cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r991192 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oidc.html
Date Wed, 22 Jun 2016 13:47:35 GMT
Author: buildbot
Date: Wed Jun 22 13:47:35 2016
New Revision: 991192

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oidc.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oidc.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oidc.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oidc.html Wed Jun 22 13:47:35 2016
@@ -117,15 +117,17 @@ Apache CXF -- JAX-RS OIDC
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1466599622984 {padding: 0px;}
-div.rbtoc1466599622984 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1466599622984 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1466603222938 {padding: 0px;}
+div.rbtoc1466603222938 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1466603222938 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1466599622984">
+/*]]>*/</style></p><div class="toc-macro rbtoc1466603222938">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOIDC-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</a></li><li><a
shape="rect" href="#JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-AuthenticationServices">Authentication
Services</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-AuthorizationCodeFlow">Authorization
Code Flow</a></li><li><a shape="rect" href="#JAX-RSOIDC-ImplicitFlow">Implicit
Flow</a></li><li><a shape="rect" href="#JAX-RSOIDC-HybridFlow">Hybrid
Flow</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</a></li><li><a
shape="rect" href="#JAX-RSOIDC-JWKKeysService">JWK Keys Service</a></li><li><a
shape="rect" href="#JAX-RSOIDC-FedizOIDC">Fediz OIDC</a></li><li><a
shape="rect" href="#JAX-RSOIDC-OIDCRPsupport">OIDC RP support</a></li><li><a
shape="rect" href="#JAX-RSOIDC-Demos">Demos</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</a></li><li><a
shape="rect" href="#JAX-RSOIDC-JWKKeysService">JWK Keys Service</a></li><li><a
shape="rect" href="#JAX-RSOIDC-FedizOIDCProvider">Fediz OIDC Provider</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSOIDC-OIDCRPsupport">OIDC RP support</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-Demos">Demos</a></li></ul>
 </li></ul>
 </div><h1 id="JAX-RSOIDC-Introduction">Introduction</h1><p><a
shape="rect" class="external-link" href="http://openid.net/connect/" rel="nofollow">OpenId
Connect</a> (OIDC) is an identity layer built on top of the OAuth2 protocol.</p><p>When
the user authentication is required the client application initiates one of <a shape="rect"
class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC
Core</a> flows and redirects this user to OIDC provider. The user gets redirected back
to the client after the authentication, with the client application receiving <a shape="rect"
class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
rel="nofollow">IdToken</a>. If <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth"
rel="nofollow">Authorization Code Flow</a> is used then IdToken is returned as part
of the follow up <a shape="rect" class="external-link" href="http
 ://openid.net/specs/openid-connect-core-1_0.html#TokenResponse" rel="nofollow">code to
access token exchange</a>, and if <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth"
rel="nofollow">Implicit Flow</a> is used then IdToken is returned <a shape="rect"
class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse"
rel="nofollow">immediately</a>.&#160; It is very much like OAuth2 except that
an extra IdToken parameter is returned.</p><p>CXF ships OIDC Provider (IDP) and
Relying Party (RP) utility code to make it easy for developers to create their own custom
OIDC providers or have JAX-RS applications integrated with well-known 3rd party OIDC IDPs.</p><p>This
code relies heavily on <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html">CXF
OAuth2</a> and <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF
JOSE</a> modules.</p><h1 id="JAX-RSOIDC-Mave
 nDependencies">Maven Dependencies</h1><div class="code panel pdl" style="border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF
OIDC module</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;dependency&gt;
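Review bot: renaming the heading anchor from `#JAX-RSOIDC-FedizOIDC` to `#JAX-RSOIDC-FedizOIDCProvider` (the `-`/`+` TOC entries near the end of this hunk) breaks any existing bookmarks or cross-page links to the old id; if the Confluence export allows it, keep the old id as an alias or add a redirect for it. The `rbtoc1466599622984` to `rbtoc1466603222938` class rename is timestamp churn from the TOC macro and will reappear on every regeneration; it is harmless but makes the real changes in this file harder to spot in review.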
@@ -133,7 +135,7 @@ div.rbtoc1466599622984 li {margin-left:
     &lt;artifactId&gt;cxf-rt-rs-security-sso-oidc&lt;/artifactId&gt;
     &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;</pre>
-</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a
shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides
a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a>
which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a>
and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a>
by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java"
rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
 <p>One way to populate it is to register a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java"
rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService.
For example, Fediz OIDC uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java"
rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared
by Fediz Authenticators and creates IdToken by converting an already available SAML token
to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a>. In other cases a us
 er principal may already have a prepared IdToken.&#160;</p><p>The other approach
is to create IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom
OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this
case IdToken will need to be populated first and then converted to either JWS or JWE sequence
and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant
property at the moment the grant is persisted, if it is the implicit flow - set it as a token
property at the moment the token is persisted. This approach is a bit more involved but creating
a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF
JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way
IdToken is created is container/implementation specific. Creating IdToken is the main requirement
for integrating CXF OIDC code w
 ith the 3rd party container.</p><p>Finally, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140"
rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">IdTokenProvider</a> to create IdToken at the moment it needs to be
returned to the client application.&#160;</p>
 <p>IdToken can provide enough information for the client application to work with the
current user. However, the client can get more information about the user from OIDC <a
shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo"
rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides&#160;<span
class="pl-smi">&#160;</span><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java"
rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a>
One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or let CXF
OIDCUserInfo service create it as described below.</p><h1
  id="JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC
IDP code provides JAX-RS services for supporting OIDC <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization
Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth"
rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth"
rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all
OIDC response types</a>.</p><p>Services for supporting <a shape="rect"
class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo"
rel="nofollow">UserInfo requests</a> and returning IdToken <a shape="rect" class="external-link"
href="http:
 //openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification
keys</a> are also shipped.&#160;</p><h2 id="JAX-RSOIDC-AuthenticationServices">Authentication
Services</h2><h3 id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java"
rel="nofollow">OidcAuthorizationCodeService</a> and <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
provides a support OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth"
rel="nofollow">Authorization Code</a> flow.&#160;<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAut
 horizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a> is a
simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a>
extension which enforces OIDC specific constraints.&#160;</p><p><a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>)
is where IdToken is actually added to the client response.</p><h3 id="JAX-RSOIDC-ImplicitFlow">Implicit
Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java"
rel="nofollow">OidcImplicitService</a> is a
  simple ImplicitGrantService extension which enforces OIDC specific constraints and also
adds IdToken is actually added to the client response.</p><h3 id="JAX-RSOIDC-HybridFlow">Hybrid
Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java"
rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both <a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java"
rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java"
rel="nofollow">OidcAuthorizationCodeService</a>.</p><h2 id="JAX-RSOIDC-UserInfoEndpoint">UserInfo
Endpoint</h2><
 p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java"
rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing
IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java"
rel="nofollow">UserInfoService</a> 
 is accessed by a client which uses the access token issued to it during the user authentication
process. Therefore <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java#L48"
rel="nofollow">this line</a> enforces it - it will fail if the access token has not
been successfully <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">validated</a>.</p><h2
id="JAX-RSOIDC-JWKKeysService">JWK Keys Service</h2><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java"
rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public verification
JWK key. By default only a public key is returned by the service can be configured for JWK
key to include the corresponding&#16
 0; X509 certificate chain too.&#160; Use this service if IdToken is signed by a private
RSA or EC key for the client be able to fetch the verification keys without having to import
them into local key stores.</p><h2 id="JAX-RSOIDC-FedizOIDC">Fediz OIDC</h2><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc"
rel="nofollow">Fediz OIDC</a> provides a reference integration between CXF OIDC IDP
code and its authentication system. It has <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html"
rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><h2
id="JAX-RSOIDC-OIDCRPsupport">OIDC RP support</h2><h2 id="JAX-RSOIDC-Demos">Demos</h2><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query"
rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https:/
 /github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java"
rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code
to support interacting with the user, redirecting the user to Google to authenticate, and
validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC
Authorization Code Flow). The demo service uses IdToken to address the user correctly and
the access token to access the user's resources as authorized by the user.</p><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc"
rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java"
rel="nofollow">demo service</a> is not an OAuth2 
 client, but a basic JAX-RS server. This server works with an HTTP Browser client which uses
Google script libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit
flow). This browser client interacts with CXF OIDC RP code to get IdToken validated and then
posts this token to the demo service. Demo service depends on CXF OIDC RP to have this IdToken
easily accessible in its code</p><p>&#160;</p><p>&#160;</p></div>
+</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a
shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides
a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a>
which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a>
and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a>
by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java"
rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
 <p>One way to populate it is to register a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java"
rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService.
For example, Fediz OIDC uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java"
rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared
by Fediz Authenticators and creates IdToken by converting an already available SAML token
to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a>. In other cases a us
 er principal may already have a prepared IdToken.&#160;</p><p>The other approach
is to create IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom
OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this
case IdToken will need to be populated first and then converted to either JWS or JWE sequence
and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant
property at the moment the grant is persisted, if it is the implicit flow - set it as a token
property at the moment the token is persisted. This approach is a bit more involved but creating
a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF
JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way
IdToken is created is container/implementation specific. Creating IdToken is the main requirement
for integrating CXF OIDC code w
 ith the 3rd party container.</p><p>Finally, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140"
rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">IdTokenProvider</a> to create IdToken at the moment it needs to be
returned to the client application.&#160;</p>
 <p>IdToken can provide enough information for the client application to work with the
current user. However, the client can get more information about the user from OIDC <a
shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo"
rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides&#160;<span
class="pl-smi">&#160;</span><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java"
rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a>
One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or let CXF
OIDCUserInfo service create it as described below.</p><h1
  id="JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC
IDP code provides JAX-RS services for supporting OIDC <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization
Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth"
rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth"
rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all
OIDC response types</a>.</p><p>Services for supporting <a shape="rect"
class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo"
rel="nofollow">UserInfo requests</a> and returning IdToken <a shape="rect" class="external-link"
href="http:
 //openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification
keys</a> are also shipped.&#160;</p><h2 id="JAX-RSOIDC-AuthenticationServices">Authentication
Services</h2><h3 id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java"
rel="nofollow">OidcAuthorizationCodeService</a> and <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
provides a support OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth"
rel="nofollow">Authorization Code</a> flow.&#160;<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAut
 horizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a> is a
simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a>
extension which enforces OIDC specific constraints. For example, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L44"
rel="nofollow">see this line</a>.</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>)
is where IdToken is actually added to the client response. For example, see <a shape="rect"
class="external-link" href="https://github.com/apache/
 cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L181"
rel="nofollow">this line</a>.</p><h3 id="JAX-RSOIDC-ImplicitFlow">Implicit
Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java"
rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension
which enforces OIDC specific constraints and also adds IdToken is actually added to the client
response. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L54"
rel="nofollow">this line</a> (Note on this case Implicit Flow is supported due to
OidcHybridService extending OidcImplicitService).</p><h3 id="JAX-RSOIDC-HybridFlow">Hybrid
Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt
 /rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java"
rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both <a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java"
rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java"
rel="nofollow">OidcAuthorizationCodeService</a>. For example, see <a shape="rect"
class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L54"
rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-UserInfoEndpoint">UserInfo
Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob
 /master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java"
rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing
IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java"
rel="nofollow">UserInfoService</a> is accessed by a client which uses the access
token issued to it during the user
  authentication process. Therefore <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java#L48"
rel="nofollow">this line</a> enforces it - it will fail if the access token has not
been successfully <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">validated</a>.
For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L112"
rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-JWKKeysService">JWK
Keys Service</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java"
rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public verification
J
 WK key. By default only a public key is returned by the service can be configured for JWK
key to include the corresponding&#160; X509 certificate chain too.&#160; Use this
service if IdToken is signed by a private RSA or EC key for the client be able to fetch the
verification keys without having to import them into local key stores.</p><p>For
example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89"
rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-FedizOIDCProvider">Fediz
OIDC Provider</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc"
rel="nofollow">Fediz OIDC</a> project provides a reference integration between CXF
OIDC IDP code and its authentication system. It has <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a>
supported with
  a minimum amount of code and configuration.</p><p>It creates IdToken in a custom
<a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java"
rel="nofollow">SubjectCreator</a> as described above. Currently it depends one CXF
Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47"
rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed.
Beside that it provides a support for managing the client registrations. It registers OIDC
services as JAX-RS endpoints.</p><p>While some implementation details may change
going forward (example, the alternative data provider may get introduced, etc), for the most
part it shows that creating IdToken is what is really needed to get the container integrated
with the CXF OIDC code.</p><h1 id="JAX-RSOIDC-OIDCRP
 support">OIDC RP support</h1><p>OIDC RP client support is needed for the client
application to redirect a user to OIDC IDP, get IdToken and validate it, optionally get UserInfo,
and make both IdToken and UserInfo easily accessible to the client application code for it
to be able to interact with the user.</p><h2 id="JAX-RSOIDC-Demos">Demos</h2><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query"
rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java"
rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code
to support interacting with the user, redirecting the user to Google to authenticate, and
validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC
Authorization Cod
 e Flow). The demo service uses IdToken to address the user correctly and the access token
to access the user's resources as authorized by the user.</p><p>For example, the
context is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L51"
rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68"
rel="nofollow">the access token</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75"
rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distributi
 on/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70"
rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc"
rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java"
rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS server.
This server works with an HTTP Browser client which uses Google script libraries to get IdToken
from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser client interacts
with CXF OIDC RP code to get IdToken validated and then posts this token to the demo service.
Demo service depends on CXF OIDC RP to have this IdToken easily accessible in it
 s code</p><p>&#160;</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
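Review bot: the JWK Keys Service paragraph (the OidcKeysService sentence) has lost words and currently reads "By default only a public key is returned by the service can be configured for JWK key to include the corresponding X509 certificate chain too"; it should be split into two sentences, e.g. "By default only a public key is returned. The service can be configured to include the corresponding X509 certificate chain in the JWK key as well." Two smaller wording fixes in the same region: "Currently it depends one CXF Ehcache OAuthDataProvider" should read "depends on the CXF Ehcache OAuthDataProvider", and the final BasicOidc sentence ("...easily accessible in its code") has no closing period and is followed by two empty <p>&#160;</p> paragraphs that can be dropped. Separately, the "this line" links point at fixed line numbers (#L48, #L112, #L89, #L51, #L68, #L75, #L70) in the master branch of the cxf and cxf-fediz repositories; those anchors drift as soon as the files change, so for the UserInfoService check in particular it would be more durable to name the class or method and state the behaviour (the request is rejected unless the OAuth filter has already validated the access token) rather than rely on the line number.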


