cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r991249 - in /websites/production/cxf/content: cache/docs.pageCache cache/main.pageCache docs/jax-rs-oidc.html fediz-oidc.html
Date Thu, 23 Jun 2016 10:47:35 GMT
Author: buildbot
Date: Thu Jun 23 10:47:35 2016
New Revision: 991249

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/docs/jax-rs-oidc.html
    websites/production/cxf/content/fediz-oidc.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oidc.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oidc.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oidc.html Thu Jun 23 10:47:35 2016
@@ -117,16 +117,16 @@ Apache CXF -- JAX-RS OIDC
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1466675219296 {padding: 0px;}
-div.rbtoc1466675219296 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1466675219296 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1466678819847 {padding: 0px;}
+div.rbtoc1466678819847 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1466678819847 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1466675219296">
+/*]]>*/</style></p><div class="toc-macro rbtoc1466678819847">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOIDC-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</a></li><li><a shape="rect" href="#JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-AuthenticationServices">Authentication Services</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</a></li><li><a shape="rect" href="#JAX-RSOIDC-ImplicitFlow">Implicit Flow</a></li><li><a shape="rect" href="#JAX-RSOIDC-HybridFlow">Hybrid Flow</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</a></li><li><a shape="rect" href="#JAX-RSOIDC-JWKKeysService">JWK Keys Service</a></li><li><a shape="rect" href="#JAX-RSOIDC-FedizOIDCProvider">Fediz OIDC Provider</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSOIDC-OIDCRPsupport">OIDC RP support</a>
+</li><li><a shape="rect" href="#JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</a></li><li><a shape="rect" href="#JAX-RSOIDC-JWKKeysService">JWK Keys Service</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSOIDC-FedizOIDCIDP">Fediz OIDC IDP</a></li><li><a shape="rect" href="#JAX-RSOIDC-OIDCRPsupport">OIDC RP support</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-Demos">Demos</a></li></ul>
 </li></ul>
 </div><h1 id="JAX-RSOIDC-Introduction">Introduction</h1><p><a shape="rect" class="external-link" href="http://openid.net/connect/" rel="nofollow">OpenId Connect</a> (OIDC) is an identity layer built on top of the OAuth2 protocol.</p><p>When the user authentication is required the client application initiates one of <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> flows and redirects this user to OIDC provider. The user gets redirected back to the client after the authentication, with the client application receiving <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a>. If <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code Flow</a> is used then IdToken is returned as part of the follow up <a shape="rect" class="external-link" href="http
 ://openid.net/specs/openid-connect-core-1_0.html#TokenResponse" rel="nofollow">code to access token exchange</a>, and if <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit Flow</a> is used then IdToken is returned <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse" rel="nofollow">immediately</a>.&#160; It is very much like OAuth2 except that an extra IdToken parameter is returned.</p><p>CXF ships OIDC Provider (IDP) and Relying Party (RP) utility code to make it easy for developers to create their own custom OIDC providers or have JAX-RS applications integrated with well-known 3rd party OIDC IDPs.</p><p>This code relies heavily on <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html">CXF OAuth2</a> and <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> modules.</p><h1 id="JAX-RSOIDC-Mave
 nDependencies">Maven Dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF OIDC module</b></div><div class="codeContent panelContent pdl">
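Review bot: the table-of-contents rewrite changes section anchors (`#JAX-RSOIDC-AuthenticationServices` becomes `#JAX-RSOIDC-OIDCFlowServices`, and `#JAX-RSOIDC-FedizOIDCProvider` becomes `#JAX-RSOIDC-FedizOIDCIDP`, moved out of the "OIDC IDP support" subtree to the top level), which breaks any existing deep links into the published page; if the wiki export allows it, keep the old ids as aliases, otherwise accept the link breakage knowingly. The `div.rbtoc1466675219296` to `div.rbtoc1466678819847` churn is an export timestamp that Confluence regenerates every time, so it is diff noise rather than a content change and needs no review.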
@@ -135,7 +135,7 @@ div.rbtoc1466675219296 li {margin-left:
     &lt;artifactId&gt;cxf-rt-rs-security-sso-oidc&lt;/artifactId&gt;
     &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;</pre>
-</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a> which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a> and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a> by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
 <p>One way to populate it is to register a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java" rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService. For example, <a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared by Fediz Authenticators and creates IdToken by converting an already available SAML token to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSub
 ject.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal may already have a prepared IdToken.&#160;</p><p>The other approach is to create IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this case IdToken will need to be populated first and then converted to either JWS or JWE sequence and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant property at the moment the grant is persisted, if it is the implicit flow - set it as a token property at the moment the token is persisted. This approach is a bit more involved but creating a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way IdToken is created is container/implementation specific. Creati
 ng IdToken is the main requirement for integrating CXF OIDC code with the 3rd party container.</p><p>Finally, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140" rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> to create IdToken at the m
 oment it needs to be returned to the client application.&#160;</p><p>IdToken can provide enough information for the client application to work with the current user. However, the client can get more information about the user from OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides&#160;<span class="pl-smi">&#160;</span><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a> One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or
  let CXF OIDCUserInfo service create it as described below.</p><h1 id="JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC IDP code provides JAX-RS services for supporting OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth" rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all OIDC response types</a>.</p><p>Services for supporting <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo requests</a> and r
 eturning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification keys</a> are also shipped.&#160;</p><h2 id="JAX-RSOIDC-AuthenticationServices">Authentication Services</h2><h3 id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a> extension which enforces OIDC specific constraints. It can be registered <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L44" rel="nofollow">like this</a>.</p>
 <p>This service issues a code grant, while&#160;<a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> returns Access and Id tokens.&#160;</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>) is where IdToken is actually added to the client response. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L181" rel="nofollow">this line</a>.</p><h3 id="JAX-RSOIDC-ImplicitFlow">Implicit Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/securi
 ty/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension which enforces OIDC specific constraints and adds IdToken to the client response. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L54" rel="nofollow">this line</a> (Note in this case Implicit Flow is supported due to OidcHybridService extending OidcImplicitService but OidcImplicitService can be registered directly).</p><h3 id="JAX-RSOIDC-HybridFlow">Hybrid Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both <a shape="rect" class="external-link" href="https://github.com/apache/
 cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a>. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L54" rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/
 master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> is accessed by a client which uses the access token issued to it during the user authentication process. Therefore <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java#L48" rel="nofollow">this line<
 /a> enforces it - it will fail if the access token has not been successfully <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">validated</a>. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L112" rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-JWKKeysService">JWK Keys Service</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java" rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public verification JWK key. By default only a public key is returned but the service can also be configured for JWK key to include the corresponding&#160; X509 certificate chain too.&#160; Use this service if IdToken is signed by a private RSA or EC key for the clie
 nt be able to fetch the verification keys without having to import them into local key stores.</p><p>For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89" rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-FedizOIDCProvider">Fediz OIDC Provider</h2><p><a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> project provides a reference integration between CXF OIDC IDP code and Fediz Authentication System. It has <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><p>It creates IdToken in a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">SubjectCreator</a> as
  described above. Currently it depends on CXF Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47" rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed. Besides that it provides a support for managing the client registrations. It registers OIDC services as JAX-RS endpoints.</p><p>While some implementation details may change going forward (example, the alternative data provider may get introduced, etc), for the most part it shows that creating IdToken is what is really needed to get the container integrated with the CXF OIDC code.</p><h1 id="JAX-RSOIDC-OIDCRPsupport">OIDC RP support</h1><p>OIDC RP client support is needed for the client application to redirect a user to OIDC IDP, get and validate IdToken, optionally get UserInfo, and make both IdToken and UserInfo easily accessible to the client application code.</p><h2 id="JAX-RSOIDC-Demos">Demos</h2
 ><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query" rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java" rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code to support interacting with the user, redirecting the user to Google to authenticate, and validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.</p><p>For example, the context is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jax
 rs/server/BigQueryService.java#L51" rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68" rel="nofollow">the access token</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75" rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70" rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc" rel="nofollow">Bas
 icOidc</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java" rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS server. This server works with an HTTP Browser client which uses Google script libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser client interacts with CXF OIDC RP code to get IdToken validated and then posts this token to the demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code</p><p>&#160;</p><p>&#160;</p></div>
+</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a> which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a> and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a> by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
 <p>One way to populate it is to register a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java" rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService. For example, <a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared by Fediz Authenticators and creates IdToken by converting an already available SAML token to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSub
 ject.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal may already have a prepared IdToken.&#160;</p><p>The other approach is to create IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this case IdToken will need to be populated first and then converted to either JWS or JWE sequence and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant property at the moment the grant is persisted, if it is the implicit flow - set it as a token property at the moment the token is persisted. This approach is a bit more involved but creating a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way IdToken is created is container/implementation specific. Creati
 ng IdToken is the main requirement for integrating CXF OIDC code with the 3rd party container.</p><p>Finally, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140" rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> to create IdToken at the m
 oment it needs to be returned to the client application.&#160;</p><p>IdToken can provide enough information for the client application to work with the current user. However, the client can get more information about the user from OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides&#160;<span class="pl-smi">&#160;</span><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a> One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or
  let CXF OIDCUserInfo service create it as described below.</p><h1 id="JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC IDP code provides JAX-RS services for supporting OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth" rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all OIDC response types</a>.</p><p>Services for supporting <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo requests</a> and r
 eturning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification keys</a> are also shipped.&#160;</p><h2 id="JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3 id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a> extension which enforces OIDC specific constraints. It can be registered <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L44" rel="nofollow">like this</a>.</p><p>This ser
 vice issues a code grant, while&#160;<a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> returns Access and Id tokens.&#160;</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>) is where IdToken is actually added to the client response. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L181" rel="nofollow">this line</a>.</p><h3 id="JAX-RSOIDC-ImplicitFlow">Implicit Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc
 /src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension which enforces OIDC specific constraints and adds IdToken to the client response. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L54" rel="nofollow">this line</a> (Note in this case Implicit Flow is supported due to OidcHybridService extending OidcImplicitService but OidcImplicitService can be registered directly).</p><h3 id="JAX-RSOIDC-HybridFlow">Hybrid Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/ma
 ster/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a>. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L54" rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/r
 s/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> is accessed by a client which uses the access token issued to it during the user authentication process. Therefore <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java#L48" rel="nofollow">this line</a> enforce
 s it - it will fail if the access token has not been successfully <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">validated</a>. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L112" rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-JWKKeysService">JWK Keys Service</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java" rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public verification JWK key. By default only a public key is returned but the service can also be configured for JWK key to include the corresponding&#160; X509 certificate chain too.&#160; Use this service if IdToken is signed by a private RSA or EC key for the client be able 
 to fetch the verification keys without having to import them into local key stores.</p><p>For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89" rel="nofollow">this line</a>.</p><h1 id="JAX-RSOIDC-FedizOIDCIDP">Fediz OIDC IDP</h1><p><a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> project provides a reference integration between CXF OIDC IDP code and Fediz Authentication System. It has <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><p>It creates IdToken in a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">SubjectCreator</a> as described above. Cur
 rently it depends on CXF Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47" rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed. Besides that it provides a support for managing the client registrations. It registers OIDC services as JAX-RS endpoints.</p><p>While some implementation details may change going forward (example, the alternative data provider may get introduced, etc), for the most part it shows that creating IdToken is what is really needed to get the container integrated with the CXF OIDC code.</p><h1 id="JAX-RSOIDC-OIDCRPsupport">OIDC RP support</h1><p>OIDC RP client support is needed for the client application to redirect a user to OIDC IDP, get and validate IdToken, optionally get UserInfo, and make both IdToken and UserInfo easily accessible to the client application code.</p><h2 id="JAX-RSOIDC-Demos">Demos</h2><p><a shape="rect" c
 lass="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query" rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java" rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code to support interacting with the user, redirecting the user to Google to authenticate, and validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.</p><p>For example, the context is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQuerySer
 vice.java#L51" rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68" rel="nofollow">the access token</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75" rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70" rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc" rel="nofollow">BasicOidc</a> <a shape="
 rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java" rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS server. This server works with an HTTP Browser client which uses Google script libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser client interacts with CXF OIDC RP code to get IdToken validated and then posts this token to the demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code</p><p>&#160;</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
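Review bot: the link labelled UserInfoProvider in the UserInfo Endpoint paragraph points at `.../rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java`, so either the label or the href is wrong; since UserInfoService is described as checking UserInfoProvider first, the href should point at the UserInfoProvider source (the correct path is not visible in this hunk, so it needs to be looked up rather than guessed). These lines are unchanged context, so the mismatch predates this update, but it is the one link a reader of the UserInfo section is most likely to follow. Two smaller wording points in the same context: the JWK Keys Service paragraph reads "for the client be able to fetch the verification keys" and should read "for the client to be able to fetch the verification keys", and the final BasicOidc paragraph ends without a full stop ("easily accessible in its code").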

Modified: websites/production/cxf/content/fediz-oidc.html
==============================================================================
--- websites/production/cxf/content/fediz-oidc.html (original)
+++ websites/production/cxf/content/fediz-oidc.html Thu Jun 23 10:47:35 2016
@@ -100,15 +100,15 @@ Apache CXF -- Fediz OIDC
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1466610419679 {padding: 0px;}
-div.rbtoc1466610419679 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1466610419679 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1466678819844 {padding: 0px;}
+div.rbtoc1466678819844 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1466678819844 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1466610419679">
+/*]]>*/</style></p><div class="toc-macro rbtoc1466678819844">
 <ul class="toc-indentation"><li><a shape="rect" href="#FedizOIDC-Introduction">Introduction</a></li><li><a shape="rect" href="#FedizOIDC-UserAuthentication">User Authentication</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#FedizOIDC-TrustedProviders">Trusted Providers</a></li></ul>
-</li><li><a shape="rect" href="#FedizOIDC-DataPersistence">Data Persistence</a></li><li><a shape="rect" href="#FedizOIDC-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#FedizOIDC-OIDCServices">OIDC Services</a></li><li><a shape="rect" href="#FedizOIDC-Deployment">Deployment</a></li></ul>
-</div><h1 id="FedizOIDC-Introduction">Introduction</h1><p><a shape="rect" class="external-link" href="http://openid.net/connect/" rel="nofollow">OpenId Connect</a> (OIDC) is an identity layer built on top of the OAuth2 protocol.</p><p>When a user authentication is required the client application initiates one of <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> flows and redirects this user to OIDC provider. The user gets redirected back to the client after the authentication, with the client application receiving <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a>. If <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code Flow</a> is used then IdToken is returned as part of the follow up <a shape="rect" class="external-link" href="http://
 openid.net/specs/openid-connect-core-1_0.html#TokenResponse" rel="nofollow">code to access token exchange</a>, and if <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit Flow</a> is used then IdToken is returned <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse" rel="nofollow">immediately</a>.&#160; It is very much like OAuth2 except that an extra IdToken parameter is returned.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> provides an implementation of <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> by integrating <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oidc.html">CXF OIDC IDP</a> with Fediz Authentication System. It is available starting fro
 m Fediz 1.3.0.</p><p>This project is a work in progress. &#160;</p><h1 id="FedizOIDC-UserAuthentication">User Authentication</h1><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> is currently implemented as a Fediz WS-Federation RP web application. When Fediz OIDC is accessed by a user, Fediz WS-Fed Authenticator will redirect a user to Fediz WS-Fed IDP to complete the authentication process. The fact WS-Fed is used during this process is transparent to the user. Note&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> itself is completely agnostic to the way the authentication is done - all it needs is for Fediz to provide it an authenticated principal for it to support its OIDC flows.</p><p>Future major releases of Fediz will optimize and improve this process by bringing&#160; <a shape="rect" class="exte
 rnal-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> much closer to the core Fediz Authentication System thus avoiding an internal WS-Fed flow completely.</p><h2 id="FedizOIDC-TrustedProviders">Trusted Providers</h2><p>Fediz provides a comprehensive support for delegating the user authentication to trusted providers. Such providers can support SAML, WS-Fed or OpenId Connect protocols. Thus <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> users can be authenticated locally or redirected further to registered authentication providers. This is achieved by assigning <strong>home realms </strong>to <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> client registrations.&#160;</p><h1 id="FedizOIDC-DataPersistence">Data Persistence</h1><h1 id="FedizOIDC-ClientReg
 istration">Client Registration</h1><h1 id="FedizOIDC-OIDCServices">OIDC Services</h1><h1 id="FedizOIDC-Deployment">Deployment</h1><p>Drop fediz-oidc.war into a Tomcat container hosting the core Fediz IDP service.&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p></div>
+</li><li><a shape="rect" href="#FedizOIDC-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#FedizOIDC-OIDCServices">OIDC Services</a></li><li><a shape="rect" href="#FedizOIDC-IdToken">IdToken</a></li><li><a shape="rect" href="#FedizOIDC-DataPersistence">Data Persistence</a></li><li><a shape="rect" href="#FedizOIDC-Deployment">Deployment</a></li></ul>
+</div><h1 id="FedizOIDC-Introduction">Introduction</h1><p><a shape="rect" class="external-link" href="http://openid.net/connect/" rel="nofollow">OpenId Connect</a> (OIDC) is an identity layer built on top of the OAuth2 protocol.</p><p>When a user authentication is required the client application initiates one of <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> flows and redirects this user to OIDC provider. The user gets redirected back to the client after the authentication, with the client application receiving <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a>. If <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code Flow</a> is used then IdToken is returned as part of the follow up <a shape="rect" class="external-link" href="http://
 openid.net/specs/openid-connect-core-1_0.html#TokenResponse" rel="nofollow">code to access token exchange</a>, and if <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit Flow</a> is used then IdToken is returned <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse" rel="nofollow">immediately</a>.&#160; It is very much like OAuth2 except that an extra IdToken parameter is returned.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> provides an implementation of <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> by integrating <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oidc.html">CXF OIDC IDP</a> with Fediz Authentication System.</p><p>It is available starti
 ng from Fediz 1.3.0 and is a work in progress.&#160;</p><p>Please review <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oidc.html">CXF OIDC IDP</a>, <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html">CXF OAuth2</a> and <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> to get a better understanding of how <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> has been implemented.</p><h1 id="FedizOIDC-UserAuthentication">User Authentication</h1><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> is currently implemented as a Fediz WS-Federation RP web application. When Fediz OIDC is accessed by a user, Fediz WS-Fed Authenticator will redirect a user to Fediz WS-Fed IDP to complete the authentication process. The fact WS-Fed is used during this process is transp
 arent to the user. Note&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> itself is completely agnostic to the way the authentication is done - all it needs is for Fediz to provide it an authenticated principal for it to support its OIDC flows.</p><p>Future major Fediz releases will optimize and improve this process by bringing&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> much closer to the core Fediz Authentication System thus avoiding an internal WS-Fed flow completely.</p><h2 id="FedizOIDC-TrustedProviders">Trusted Providers</h2><p>Fediz provides a comprehensive support for delegating the user authentication to trusted providers. Such providers can support SAML, WS-Fed or OpenId Connect protocols. Thus <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/
 services/oidc" rel="nofollow">Fediz OIDC</a> users can be authenticated locally or redirected further to registered authentication providers. This is achieved by assigning <strong>home realms </strong>to <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> client registrations.&#160;</p><h1 id="FedizOIDC-ClientRegistration">Client Registration</h1><p>OIDC client applications can be registered with ClientRegistrationService. At the moment one can register confidential or public clients, set redirect URIs and restrict the clients with audience URIs.</p><h1 id="FedizOIDC-OIDCServices">OIDC Services</h1><p>Effectively <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> is a complete OAuth2 server which supports all standard OIDC Core flows. It has JAX-RS service endpoints for supporting <a shape="rect" class="external-li
 nk" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth" rel="nofollow">Hybrid</a> flows and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all OIDC response types</a>.&#160;</p><p>Services for supporting <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo requests</a> and returning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification keys</a> are also enabled.&#160;</p><p>OAuth2 AccessTokenService is also required 
 to complete <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code</a> or <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth" rel="nofollow">Hybrid</a> flows.</p><p>Note even though <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/tree/master/services/oidc" rel="nofollow">Fediz OIDC</a> is an OpenId Connect server, the availability of OAuth2 AccessTokenService allows for supporting of non-OIDC OAuth2 grants such as Client Credentials or other custom grants.</p><p>To provide all these service endpoints Fediz OIDC simply registers <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oidc.html#JAX-RSOIDC-OIDCIDPsupport">OIDC Services</a> implemented by CXF OIDC in this <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applica
 tionContext.xml" rel="nofollow">context</a>.</p><h1 id="FedizOIDC-IdToken">IdToken</h1><p><a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a> is populated in this <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">SubjectCreator</a> where an existing SAML assertion representing an authenticated user is converted to IdToken. The token is signed at the moment it is returned to the client, either in OAuth2 IdTokenResponseFilter (used by AccessTokenService) or in OidcImplicitService.</p><h1 id="FedizOIDC-DataPersistence">Data Persistence</h1><p>Fediz OIDC needs to persist client registrations, user subjects, grants, access token and refresh tokens. Currently it uses CXF&#160;<span class="pl-s">DefaultEHCacheCodeDataProvider<span class="pl-pds"> and as such it </span
 ></span>does not have its own code for managing the data persistence.</p><h1 id="FedizOIDC-Deployment">Deployment</h1><p>Drop fediz-oidc.war into a Tomcat container hosting the core Fediz IDP service.&#160;</p><p>&#160;</p><p>&#160;</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
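Review bot: the new Data Persistence paragraph carries GitHub syntax-highlighting markup (`<span class="pl-s">DefaultEHCacheCodeDataProvider<span class="pl-pds"> and as such it </span></span>`) that was evidently pasted from a source view; it should be plain text, i.e. `Currently it uses CXF DefaultEHCacheCodeDataProvider and as such it does not have its own code for managing the data persistence.` The new IdToken section states that the token is signed when it is returned, in IdTokenResponseFilter or OidcImplicitService, but does not say where the signing key is configured nor that the verification keys published by the service mentioned under OIDC Services are the counterpart of that key; one sentence tying the two together (or a link to the CXF JOSE page already referenced in the Introduction) would spare an integrator a hunt through the context file. The Client Registration section introduces ClientRegistrationService without a link, unlike every other service named on the page. The reordered TOC entries (Client Registration, OIDC Services, IdToken, Data Persistence, Deployment) do match the order of the new headings, so the navigation is consistent.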


