cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r989194 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html docs/jax-rs-oidc.html docs/jaxrs-oauth2-assertions.html
Date Thu, 26 May 2016 15:47:38 GMT
Author: buildbot
Date: Thu May 26 15:47:38 2016
New Revision: 989194

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/docs/jax-rs-oidc.html
Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html
    websites/production/cxf/content/docs/jaxrs-oauth2-assertions.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu May 26 15:47:38 2016
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1464270417246 {padding: 0px;}
-div.rbtoc1464270417246 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1464270417246 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464277618197 {padding: 0px;}
+div.rbtoc1464277618197 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464277618197 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1464270417246">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464277618197">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization View</a></li><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
@@ -362,7 +362,7 @@ return token;
 // decrypt a token given a token key
 
 ModelEncryptionSupport.decryptAccessToken(this, encryptedToken, key);</pre>
-</div></div><pre>&#160;</pre><h4 id="JAX-RSOAuth2-JWTTokens">JWT Tokens</h4><p>JWT Token can be JWE-encrypted and the encrypted string passed to ServerAccessToken as access token id parameter.</p><p>See <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">JAX-RS JOSE</a> wiki page for more information on how to sign and encrypt JSON Web Tokens.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java" rel="nofollow">JwtAccessTokenUtils </a>provides utility method for encrypting and decrypting an access token represented as JWT.</p><p>Note more support for JWT access tokens is on the way.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If needed, users can use their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.co
 mmon.ServerAccessToken.</p><h4 id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00" rel="nofollow">audience</a> parameter is supported during the client token requests.</p><h3 id="JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</h3><p>org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider is a JAX-RS MessageBodyWriter which supports returning ClientAccessToken and OAuthError representations to the client in a JSON format required by OAuth2 spec. It is also a JAX-RS MessageBodyReader that is used by client OAuthClientUtils (see below) to read the responses from AccessTokenService.</p><p>Register it as a provider with a JAXRS AccessTokenService endpoint.</p><p>Alternatively, if you prefer, a custom MessageBodyWriter implementation can be registered instead.</p><h2 id="JAX-RSOAuth2-AccessTokenValidationService">Access Token
  Validation Service</h2><h3 id="JAX-RSOAuth2-AccessTokenValidatorService">AccessTokenValidatorService</h3><p>The <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java" rel="nofollow">AccessTokenValidatorService</a> is a CXF specific OAuth2 service for accepting the remote access token validation requests. OAuthRequestFilter needs to be injected with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java" rel="nofollow">AccessTokenValidatorClient</a> which will ask AccessTokenValidatorService to return the information relevant to the current access token, before setting up a security context.</p><h3 id="JAX-RSOAuth2-TokenIntrospectionService">TokenIntrospectionService</h3><p>The
  <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java" rel="nofollow">TokenIntrospectionService</a> is a standard OAuth2 service for accepting the remote access token introspection requests. See <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7662" rel="nofollow">RFC 7662</a>. OAuthRequestFilter needs to be injected with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java" rel="nofollow">AccessTokenIntrospectionClient.</a></p><h2 id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cx
 f/rs/security/oauth2/services/TokenRevocationService.java" rel="nofollow">TokenRevocationService</a> is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh tokens they own themselves, please see <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09" rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p><p>TokenRevocationService and AccessTokenService share the same code which enforces that the clients have been correctly authenticated.</p><p>Note, OAuthDataProvider implementations processing a revocation request should simply ignore the invalid tokens as recommended by the specification which will let TokenRevocationService return HTTP 200 which is done to minimize a possible attack surface (specifically for bad clients not to see if their requests failed or succeeded) and throw the exceptions only if the token revocation feature is not currently supported.</p><h2 id="JAX-RSOAuth2-
 SupportedGrants">Supported Grants</h2><p>The following subsections briefly describe how the well-known grant types can be supported on the server side. Please also check the "Client Side Support" section on how to use the related <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java" rel="nofollow">AccessTokenGrant</a> implementations to request the access tokens.</p><h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As described above, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java" rel="nofollow">AuthorizationCodeGrantService</a> service and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/s
 rc/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java" rel="nofollow">AuthorizationCodeDataProvider</a> data provider can support a redirection-based Authorization Code flow.</p><p>The code that the client receives in the end of the redirection process will need to be exchanged for a new access token with AccessTokenService. CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same way Authorization Code grant is except that no code is created, a token is issued immediately and returned to the client running within a web browser.</p><p><a shape="rect" class="external-link" href="https://gith
 ub.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java" rel="nofollow">ImplicitGrantService</a> service asks <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> data provider to issue a new token after a user has approved it.</p><p>Note the only difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also note that when an Implicit grant client (running within a browser) replaces the code grant for a new access token and tries to access the end user's resource, Cross Origin Resource Sharing (CORS) support will most likely need to be enabled on the end user's resource server.<br clear="none"> The simplest approach is to register a CXF <a shape="rect" href="http://cxf.apac
 he.org/docs/jax-rs-cors.html">CORS filter</a>, right before OAuth2 filter (see on it below).</p><p>Starting from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client id to the browser-hosted client. This is recommended so that the client can verify that the token is meant to be delivered to this client.</p><h3 id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java" rel="nofollow">ClientCredentialsGrantHandler</a> handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.jav
 a" rel="nofollow">ClientCredentialsGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</h3><p>Register <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java" rel="nofollow">ResourceOwnerGrantHandler</a> handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java">ResourceOwnerGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a refresh token grant if the current access token it ow
 ns has expired or been revoked and the refresh token was issued alongside with the access token which is now invalid and get the new, 'refreshed' access token. This can allow the client to avoid seeking a new authorization approval from the end user.</p><p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java">RefreshTokenGrantHandler</a> handler with AccessTokenService for this grant be supported. Note this grant handler is only useful for refreshing the existing access token, so one or more of the other grant handlers (Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2
 /grants/owner/ResourceOwnerGrant.java" rel="nofollow">RefreshTokenGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT Assertions</h3><p>SAML2 Bearer and JWT assertions can be used as token grants.</p><p>Please see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for more information.</p><p>&#160;</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If you need to customize the way the well-known grant requests are handled then consider extending one of the grant handlers listed in the previous sub-sections.</p><p>Alternatively create a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java" rel="nofollow">AccessTokenGrantHandler</a> and register it with AccessTokenService. Additionally, consider providing a r
 elated&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java" rel="nofollow">AccessTokenGrant</a> implementation for making it easy for the client code to request a new access token with this custom grant.</p><h2 id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationRequestFilter.java" rel="nofollow">AuthorizationRequestFilter</a> implementations can be registered with AuthorizationCodeGrantService or ImplicitGrantService in order to pre-process code requests. For example, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/securit
 y/oauth2/grants/code/JwtRequestCodeFilter.java" rel="nofollow">JwtRequestCodeFilter</a> can be used to process JWS-signed or JWE-encrypted code requests.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java" rel="nofollow">AuthorizationCodeResponseFilter</a> implementations can be registered with AuthorizationCodeService in order to post-process code responses.</p><h2 id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse Filters</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java" rel="nofollow">AccessTokenResponseFilter</a> implementations can be registered with AccessTokenService in order to post-process access token responses. For example,&#16
 0; OIDC IdToken can be added to a response with a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a>.</p><h2 id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</h2><p>When working with the flows which require the end users/resource owners explicitly authorizing clients (for example, as in the case of redirection-based flows), using pre-authorized access tokens is one option to minimize the need for the end-user intervention. <br clear="none"> OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists and if yes then it will be returned immediately, without starting the authorization process involving the end user (as required by some flows).</p><p>Consider providing a user interface which will let the end users/resource owners to pre-authorize 
 specific clients early. Note, a CXF service for supporting the users pre-authorizing the clients or revoking the tokens for some of the clients may be introduced in the future.</p><p>Also note that using a refresh token grant may further help with minimizing the end user involvement, in cases when the current access token has expired.</p><h2 id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can register custom scopes they will be expected to use and then avoid specifying the scopes when requesting the code grants or access tokens.<br clear="none"> Alternatively it makes it easier to support so called wild-card scopes. For example, a client pre-registers a scope "update" and actually uses an "update-7" scope: Redirection-based services and access token grants can be configured to do a partial scope match, in this case, validate that "update-7" starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</h2><p>Using CXF OA
 uth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom OAuthDataProvider implementation.</p><p>The main task of OAuthDataProvider is to persist and generate access tokens. Additionally, as noted above, AuthorizationCodeDataProvider needs to persist and remove the code grant registrations. The way it's done is really application-specific. Consider starting with a basic memory based implementation and then move on to keeping the data in some DB.</p><p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java" rel="nofollow">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes are used in the f
 irst place).&#160;</p><h3 id="JAX-RSOAuth2-DefaultProviders">Default Providers</h3><p>CXF 3.1.7 ships JPA2 (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java" rel="nofollow">JPAOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java" rel="nofollow">JPACodeDataProvider</a>), Ehcache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java" rel="nofollow">DefaultEHCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-paren
 t/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java" rel="nofollow">DefaultEHCacheCodeDataProvider</a>) and JCache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java" rel="nofollow">JCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java" rel="nofollow">JCacheCodeDataProvider</a>) provider implementations which take care of all the persistence tasks: saving or removing registered clients, tokens and code grants. These providers can be easily customized.</p><p>Custom implementations can also extend&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/s
 ecurity/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java" rel="nofollow">AbstractOAuthDataProvider</a> or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java" rel="nofollow">AbstractCodeDataProvider</a>&#160; and only implement their abstract persistence related methods or further customize some of their code.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations and a custom OAuthDataProvider provider in place, it is time to deploy the OAuth2 server. <br clear="none"> Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><pre>&#160;</pre><h4 id="JAX-RSOAuth2-JWTTokens">JWT Tokens</h4><p>JWT Token can be JWE-encrypted and the encrypted string passed to ServerAccessToken as access token id parameter.</p><p>See <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">JAX-RS JOSE</a> wiki page for more information on how to sign and encrypt JSON Web Tokens.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java" rel="nofollow">JwtAccessTokenUtils </a>provides utility method for encrypting and decrypting an access token represented as JWT.</p><p>Note more support for JWT access tokens is on the way.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If needed, users can use their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.co
 mmon.ServerAccessToken.</p><h4 id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00" rel="nofollow">audience</a> parameter is supported during the client token requests.</p><h3 id="JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</h3><p>org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider is a JAX-RS MessageBodyWriter which supports returning ClientAccessToken and OAuthError representations to the client in a JSON format required by OAuth2 spec. It is also a JAX-RS MessageBodyReader that is used by client OAuthClientUtils (see below) to read the responses from AccessTokenService.</p><p>Register it as a provider with a JAXRS AccessTokenService endpoint.</p><p>Alternatively, if you prefer, a custom MessageBodyWriter implementation can be registered instead.</p><h2 id="JAX-RSOAuth2-AccessTokenValidationService">Access Token
  Validation Service</h2><h3 id="JAX-RSOAuth2-AccessTokenValidatorService">AccessTokenValidatorService</h3><p>The <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java" rel="nofollow">AccessTokenValidatorService</a> is a CXF specific OAuth2 service for accepting the remote access token validation requests. OAuthRequestFilter needs to be injected with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java" rel="nofollow">AccessTokenValidatorClient</a> which will ask AccessTokenValidatorService to return the information relevant to the current access token, before setting up a security context.</p><h3 id="JAX-RSOAuth2-TokenIntrospectionService">TokenIntrospectionService</h3><p>The
  <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java" rel="nofollow">TokenIntrospectionService</a> is a standard OAuth2 service for accepting the remote access token introspection requests. See <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7662" rel="nofollow">RFC 7662</a>. OAuthRequestFilter needs to be injected with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java" rel="nofollow">AccessTokenIntrospectionClient.</a></p><h2 id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cx
 f/rs/security/oauth2/services/TokenRevocationService.java" rel="nofollow">TokenRevocationService</a> is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh tokens they own themselves, please see <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09" rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p><p>TokenRevocationService and AccessTokenService share the same code which enforces that the clients have been correctly authenticated.</p><p>Note, OAuthDataProvider implementations processing a revocation request should simply ignore the invalid tokens as recommended by the specification which will let TokenRevocationService return HTTP 200 which is done to minimize a possible attack surface (specifically for bad clients not to see if their requests failed or succeeded) and throw the exceptions only if the token revocation feature is not currently supported.</p><h2 id="JAX-RSOAuth2-
 SupportedGrants">Supported Grants</h2><p>The following subsections briefly describe how the well-known grant types can be supported on the server side. Please also check the "Client Side Support" section on how to use the related <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java" rel="nofollow">AccessTokenGrant</a> implementations to request the access tokens.</p><h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As described above, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java" rel="nofollow">AuthorizationCodeGrantService</a> service and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/s
 rc/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java" rel="nofollow">AuthorizationCodeDataProvider</a> data provider can support a redirection-based Authorization Code flow.</p><p>The code that the client receives in the end of the redirection process will need to be exchanged for a new access token with AccessTokenService. CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same way Authorization Code grant is except that no code is created, a token is issued immediately and returned to the client running within a web browser.</p><p><a shape="rect" class="external-link" href="https://gith
 ub.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java" rel="nofollow">ImplicitGrantService</a> service asks <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> data provider to issue a new token after a user has approved it.</p><p>Note the only difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also note that when an Implicit grant client (running within a browser) replaces the code grant for a new access token and tries to access the end user's resource, Cross Origin Resource Sharing (CORS) support will most likely need to be enabled on the end user's resource server.<br clear="none"> The simplest approach is to register a CXF <a shape="rect" href="http://cxf.apac
 he.org/docs/jax-rs-cors.html">CORS filter</a>, right before OAuth2 filter (see on it below).</p><p>Starting from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client id to the browser-hosted client. This is recommended so that the client can verify that the token is meant to be delivered to this client.</p><h3 id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java" rel="nofollow">ClientCredentialsGrantHandler</a> handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.jav
 a" rel="nofollow">ClientCredentialsGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</h3><p>Register <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java" rel="nofollow">ResourceOwnerGrantHandler</a> handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java">ResourceOwnerGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a refresh token grant if the current access token it ow
 ns has expired or been revoked and the refresh token was issued alongside with the access token which is now invalid and get the new, 'refreshed' access token. This can allow the client to avoid seeking a new authorization approval from the end user.</p><p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java">RefreshTokenGrantHandler</a> handler with AccessTokenService for this grant be supported. Note this grant handler is only useful for refreshing the existing access token, so one or more of the other grant handlers (Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2
 /grants/owner/ResourceOwnerGrant.java" rel="nofollow">RefreshTokenGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT Assertions</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7522" rel="nofollow">SAML2 assertions</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7523" rel="nofollow">JWT assertions</a> can be used as token grants.</p><p>JWT assertion grants are supported in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt" rel="nofollow">this package</a>. <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerClientCredentialsGrant.java" rel="nofollow">JwtBearerClientCredentialsGran
 t</a> is AccessTokenGrantHandler one can register with AccessTokenService. <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java" rel="nofollow">JwtBearerGrantHandler</a> is a client side helper once can use with OAuthClientUtils. <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java" rel="nofollow">JwtBearerAuthHandler</a> can be used as a generic client authentication filter (where the client authenticated with JWT token as opposed to with a username:password pair, etc).</p><p>Please also see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for more information.</p><p>&#160;</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If you nee
 d to customize the way the well-known grant requests are handled then consider extending one of the grant handlers listed in the previous sub-sections.</p><p>Alternatively create a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java" rel="nofollow">AccessTokenGrantHandler</a> and register it with AccessTokenService. Additionally, consider providing a related&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java" rel="nofollow">AccessTokenGrant</a> implementation for making it easy for the client code to request a new access token with this custom grant.</p><h2 id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</h2><p><a shape="rect" class="external-link" href="ht
 tps://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationRequestFilter.java" rel="nofollow">AuthorizationRequestFilter</a> implementations can be registered with AuthorizationCodeGrantService or ImplicitGrantService in order to pre-process code requests. For example, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java" rel="nofollow">JwtRequestCodeFilter</a> can be used to process JWS-signed or JWE-encrypted code requests.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java" rel="nofollow">AuthorizationCodeResponseFilter</a> implementations can be registered with AuthorizationCo
 deService in order to post-process code responses.</p><h2 id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse Filters</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java" rel="nofollow">AccessTokenResponseFilter</a> implementations can be registered with AccessTokenService in order to post-process access token responses. For example,&#160; OIDC IdToken can be added to a response with a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a>.</p><h2 id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</h2><p>When working with the flows which require the end users/resource owners explicitly authorizing clients (for example
 , as in the case of redirection-based flows), using pre-authorized access tokens is one option to minimize the need for the end-user intervention. <br clear="none"> OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists and if yes then it will be returned immediately, without starting the authorization process involving the end user (as required by some flows).</p><p>Consider providing a user interface which will let the end users/resource owners to pre-authorize specific clients early. Note, a CXF service for supporting the users pre-authorizing the clients or revoking the tokens for some of the clients may be introduced in the future.</p><p>Also note that using a refresh token grant may further help with minimizing the end user involvement, in cases when the current access token has expired.</p><h2 id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can register custom scopes they will be expected to use and t
 hen avoid specifying the scopes when requesting the code grants or access tokens.<br clear="none"> Alternatively it makes it easier to support so called wild-card scopes. For example, a client pre-registers a scope "update" and actually uses an "update-7" scope: Redirection-based services and access token grants can be configured to do a partial scope match, in this case, validate that "update-7" starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom OAuthDataProvider implementation.</p><p>The main task of OAuthDataProvider is to persist and generate access tokens. Additionally, as noted above, AuthorizationCodeDataProvider needs to persist and remove the code grant registrations. The way it's done is really application-specific. Consider starting with a basic memory based imp
 lementation and then move on to keeping the data in some DB.</p><p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java" rel="nofollow">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes are used in the first place).&#160;</p><h3 id="JAX-RSOAuth2-DefaultProviders">Default Providers</h3><p>CXF 3.1.7 ships JPA2 (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java" rel="nofollow">JPAOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src
 /main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java" rel="nofollow">JPACodeDataProvider</a>), Ehcache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java" rel="nofollow">DefaultEHCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java" rel="nofollow">DefaultEHCacheCodeDataProvider</a>) and JCache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java" rel="nofollow">JCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://githu
 b.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java" rel="nofollow">JCacheCodeDataProvider</a>) provider implementations which take care of all the persistence tasks: saving or removing registered clients, tokens and code grants. These providers can be easily customized.</p><p>Custom implementations can also extend&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java" rel="nofollow">AbstractOAuthDataProvider</a> or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java" rel="nofollow">AbstractCodeDataProvider</a>&#160; and only implement their abstract persistence related 
 methods or further customize some of their code.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations and a custom OAuthDataProvider provider in place, it is time to deploy the OAuth2 server. <br clear="none"> Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;!-- implements OAuthDataProvider --&gt;
 &lt;bean id="oauthProvider" class="oauth.manager.OAuthManager"/&gt;
      
@@ -782,7 +782,7 @@ public class CustomClientTokenContextPro
     &lt;property name="writeCustomErrors" value="true"/&gt;
 &lt;/bean&gt;
 </pre>
-</div></div><h1 id="JAX-RSOAuth2-OAuth2andJOSE">OAuth2 and JOSE</h1><p>See <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">JAX-RS JOSE</a> wiki page for the information about JOSE and how it is supported in CXF.</p><p>CXF OAuth2 depends on its JOSE implementation which is referred to the sections above. Particularly:</p><ul style="list-style-type: square;"><li><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java" rel="nofollow">JoseSessionTokenProvider</a> can be used as a custom SessionAuthenticityTokenProvider with AuthorizationCodeGrantService or ImplicitService</li><li><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java" rel="nofollow">JoseClientCodeState
 Manager</a> can be used with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java" rel="nofollow">ClientCodeRequestFilter</a> in confidential client web applications.</li><li>JWT assertion client and server grant handlers are shipped in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt" rel="nofollow">this package</a>.</li><li><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java" rel="nofollow">JwtRequestCodeFilter</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java
 /org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeGrant.java" rel="nofollow">JwetRequestCodeGrant </a>are provided to support securing authorization code and implicit flow request properties.</li><li><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt" rel="nofollow">Initial utility code</a> for representing JWT as access tokens is provided and to be extended further.</li><li>A number of utiliy classes for working with JWT are available: <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtConsumer.java" rel="nofollow">OAuthJoseJwtConsumer</a>,&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oa
 uth2/provider/OAuthJoseJwtProducer.java" rel="nofollow">OAuthJoseJwtProducer</a> and&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java" rel="nofollow">OAuthServerJoseJwtProducer</a>. &#160; &#160;</li></ul><h1 id="JAX-RSOAuth2-OAuth2andOIDC">OAuth2 and OIDC</h1><p>&#160;</p><p>CXF shipis OIDC RP and IDP service code which depends on its OAuth2 and JOSE implementations. See this page for more information.</p><h1 id="JAX-RSOAuth2-Designconsiderations">Design considerations</h1><p>This section will talk about various design considerations one need to take into account when deploying OAuth-based solutions.</p><h2 id="JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access to Resource Server</h2><p>One of the most important issues one need to resolve is how to partition a URI space of the resource server app
 lication.</p><p>We have two different parties trying to access it, the end users which access the resource server to get to the resources which they own and 3rd party clients which have been authorized by the end users to access some of their resources.</p><p>In the former case the way the authentication is managed is completely up to the resource server application: basic authentication, two-way TLS, OpenId (more on it below), you name it.</p><p>In the latter case an OAuth filter must enforce that the 3rd party client has been registered using the provided client key and that it has a valid access token which represents the end user's approval.</p><p>Letting both parties access the resource server via the same URI(s) complicates the life for the security filters but all the parties are only aware of the single resource server URI which all of them will use.</p><p>Providing different access points to end users and clients may significantly simplify the authentication process - the p
 ossible downside is that multiple access points need to be maintained by the resource server.</p><p>Both options are discussed next.</p><h3 id="JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</h3><p>The first problem which needs to be addressed is how to distinguish end users from third-party clients and get both parties authenticated as required.<br clear="none"> Perhaps the simplest option is to extend a CXF OAuth2 filter (JAX-RS or servlet one), check Authorization header, if it is OAuth2 then delegate to the superclass, alternatively - proceed with authenticating the end users:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><h1 id="JAX-RSOAuth2-OAuth2andJOSE">OAuth2 and JOSE</h1><p>See <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">JAX-RS JOSE</a> wiki page for the information about JOSE and how it is supported in CXF.</p><p>CXF OAuth2 depends on its JOSE implementation which is referred to the sections above. Particularly:</p><ul style="list-style-type: square;"><li><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java" rel="nofollow">JoseSessionTokenProvider</a> can be used as a custom SessionAuthenticityTokenProvider with AuthorizationCodeGrantService or ImplicitService</li><li><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java" rel="nofollow">JoseClientCodeState
 Manager</a> can be used with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java" rel="nofollow">ClientCodeRequestFilter</a> in confidential client web applications.</li><li>JWT assertion client and server grant handlers are shipped in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt" rel="nofollow">this package</a>.</li><li><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java" rel="nofollow">JwtRequestCodeFilter</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java
 /org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeGrant.java" rel="nofollow">JwetRequestCodeGrant </a>are provided to support securing authorization code and implicit flow request properties.</li><li><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt" rel="nofollow">Initial utility code</a> for representing JWT as access tokens is provided and to be extended further.</li><li>A number of utiliy classes for working with JWT are available: <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtConsumer.java" rel="nofollow">OAuthJoseJwtConsumer</a>,&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oa
 uth2/provider/OAuthJoseJwtProducer.java" rel="nofollow">OAuthJoseJwtProducer</a> and&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java" rel="nofollow">OAuthServerJoseJwtProducer</a>.&#160; These classes extend JOSE producer and consumer helpers and support the use of OAuth2 Client secrets and public certificates in JWS or JWE operations.&#160;</li></ul><h1 id="JAX-RSOAuth2-OAuth2andOIDC">OAuth2 and OIDC</h1><p>CXF shipis OIDC RP and IDP service code which depends on its OAuth2 and JOSE implementations. See <a shape="rect" href="jax-rs-oidc.html">this page</a> for more information.</p><h1 id="JAX-RSOAuth2-Designconsiderations">Design considerations</h1><p>This section will talk about various design considerations one need to take into account when deploying OAuth-based solutions.</p><h2 id="JAX-RSOAuth2-ControllingtheAcce
 sstoResourceServer">Controlling the Access to Resource Server</h2><p>One of the most important issues one need to resolve is how to partition a URI space of the resource server application.</p><p>We have two different parties trying to access it, the end users which access the resource server to get to the resources which they own and 3rd party clients which have been authorized by the end users to access some of their resources.</p><p>In the former case the way the authentication is managed is completely up to the resource server application: basic authentication, two-way TLS, OpenId (more on it below), you name it.</p><p>In the latter case an OAuth filter must enforce that the 3rd party client has been registered using the provided client key and that it has a valid access token which represents the end user's approval.</p><p>Letting both parties access the resource server via the same URI(s) complicates the life for the security filters but all the parties are only aware of the s
 ingle resource server URI which all of them will use.</p><p>Providing different access points to end users and clients may significantly simplify the authentication process - the possible downside is that multiple access points need to be maintained by the resource server.</p><p>Both options are discussed next.</p><h3 id="JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</h3><p>The first problem which needs to be addressed is how to distinguish end users from third-party clients and get both parties authenticated as required.<br clear="none"> Perhaps the simplest option is to extend a CXF OAuth2 filter (JAX-RS or servlet one), check Authorization header, if it is OAuth2 then delegate to the superclass, alternatively - proceed with authenticating the end users:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public class SecurityFilter extends org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter {
    @Context
    private HttpHeaders headers;
@@ -821,7 +821,7 @@ public class CalendarResource {
    }
 }
 </pre>
-</div></div><p>Let's assume that the 3rd party client has been allowed to read the public user Calendars at "/calendar/{id}" only, how to make sure that the client won't try to:<br clear="none"> 1. update the calendar available at the same path <br clear="none"> 2. read the private Calendars available at "/calendar/{id}/private"</p><p>As noted above, OAuthPermission has an optional URIs property. Thus one way to solve the problem with the private calendar is to add, say, a uri "/calendar/{id}" or "/calendar/1" (etc) property to OAuthPermission (representing a scope like "readCalendar") and the OAuth filter will make sure no subresources beyond "/calendar/{id}" can be accessed. Note, adding a "*" at the end of a given URI property, for example, "/a*" will let the client access "/a", "/a/b", etc.</p><p>Solving the problem with preventing the update can be easily solved by adding an httpVerb property to a given OAuthPermission.</p><p>One more option is to rely on the role-based access 
 control and have @RolesAllowed allocated such that only users in roles like "client" or "enduser" can invoke the getCalendar() method and let only those in the "enduser" role access getPrivateCalendar() and updateCalendar(). OAuthPermission can help here too as described in the section on using OAuth fiters.</p><h3 id="JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</h3><p>Rather than letting both the end users and 3rd party clients use the same URI such as "http://myapp.com/service/calendars/{id}", one may want to introduce two URIs, one for end users and one for third-party clients, for example, "http://myapp.com/service/calendars/{id}" - for endusers, "http://myapp.com/partners/calendars/{id}" - for the 3rd party clients and deploy 2 jaxrs endpoints, where one is protected by the security filter checking the end users, and the one - by OAuth filters.</p><p>Additionally the endpoint managing the 3rd party 
 clients will deploy a resource which will offer a resticted URI space support. For example, if the application will only allow 3rd party clients to read calendars then this resource will only have a method supporting @GET and "/calendar/{id}".</p><h2 id="JAX-RSOAuth2-SingleSignOn">Single Sign On</h2><p>When dealing with authenticating the end users, having an SSO solution in place is very handy. This is because the end user interacts with both the third-party and its resource server web applications and is also redirected from the client application to the resource server and back again. Additionally, the end user may need to authenticate with Authorization service if it is not collocated with the application endpoints. OpenID or say a WebBrowser SSO profile can help.</p><p>CXF 2.6.1 provides an initial support for a <a shape="rect" href="http://cxf.apache.org/docs/saml-web-sso.html">SAML2 SSO SP profile</a>. This will make it easier to minimize a number of sign ins to a single atte
 mpt and run OAuth2 Authorization servers separately from the application endpoints.</p><p>CXF 3.1.7 offers OpenId Connect RP support.</p></div>
+</div></div><p>Let's assume that the 3rd party client has been allowed to read the public user Calendars at "/calendar/{id}" only, how to make sure that the client won't try to:<br clear="none"> 1. update the calendar available at the same path <br clear="none"> 2. read the private Calendars available at "/calendar/{id}/private"</p><p>As noted above, OAuthPermission has an optional URIs property. Thus one way to solve the problem with the private calendar is to add, say, a uri "/calendar/{id}" or "/calendar/1" (etc) property to OAuthPermission (representing a scope like "readCalendar") and the OAuth filter will make sure no subresources beyond "/calendar/{id}" can be accessed. Note, adding a "*" at the end of a given URI property, for example, "/a*" will let the client access "/a", "/a/b", etc.</p><p>Solving the problem with preventing the update can be easily solved by adding an httpVerb property to a given OAuthPermission.</p><p>One more option is to rely on the role-based access 
 control and have @RolesAllowed allocated such that only users in roles like "client" or "enduser" can invoke the getCalendar() method and let only those in the "enduser" role access getPrivateCalendar() and updateCalendar(). OAuthPermission can help here too as described in the section on using OAuth fiters.</p><h3 id="JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</h3><p>Rather than letting both the end users and 3rd party clients use the same URI such as "http://myapp.com/service/calendars/{id}", one may want to introduce two URIs, one for end users and one for third-party clients, for example, "http://myapp.com/service/calendars/{id}" - for endusers, "http://myapp.com/partners/calendars/{id}" - for the 3rd party clients and deploy 2 jaxrs endpoints, where one is protected by the security filter checking the end users, and the one - by OAuth filters.</p><p>Additionally the endpoint managing the 3rd party 
 clients will deploy a resource which will offer a resticted URI space support. For example, if the application will only allow 3rd party clients to read calendars then this resource will only have a method supporting @GET and "/calendar/{id}".</p><h2 id="JAX-RSOAuth2-SingleSignOn">Single Sign On</h2><p>When dealing with authenticating the end users, having an SSO solution in place is very handy. This is because the end user interacts with both the third-party and its resource server web applications and is also redirected from the client application to the resource server and back again. Additionally, the end user may need to authenticate with Authorization service if it is not collocated with the application endpoints. OpenID or say a WebBrowser SSO profile can help.</p><p>CXF 2.6.1 provides an initial support for a <a shape="rect" href="http://cxf.apache.org/docs/saml-web-sso.html">SAML2 SSO SP profile</a>. This will make it easier to minimize a number of sign ins to a single atte
 mpt and run OAuth2 Authorization servers separately from the application endpoints.</p><p>CXF 3.1.7 offers <span class="confluence-link">&#160;</span><a shape="rect" href="jax-rs-oidc.html"><span class="confluence-link">OpenId Connect RP support</span></a>.</p></div>
            </div>
            <!-- Content -->
          </td>

Added: websites/production/cxf/content/docs/jax-rs-oidc.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oidc.html (added)
+++ websites/production/cxf/content/docs/jax-rs-oidc.html Thu May 26 15:47:38 2016
@@ -0,0 +1,157 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+  <head>
+
+<link type="text/css" rel="stylesheet" href="/resources/site.css">
+<script src='/resources/space.js'></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - JAX-RS OIDC">
+
+
+
+
+    <title>
+Apache CXF -- JAX-RS OIDC
+    </title>
+  </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td id="cell-0-0" colspan="2">&nbsp;</td>
+    <td id="cell-0-1">&nbsp;</td>
+    <td id="cell-0-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-1-0">&nbsp;</td>
+    <td id="cell-1-1">&nbsp;</td>
+    <td id="cell-1-2">
+      <!-- Banner -->
+<div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/" title="The Apache Sofware Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
+</td></tr></table></div></div>
+      <!-- Banner -->
+      <div id="top-menu">
+        <table border="0" cellpadding="1" cellspacing="0" width="100%">
+          <tr>
+            <td>
+              <div align="left">
+                <!-- Breadcrumbs -->
+<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="restful-services.html">RESTful Services</a>&nbsp;&gt;&nbsp;<a href="jax-rs.html">JAX-RS</a>&nbsp;&gt;&nbsp;<a href="jax-rs-oauth2.html">JAX-RS OAuth2</a>&nbsp;&gt;&nbsp;<a href="jax-rs-oidc.html">JAX-RS OIDC</a>
+                <!-- Breadcrumbs -->
+              </div>
+            </td>
+            <td>
+              <div align="right">
+                <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="http://cxf.apache.org/download.html">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
+                <!-- Quicklinks -->
+              </div>
+            </td>
+          </tr>
+        </table>
+      </div>
+    </td>
+    <td id="cell-1-3">&nbsp;</td>
+    <td id="cell-1-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-2-0" colspan="2">&nbsp;</td>
+    <td id="cell-2-1">
+      <table>
+        <tr valign="top">
+          <td height="100%">
+            <div id="wrapper-menu-page-right">
+              <div id="wrapper-menu-page-top">
+                <div id="wrapper-menu-page-bottom">
+                  <div id="menu-page">
+                    <!-- NavigationBar -->
+<div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape
 ="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
+  <div>
+    <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+    <input type="hidden" name="ie" value="UTF-8">
+    <input type="text" name="q" size="21">
+    <input type="submit" name="sa" value="Search">
+  </div>
+</form>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script><hr><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API 3.1.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest-3.0.x/">API 3.0.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul></div>
+                    <!-- NavigationBar -->
+                  </div>
+              </div>
+            </div>
+          </div>
+         </td>
+         <td height="100%">
+           <!-- Content -->
+           <div class="wiki-content">
+<div id="ConfluenceContent"></div>
+           </div>
+           <!-- Content -->
+         </td>
+        </tr>
+      </table>
+   </td>
+   <td id="cell-2-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+   <td id="cell-3-0">&nbsp;</td>
+   <td id="cell-3-1">&nbsp;</td>
+   <td id="cell-3-2">
+     <div id="footer">
+       <!-- Footer -->
+       <div id="site-footer">
+         <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> - 
+         (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=63407087">edit page</a>) 
+	 (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=63407087&amp;showComments=true&amp;showCommentArea=true#addcomment">add comment</a>)<br>
+	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+        All other marks mentioned may be trademarks or registered trademarks of their respective owners.
+       </div>
+       <!-- Footer -->
+     </div>
+   </td>
+   <td id="cell-3-3">&nbsp;</td>
+   <td id="cell-3-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-4-0" colspan="2">&nbsp;</td>
+    <td id="cell-4-1">&nbsp;</td>
+    <td id="cell-4-2" colspan="2">&nbsp;</td>
+  </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+

Modified: websites/production/cxf/content/docs/jaxrs-oauth2-assertions.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-oauth2-assertions.html (original)
+++ websites/production/cxf/content/docs/jaxrs-oauth2-assertions.html Thu May 26 15:47:38 2016
@@ -118,11 +118,11 @@ Apache CXF -- JAXRS OAuth2 Assertions
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAXRSOAuth2Assertions-JAXRS:OAuth2Assertions">JAXRS: OAuth2 Assertions</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1449056823368 {padding: 0px;}
-div.rbtoc1449056823368 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1449056823368 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464277619371 {padding: 0px;}
+div.rbtoc1464277619371 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464277619371 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1449056823368">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464277619371">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSOAuth2Assertions-JAXRS:OAuth2Assertions">JAXRS: OAuth2 Assertions</a></li><li><a shape="rect" href="#JAXRSOAuth2Assertions-Introduction">Introduction</a></li><li><a shape="rect" href="#JAXRSOAuth2Assertions-SAML2Bearer">SAML2 Bearer</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSOAuth2Assertions-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAXRSOAuth2Assertions-AccessTokenGrant">Access Token Grant</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAXRSOAuth2Assertions-Clientcode">Client code</a></li><li><a shape="rect" href="#JAXRSOAuth2Assertions-AccessTokenService">Access Token Service</a></li></ul>
@@ -363,14 +363,14 @@ AccessTokenGrant accessTokenGrant = new
        
 ClientAccessToken at = OAuthClientUtils.getAccessToken(wc, accessTokenGrant);
 </pre>
-</div></div><p>&#160;</p><h1 id="JAXRSOAuth2Assertions-JWTBearer">JWT Bearer</h1><h2 id="JAXRSOAuth2Assertions-AccessTokenGrant.1">Access Token Grant</h2><p><a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc7523#section-2.1" rel="nofollow">This section</a> explains how JWT Bearer tokens can be used as token grants. The value of grant_type parameter is "urn:ietf:params:oauth:grant- type:jwt-bearer".</p><p>It is really just another grant type, but whose actual value is a JWT Token. The specification provides an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc7523#section-4" rel="nofollow">example</a> of how such an assertion may look like.</p><p>Here is how a request may look like:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>&#160;</p><h1 id="JAXRSOAuth2Assertions-JWTBearer">JWT Bearer</h1><p>See <a shape="rect" href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+OAuth2#JAX-RSOAuth2-SAMLandJWTAssertions">this CXF OAuth2 section</a> for the information about the implementation details.</p><h2 id="JAXRSOAuth2Assertions-AccessTokenGrant.1">Access Token Grant</h2><p><a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc7523#section-2.1" rel="nofollow">This section</a> explains how JWT Bearer tokens can be used as token grants. The value of grant_type parameter is "urn:ietf:params:oauth:grant- type:jwt-bearer".</p><p>It is really just another grant type, but whose actual value is a JWT Token. The specification provides an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc7523#section-4" rel="nofollow">example</a> of how such an assertion may look like.</p><p>Here is how a request may look like:</p><div class="code panel pdl" style="bord
 er-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">POST /token HTTP/1.1
 Content-Type: application/x-www-form-urlencoded
 
 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&amp;
 assertion=X.Y.Z
 </pre>
-</div></div><h3 id="JAXRSOAuth2Assertions-Clientcode.1">Client code</h3><p>The following example shows how to use JWT Bearer token as a grant with CXF OAuth2 client code: TODO</p><h3 id="JAXRSOAuth2Assertions-AccessTokenService.2">Access Token Service</h3><p>Here is how one may configure the Access Token Service:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><h3 id="JAXRSOAuth2Assertions-Clientcode.1">Client code</h3><p>CXF BigQuery demo <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java#L75" rel="nofollow">shows</a> how a so called Google Service Client can prepare a signed JWT token and use JwtBearerGrant in order to issue a JWT Bearer grant request and get a new access token back. CXF WebClient is used in the demo code but OAuthClientUtils can also be used.</p><h3 id="JAXRSOAuth2Assertions-AccessTokenService.2">Access Token Service</h3><p>Here is how one may configure the Access Token Service:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="dataProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.OAuthDataProviderImpl"/&gt;
 &lt;bean id="jwtGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler"&gt;
   &lt;property name="dataProvider" ref="dataProvider"/&gt;
@@ -411,7 +411,7 @@ grant_type=authorization_code
 &amp;client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
 &amp;client_assertion=X.Y.Z
 </pre>
-</div></div><p>Note "client_assertion_type" with a value "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" indicates that the type of assertion used as an authentication token is "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", while the "client_assertion" parameter carries the actual value of the token.</p><h3 id="JAXRSOAuth2Assertions-ClientCode.1">Client Code</h3><p>The following example shows how to use JWT Bearer tokens as an authentication token: TODO</p><p>&#160;</p><h3 id="JAXRSOAuth2Assertions-AccessTokenService.3">Access Token Service</h3><p>Here is how one may configure Access Token Service:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>Note "client_assertion_type" with a value "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" indicates that the type of assertion used as an authentication token is "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", while the "client_assertion" parameter carries the actual value of the token.</p><h3 id="JAXRSOAuth2Assertions-ClientCode.1">Client Code</h3><p>Suppose the client is acting on behalf of itself to request a token, effectively using Client Credentials grant. In this case it will use <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerClientCredentialsGrant.java" rel="nofollow">JwtBearerClientCredentialsGrant</a>.</p><h3 id="JAXRSOAuth2Assertions-AccessTokenService.3">Access Token Service</h3><p>Here is how one may configure Access Token Service:</p><div class="code panel pdl" style="border-width: 1px;"><div cla
 ss="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="dataProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.OAuthDataProviderImpl"/&gt;
 &lt;bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/&gt;
 &lt;bean id="jwtAuthHandler" class="org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerAuthHandler"/&gt;



Mime
View raw message