private boolean checkFormData;
     private List<String> requiredScopes = Collections.emptyList();
     private boolean allPermissionsMatch;
@@ -98,6 +101,10 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         if (!accessTokenV.isInitialValidationSuccessful()) {
             throw ExceptionUtils.toNotAuthorizedException(null, null);
         }
+        // Check audiences
+        if (!validateAudiences(accessTokenV.getAudiences())) {
+            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+        }
         // Find the scopes which match the current request
         
         List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
@@ -155,7 +162,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         oauthContext.setClientId(accessTokenV.getClientId());
         oauthContext.setClientConfidential(accessTokenV.isClientConfidential());
         oauthContext.setTokenKey(accessTokenV.getTokenKey());
-        oauthContext.setTokenAudience(accessTokenV.getAudience());
+        oauthContext.setTokenAudiences(accessTokenV.getAudiences());
         oauthContext.setTokenRequestParts(authParts);
         m.setContent(OAuthContext.class, oauthContext);
     }
@@ -234,21 +241,24 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         return MessageUtils.isTrue(m.get("local_preflight"));
     }
 
-    protected boolean validateAudience(String audience) {
-        if (audience == null) {
+    protected boolean validateAudiences(List<String> audiences) {
+        if (StringUtils.isEmpty(audiences) && audience == null) {
             return true;
         }
+        if (audience != null) {
+            return audiences.contains(audience);
+        } 
         
-        boolean isValid = super.validateAudience(audience);
-        if (isValid && audienceIsEndpointAddress) {
-            String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL);
-            isValid = requestPath.startsWith(audience);
+        boolean matched = false;
+        String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL);
+        for (String s : audiences) {
+            matched = completeAudienceMatch ? requestPath.equals(s) : requestPath.startsWith(s);
+            if (matched) {
+                break;
+            }
         }
-        return isValid;
-    }
-    
-    public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) {
-        this.audienceIsEndpointAddress = audienceIsEndpointAddress;
+        return matched;
+        
     }
     
     public void setCheckFormData(boolean checkFormData) {
@@ -299,5 +309,21 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     public void setTokenSubjectAuthenticationMethod(AuthenticationMethod method) {
         this.am = method;
     }
+
+    public String getAudience() {
+        return audience;
+    }
+
+    public void setAudience(String audience) {
+        this.audience = audience;
+    }
+
+    public boolean isCompleteAudienceMatch() {
+        return completeAudienceMatch;
+    }
+
+    public void setCompleteAudienceMatch(boolean completeAudienceMatch) {
+        this.completeAudienceMatch = completeAudienceMatch;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
index c3c34af..fe57233 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -100,7 +100,7 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
         return doCreateAccessToken(client, 
                                    subject, 
                                    OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)), 
-                                   params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+                                   getAudiences(client, params.getFirst(OAuthConstants.CLIENT_AUDIENCE)));
     }
     
     protected ServerAccessToken doCreateAccessToken(Client client,
@@ -113,10 +113,10 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
     protected ServerAccessToken doCreateAccessToken(Client client,
                                                     UserSubject subject,
                                                     List<String> requestedScopes,
-                                                    String audience) {
+                                                    List<String> audiences) {
         
         return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes, 
-                                   audience);
+                                   audiences);
     }
     
     protected ServerAccessToken doCreateAccessToken(Client client,
@@ -130,9 +130,9 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
                                                     UserSubject subject,
                                                     String requestedGrant,
                                                     List<String> requestedScopes,
-                                                    String audience) {
+                                                    List<String> audiences) {
         ServerAccessToken token = getPreAuthorizedToken(client, subject, requestedGrant,
-                                                        requestedScopes, audience);
+                                                        requestedScopes, audiences);
         if (token != null) {
             return token;
         }
@@ -143,9 +143,9 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
         reg.setGrantType(requestedGrant);
         reg.setSubject(subject);
         reg.setRequestedScope(requestedScopes);
-        List<String> approvedScopes = Collections.emptyList();
-        reg.setApprovedScope(approvedScopes);
-        reg.setAudience(audience);
+        List<String> scopes = Collections.emptyList();
+        reg.setApprovedScope(scopes);
+        reg.setAudiences(audiences);
         return dataProvider.createAccessToken(reg);
     }
     
@@ -153,12 +153,12 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
                                                       UserSubject subject,
                                                       String requestedGrant,
                                                       List<String> requestedScopes,
-                                                      String audience) {
+                                                      List<String> audiences) {
         if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(), 
                                        partialMatchScopeValidation)) {
             throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));     
         }
-        if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
+        if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) {
             throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
         }
         
@@ -182,4 +182,18 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
     public boolean isCanSupportPublicClients() {
         return canSupportPublicClients;
     }
+    protected List<String> getAudiences(Client client, String clientAudience) {
+        if (client.getRegisteredAudiences().isEmpty() && clientAudience == null) {
+            return Collections.emptyList();
+        }
+        if (clientAudience != null) {
+            List<String> audiences = Collections.singletonList(clientAudience);
+            if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) {
+                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+            }
+            return audiences;
+        } else {
+            return client.getRegisteredAudiences();
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index fb4bd5d..c9fe6d9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -81,16 +81,34 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
         if (!compareCodeVerifierWithChallenge(client, clientCodeVerifier, clientCodeChallenge)) {
             throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
         }
-        
-        return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier);
+        List<String> audiences = getAudiences(client, params, grant.getAudience());
+        return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier, audiences);
     }
     
+    protected List<String> getAudiences(Client client, MultivaluedMap<String, String> params, 
+                                        String grantAudience) {
+        String clientAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
+        if (client.getRegisteredAudiences().isEmpty() && clientAudience == null && grantAudience == null) {
+            return Collections.emptyList();
+        }
+        // if the audience was approved at the grant creation time and the audience is also 
+        // sent to the token endpoint then both values must match
+        if (grantAudience != null && clientAudience != null && !grantAudience.equals(clientAudience)) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
+        }
+        return getAudiences(client, clientAudience == null ? grantAudience : clientAudience);
+    }
+
     private ServerAccessToken doCreateAccessToken(Client client,
                                                   ServerAuthorizationCodeGrant grant,
                                                   String requestedGrant,
-                                                  String codeVerifier) {
-        ServerAccessToken token = getPreAuthorizedToken(client, grant.getSubject(), requestedGrant,
-                                                        grant.getRequestedScopes(), grant.getAudience());
+                                                  String codeVerifier,
+                                                  List<String> audiences) {
+        ServerAccessToken token = getPreAuthorizedToken(client, 
+                                                        grant.getSubject(), 
+                                                        requestedGrant,
+                                                        grant.getRequestedScopes(), 
+                                                        getAudiences(client, grant.getAudience()));
         if (token != null) {
             return token;
         }
@@ -108,7 +126,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
             List<String> approvedScopes = Collections.emptyList();
             reg.setApprovedScope(approvedScopes);
         }
-        reg.setAudience(grant.getAudience());
+        reg.setAudiences(audiences);
         reg.setClientCodeVerifier(codeVerifier);
         return getDataProvider().createAccessToken(reg);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
index 5b8bca9..026a835 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
@@ -78,15 +78,6 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
      * Returns the number of seconds this grant can be valid after it was issued
      * @return the seconds this grant will be valid for
      */
-    @Deprecated
-    public long getLifetime() {
-        return expiresIn;
-    }
-    
-    /**
-     * Returns the number of seconds this grant can be valid after it was issued
-     * @return the seconds this grant will be valid for
-     */
     public long getExpiresIn() {
         return expiresIn;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 88c34ac..73ec127 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -62,7 +62,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
     
     protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration accessToken) {
         ServerAccessToken at = createNewAccessToken(accessToken.getClient());
-        at.setAudience(accessToken.getAudience());
+        at.setAudiences(accessToken.getAudiences());
         at.setGrantType(accessToken.getGrantType());
         List<String> theScopes = accessToken.getApprovedScope();
         List<OAuthPermission> thePermissions = 
@@ -206,7 +206,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
     }
     protected RefreshToken doCreateNewRefreshToken(ServerAccessToken at) {
         RefreshToken rt = new RefreshToken(at.getClient(), refreshTokenLifetime);
-        rt.setAudience(at.getAudience());
+        rt.setAudiences(at.getAudiences());
         rt.setGrantType(at.getGrantType());
         rt.setScopes(at.getScopes());
         rt.setSubject(at.getSubject());
@@ -224,7 +224,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
                                                      RefreshToken oldRefreshToken, 
                                                      List<String> restrictedScopes) {
         ServerAccessToken at = createNewAccessToken(client);
-        at.setAudience(oldRefreshToken.getAudience());
+        at.setAudiences(oldRefreshToken.getAudiences());
         at.setGrantType(oldRefreshToken.getGrantType());
         at.setSubject(oldRefreshToken.getSubject());
         if (restrictedScopes.isEmpty()) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
index fb02230..d2a6766 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
@@ -26,6 +26,8 @@ import java.lang.reflect.Type;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 import java.util.LinkedHashMap;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Map;
 
 import javax.ws.rs.Consumes;
@@ -37,6 +39,7 @@ import javax.ws.rs.ext.MessageBodyReader;
 import javax.ws.rs.ext.MessageBodyWriter;
 import javax.ws.rs.ext.Provider;
 
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
@@ -91,9 +94,24 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
                 sb.append(",");
                 appendJsonPair(sb, OAuthConstants.SCOPE, obj.getScope());
             }
-            if (obj.getAud() != null) {
+            if (StringUtils.isEmpty(obj.getAud())) {
                 sb.append(",");
-                appendJsonPair(sb, "aud", obj.getAud());
+                if (obj.getAud().size() == 1) {
+                    appendJsonPair(sb, "aud", obj.getAud());
+                } else {
+                    sb.append("[");
+                    StringBuilder arr = new StringBuilder();
+                    List<String> auds = obj.getAud();
+                    for (int i = 0; i < auds.size(); i++) {
+                        if (i > 0) {
+                            arr.append(",");
+                        }
+                        arr.append("\"").append(auds.get(i)).append("\"");
+                    }
+                    sb.append("]");
+                    appendJsonPair(sb, "aud", arr.toString(), false);
+                    
+                }
             }
             sb.append(",");
             appendJsonPair(sb, "iat", obj.getIat(), false);
@@ -219,7 +237,18 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
             }
             String aud = params.get("aud");
             if (aud != null) {
-                resp.setAud(aud);
+                if (aud.startsWith("[") && aud.endsWith("]")) {
+                    String[] auds = aud.substring(1, aud.length() - 1).split(",");
+                    List<String> list = new LinkedList<String>();
+                    for (String s : auds) {
+                        if (!s.trim().isEmpty()) {
+                            list.add(s.trim());
+                        }
+                    }
+                    resp.setAud(list);
+                } else {
+                    resp.setAud(Collections.singletonList(aud));
+                }
             }
             String iat = params.get("iat");
             if (iat != null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
index 666e7e4..bfe459e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
@@ -20,7 +20,6 @@ package org.apache.cxf.rs.security.oauth2.services;
 
 import java.util.Collections;
 import java.util.HashSet;
-import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
 
@@ -50,7 +49,6 @@ public abstract class AbstractAccessTokenValidator {
     
     private MessageContext mc;
     private List<AccessTokenValidator> tokenHandlers = Collections.emptyList();
-    private List<String> audiences = new LinkedList<String>();
     private OAuthDataProvider dataProvider;
     
     public void setTokenValidator(AccessTokenValidator validator) {
@@ -136,11 +134,6 @@ public abstract class AbstractAccessTokenValidator {
             AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
         }
         
-        // Check audiences
-        if (!validateAudience(accessTokenV.getAudience())) {
-            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
-        }
-        
         return accessTokenV;
     }
 
@@ -149,19 +142,9 @@ public abstract class AbstractAccessTokenValidator {
         dataProvider.removeAccessToken(localAccessToken);
     }
 
-    protected boolean validateAudience(String audience) {
-        return OAuthUtils.validateAudience(audience, audiences);
-    }
-    
     public void setRealm(String realm) {
         this.realm = realm;
     }
 
-    public List<String> getAudiences() {
-        return audiences;
-    }
-
-    public void setAudiences(List<String> audiences) {
-        this.audiences = audiences;
-    }
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index 5ee52cc..6f8a01f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -20,6 +20,7 @@
 package org.apache.cxf.rs.security.oauth2.services;
 
 import java.net.URI;
+import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -77,7 +78,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
                 } else {
                     reg.setApprovedScope(approvedScope);
                 }
-                reg.setAudience(state.getAudience());
+                reg.setAudiences(Collections.singletonList(state.getAudience()));
                 reg.setNonce(state.getNonce());
                 token = getDataProvider().createAccessToken(reg);
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
index 8af601a..61bac1c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
@@ -19,8 +19,6 @@
 
 package org.apache.cxf.rs.security.oauth2.services;
 
-import java.net.MalformedURLException;
-import java.net.URL;
 import java.util.LinkedList;
 import java.util.List;
 
@@ -52,7 +50,6 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 public class AccessTokenService extends AbstractTokenService {
     private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
     private List<AccessTokenResponseFilter> responseHandlers = new LinkedList<AccessTokenResponseFilter>();
-    private List<String> audiences = new LinkedList<String>();
     
     /**
      * Sets the list of optional grant handlers
@@ -97,7 +94,7 @@ public class AccessTokenService extends AbstractTokenService {
         }
         
         try {
-            checkAudience(params);
+            checkAudience(client, params);
         } catch (OAuthServiceException ex) {
             return super.createErrorResponseFromBean(ex.getError());
         } 
@@ -139,23 +136,9 @@ public class AccessTokenService extends AbstractTokenService {
             filter.process(clientToken, serverToken); 
         }
     }
-    protected void checkAudience(MultivaluedMap<String, String> params) { 
-        if (audiences.isEmpty()) {
-            return;
-        }
-        
+    protected void checkAudience(Client c, MultivaluedMap<String, String> params) { 
         String audienceParam = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
-        if (audienceParam == null) {
-            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
-        }
-        // must be URL
-        try {
-            new URL(audienceParam);
-        } catch (MalformedURLException ex) {
-            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
-        }
-        
-        if (!audiences.contains(audienceParam)) {
+        if (!OAuthUtils.validateAudience(audienceParam, c.getRegisteredAudiences())) {
             throw new OAuthServiceException(new OAuthError(OAuthConstants.ACCESS_DENIED));
         }
         
@@ -185,12 +168,4 @@ public class AccessTokenService extends AbstractTokenService {
         
         return null;
     }
-
-    public List<String> getAudiences() {
-        return audiences;
-    }
-
-    public void setAudiences(List<String> audiences) {
-        this.audiences = audiences;
-    }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 4d24346..5b050df 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -160,8 +160,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
         }
         // Validate the audience
-        if (!OAuthUtils.validateAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE), 
-                                         client.getRegisteredAudiences())) {
+        String clientAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
+        // Right now if the audience parameter is set it is expected to be contained
+        // in the list of Client audiences set at the Client registration time.
+        if (!OAuthUtils.validateAudience(clientAudience, client.getRegisteredAudiences())) {
             throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
         }
     
@@ -256,6 +258,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
             state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
             state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+            // or if no audience parameter is available, set the list of client
+            // audiences for the users to see ?
             state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
             state.setState(params.getFirst(OAuthConstants.STATE));
             state.setNonce(params.getFirst(OAuthConstants.NONCE));

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
index 11485fe..645e3a4 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -31,6 +31,7 @@ import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.SecurityContext;
 
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -64,8 +65,8 @@ public class TokenIntrospectionService {
         if (at.getSubject() != null) {
             response.setUsername(at.getSubject().getLogin());
         }
-        if (at.getAudience() != null) {
-            response.setAud(at.getAudience());
+        if (!StringUtils.isEmpty(at.getAudiences())) {
+            response.setAud(at.getAudiences());
         }
         response.setIat(at.getIssuedAt());
         response.setExp(at.getIssuedAt() + at.getExpiresIn());

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 066cec0..1857bf3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -191,8 +191,16 @@ public final class OAuthUtils {
             && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
     }
     
-    public static boolean validateAudience(String audience, List<String> audiences) {
-        return audience == null || !audiences.isEmpty() && audiences.contains(audience);
+    public static boolean validateAudience(String providedAudience, 
+                                           List<String> allowedAudiences) {
+        return providedAudience == null 
+            || validateAudiences(Collections.singletonList(providedAudience), allowedAudiences);
+    }
+    public static boolean validateAudiences(List<String> providedAudiences, 
+                                            List<String> allowedAudiences) {
+        return StringUtils.isEmpty(providedAudiences) 
+               && StringUtils.isEmpty(allowedAudiences)
+               || allowedAudiences.contains(providedAudiences);
     }
     
     public static boolean checkRequestURI(String servletPath, String uri) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
index 2b3a798..c23f421 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
@@ -236,7 +236,7 @@ public final class ModelEncryptionSupport {
         
         newToken.setRefreshToken(getStringPart(parts[5]));
         newToken.setGrantType(getStringPart(parts[6]));
-        newToken.setAudience(getStringPart(parts[7]));
+        newToken.setAudiences(parseSimpleList(parts[7]));
         newToken.setParameters(parseSimpleMap(parts[8]));
         
         // Permissions
@@ -289,7 +289,7 @@ public final class ModelEncryptionSupport {
         state.append(tokenizeString(token.getGrantType()));
         // 7: audience
         state.append(SEP);
-        state.append(tokenizeString(token.getAudience()));
+        state.append(token.getAudiences().toString());
         // 8: other parameters
         state.append(SEP);
         // {key=value, key=value}

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
index fd00e06..9df30fa 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
@@ -228,7 +228,7 @@ public class CryptoUtilsTest extends Assert {
         assertEquals(endUser1.getRoles(), endUser2.getRoles());
         
         assertEquals(token.getRefreshToken(), token2.getRefreshToken());
-        assertEquals(token.getAudience(), token2.getAudience());
+        assertEquals(token.getAudiences(), token2.getAudiences());
         assertEquals(token.getGrantType(), token2.getGrantType());
         assertEquals(token.getParameters(), token2.getParameters());
         
@@ -251,7 +251,7 @@ public class CryptoUtilsTest extends Assert {
         Client regClient = p.getClient("1");
         atr.setClient(regClient);
         atr.setGrantType("code");
-        atr.setAudience("http://localhost");
+        atr.setAudiences(Collections.singletonList("http://localhost"));
         UserSubject endUser = new UserSubject("Barry", "BarryId");
         atr.setSubject(endUser);
         endUser.setRoles(Collections.singletonList("role1"));

http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
index e2e7b3e..4363325 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
@@ -124,7 +124,7 @@ public class EncryptingDataProvider implements OAuthDataProvider {
         createRefreshToken(token);
         
         token.setGrantType(accessTokenReg.getGrantType());
-        token.setAudience(accessTokenReg.getAudience());
+        token.setAudiences(accessTokenReg.getAudiences());
         token.setParameters(Collections.singletonMap("param", "value"));
         token.setScopes(Collections.singletonList(
             new OAuthPermission("read", "read permission")));


Mime
View raw message