cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r991252 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html docs/jax-rs-oidc.html
Date Thu, 23 Jun 2016 11:47:35 GMT
Author: buildbot
Date: Thu Jun 23 11:47:35 2016
New Revision: 991252

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html
    websites/production/cxf/content/docs/jax-rs-oidc.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Jun 23 11:47:35 2016
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1466596018819 {padding: 0px;}
-div.rbtoc1466596018819 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1466596018819 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1466682418597 {padding: 0px;}
+div.rbtoc1466682418597 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1466682418597 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1466596018819">
+/*]]>*/</style></p><div class="toc-macro rbtoc1466682418597">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization View</a></li><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
@@ -138,7 +138,9 @@ div.rbtoc1466596018819 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT Assertions</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse Filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</a></li><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-DefaultProviders">Default Providers</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationCodeandImplicitServicesonthesamerelativepath">AuthorizationCode and Implicit Services on the same relative path</a></li></ul>
+</li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-Keepingthestateinthesession">Keeping the state in the session</a></li><li><a shape="rect" href="#JAX-RSOAuth2-MultipleFactorVerification">Multiple Factor Verification</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End User Subject initialization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</a>
@@ -394,21 +396,53 @@ ModelEncryptionSupport.decryptAccessToke
   &lt;/jaxrs:serviceBeans&gt;
 &lt;/jaxrs:server&gt;
 </pre>
-</div></div><p>The absolute address of AccessTokenValidateService would be something like "http://localhost:8080/services/oauth/validate".</p><p>AuthorizationCodeGrantService is easier to put where the application endpoints are. It can be put alongside AccessTokenService, but ideally an SSO based authentication solution will be also be deployed, for the end user to avoid signing in separately several times (see more in it below). Here is an example of AuthorizationCodeGrantService being collocated with the application endpoint:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The absolute address of AccessTokenValidateService would be something like "http://localhost:8080/services/oauth/validate".</p><p>AuthorizationCodeGrantService is easier to put where the application endpoints are. It can be put alongside AccessTokenService, but ideally an SSO based authentication solution will be also be deployed, for the end user to avoid signing in separately several times (see more in it below). Here is an example of AuthorizationCodeGrantService and ImplicitGrantService being collocated with the application endpoint:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"&gt;
   &lt;property name="dataProvider" ref="oauthProvider"/&gt;
 &lt;/bean&gt;
 
-&lt;bean id="myApp" class="org.myapp.MyApp"/&gt;
+&lt;bean id="implicitService" class="org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService"&gt;
+  &lt;property name="dataProvider" ref="oauthProvider"/&gt;
+&lt;/bean&gt;
+
+&lt;bean id="jaxrsService" class="org.myapp.MyService"/&gt;
 
 &lt;jaxrs:server id="appServer" address="/myapp"&gt;
    &lt;jaxrs:serviceBeans&gt;
-      &lt;ref bean="myApp"/&gt;
+      &lt;ref bean="jaxrsService"/&gt;
       &lt;ref bean="authorizationService"/&gt;
-  &lt;/jaxrs:serviceBeans&gt;
+      &lt;ref bean="implicitService"/&gt;
+   &lt;/jaxrs:serviceBeans&gt;
+&lt;/jaxrs:server&gt;
+</pre>
+</div></div><p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in this case its absolute address will be something like "http://localhost:8080/services/myapp/authorize". This address and that of AccessTokenService will be used by third-party clients.</p><p>ImplictGrantService listens on a relative "/authorize-implicit" path</p><h3 id="JAX-RSOAuth2-AuthorizationCodeandImplicitServicesonthesamerelativepath">AuthorizationCode and Implicit Services on the same relative path</h3><p>As has already been mentioned in the previous section,&#160; AuthorizationCodeGrantService and ImplictGrantService listen on two different relative paths: "/authorize" and "/authorize-implicit". Having both services available at different addresses may not always be preferred though. If preferred, one can use <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/A
 uthorizationService.java" rel="nofollow">AuthorizationService</a> 'container' service:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"&gt;
+  &lt;property name="dataProvider" ref="oauthProvider"/&gt;
+&lt;/bean&gt;
+
+&lt;bean id="implicitService" class="org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService"&gt;
+  &lt;property name="dataProvider" ref="oauthProvider"/&gt;
+&lt;/bean&gt;
+
+&lt;util:list id="servicesList"&gt;
+  &lt;ref bean="authorizationService"/&gt;
+  &lt;ref bean="implicitService"/&gt;
+&lt;/util:list&gt;
+
+&lt;bean id="oauth2Service" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationService"&gt;
+    &lt;property name="services" ref="servicesList"/&gt;
+&lt;/bean&gt;
+
+&lt;bean id="jaxrsService" class="org.myapp.MyService"/&gt;
+
+&lt;jaxrs:server id="appServer" address="/myapp"&gt;
+   &lt;jaxrs:serviceBeans&gt;
+      &lt;ref bean="jaxrsService"/&gt;
+      &lt;ref bean="oauth2Service"/&gt;
+   &lt;/jaxrs:serviceBeans&gt;
 &lt;/jaxrs:server&gt;
 </pre>
-</div></div><p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in this case its absolute address will be something like "http://localhost:8080/services/myapp/authorize". This address and that of AccessTokenService will be used by third-party clients.</p><h1 id="JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</h1><p>When a client requests a token from Access Token Service, it needs to get authenticated. Providing its client_id and client secret as part of Basic Authorization scheme or posting them directly as form parameters are typical options, however other authentication schemes can easily be supported if required.</p><p>For example, using client certificates or assertions like SAML2 Bearer or JWT is all acceptable - the only additional requirement in this case is that a given security filter processing a specific authentication scheme maps the client credentials to an actual client_id - CXF Access Token Service will check a 
 "client_id" property on the current message context as the last resort. Note that org.apache.cxf.rs.security.oauth2.provider.ClientIdProvider can be registered with AccessTokenService to facilitate the mapping between an authenticated client and its id expected by the data provider if the container or filter based authentication can not set a "client_id" contextual property.</p><p>If a Basic authentication scheme is used and neither the container or filter has authenticated the client AccessTokenService will request a Client from the data provider and compare the Client's secret against the password found in the Basic scheme data. org.apache.cxf.rs.security.oauth2.provider.ClientSecretVerifier is available starting from CXF 3.0.3 to support Clients saving only password hashes. Its org.apache.cxf.rs.security.oauth2.provider.ClientSecretHashVerifier (calculates a SHA-256 password hash and compares it with the Client's secret) or custom implementations can be registered with AccessToke
 nService.</p><p>If a 2-way TLS is sued to authenticate a client and Client has a Base64 encoded representations of its X509Certificates available in its "applicationCertificates" property then AccessTokenService will do the additional comparison of these certificates against the ones available in the current TLS session.</p><p>Please see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for more information on how it may work.</p><h1 id="JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</h1><p>Redirection-based Authorization Code and Implicit flows depend on end users signing in if needed during the initial redirection, challenged with the client authorization form and returning their decision. By default, CXF will enforce the user session authenticity by keeping the session state in a servlet container's HTTPSession. If the alternative storage is preferred then you can register a new <a shape="rect" class="external-link" href="htt
 ps://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java" rel="nofollow">SessionAuthenticityTokenProvider</a> with either AuthorizationCodeGrantService or ImplicitGrantService beans.</p><p>CXF ships <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java" rel="nofollow">JoseSessionTokenProvider </a>which uses <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> to create a compact JWS and/or JWE sequence capturing all the data which need to be available when the user returns an authorization form decision and this secure sequence becomes a session token.</p><h3 id="JAX-RSOAuth2-Keepingthestateinthesession">Keeping the state in the session</h3><p>Note that&#160;<a shape="rect" class="external-link"
  href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java" rel="nofollow">SessionAuthenticityTokenProvider</a> has been further updated in CXF 3.1.0 to support signing and/or encrypting some of the redirection properties that would otherwise have to be kept as HTML form hidden fields (see "Authorization Service" section).</p><p>CXF&#160; ships&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java" rel="nofollow">JoseSessionTokenProvider </a>which uses <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> that can be used as a SessionAuthenticityTokenProvider which JWS-signs and/or JWE-encrypts the properties and saves the result in the session. The HTML authorization forms will only
  have to have an "authenticityToken" property which the provider will use to match the session signed/encryped data and decrypt and/or validate the session data.</p><h3 id="JAX-RSOAuth2-MultipleFactorVerification">Multiple Factor Verification</h3><p>Note that&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java" rel="nofollow">SessionAuthenticityTokenProvider</a> has been updated in CXF 3.0.2 to accept request parameters and a reference to the authenticated user. This allows for introducing a multiple factor session verification: when the provider created a session property it can for example sent a message to a user's mobile phone expect the authorization consent form return the sent value.</p><p>The other minor enhancement is that RedirectionBasedGrantService will check the authorization content form for the name of
  the form property that contains a session authentication property, using a "session_authenticity_token_param_name" property name. This allows for the 'rotation' of hidden form properties containing the actual session authenticity values.</p><h1 id="JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End User Subject initialization</h1><p>By default, redirection based authorization services will the the current CXF SecurityContext to initialize a subject representing the authenticated resource owner/end user. If the customization if needed: custom CXF filter can be used to create UserSubject and set it on the message or org.apache.cxf.rs.security.oauth2.provider.SubjectCreator interface implementation can be registered with either AuthorizationCodeGrantService or ImplicitGrantService.</p><h1 id="JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</h1><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/
 master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java" rel="nofollow">OAuthRequestFilter</a> request handler can be used to protect the resource server when processing the requests from the third-party clients. Add it as a jaxrs:provider to the endpoint which deals with the clients requesting the resources.</p><p>When checking a request like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>See this <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml" rel="nofollow">application context</a> for another example.</p><h1 id="JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</h1><p>When a client requests a token from Access Token Service, it needs to get authenticated. Providing its client_id and client secret as part of Basic Authorization scheme or posting them directly as form parameters are typical options, however other authentication schemes can easily be supported if required.</p><p>For example, using client certificates or assertions like SAML2 Bearer or JWT is all acceptable - the only additional requirement in this case is that a given security filter processing a specific authentication scheme maps the client credentials to an actual client_id - CXF Access Token Service will check a "client_id" property on the current me
 ssage context as the last resort. Note that org.apache.cxf.rs.security.oauth2.provider.ClientIdProvider can be registered with AccessTokenService to facilitate the mapping between an authenticated client and its id expected by the data provider if the container or filter based authentication can not set a "client_id" contextual property.</p><p>If a Basic authentication scheme is used and neither the container or filter has authenticated the client AccessTokenService will request a Client from the data provider and compare the Client's secret against the password found in the Basic scheme data. org.apache.cxf.rs.security.oauth2.provider.ClientSecretVerifier is available starting from CXF 3.0.3 to support Clients saving only password hashes. Its org.apache.cxf.rs.security.oauth2.provider.ClientSecretHashVerifier (calculates a SHA-256 password hash and compares it with the Client's secret) or custom implementations can be registered with AccessTokenService.</p><p>If a 2-way TLS is sued
  to authenticate a client and Client has a Base64 encoded representations of its X509Certificates available in its "applicationCertificates" property then AccessTokenService will do the additional comparison of these certificates against the ones available in the current TLS session.</p><p>Please see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for more information on how it may work.</p><h1 id="JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</h1><p>Redirection-based Authorization Code and Implicit flows depend on end users signing in if needed during the initial redirection, challenged with the client authorization form and returning their decision. By default, CXF will enforce the user session authenticity by keeping the session state in a servlet container's HTTPSession. If the alternative storage is preferred then you can register a new <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master
 /rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java" rel="nofollow">SessionAuthenticityTokenProvider</a> with either AuthorizationCodeGrantService or ImplicitGrantService beans.</p><p>CXF ships <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java" rel="nofollow">JoseSessionTokenProvider </a>which uses <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> to create a compact JWS and/or JWE sequence capturing all the data which need to be available when the user returns an authorization form decision and this secure sequence becomes a session token.</p><h3 id="JAX-RSOAuth2-Keepingthestateinthesession">Keeping the state in the session</h3><p>Note that&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/b
 lob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java" rel="nofollow">SessionAuthenticityTokenProvider</a> has been further updated in CXF 3.1.0 to support signing and/or encrypting some of the redirection properties that would otherwise have to be kept as HTML form hidden fields (see "Authorization Service" section).</p><p>CXF&#160; ships&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java" rel="nofollow">JoseSessionTokenProvider </a>which uses <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> that can be used as a SessionAuthenticityTokenProvider which JWS-signs and/or JWE-encrypts the properties and saves the result in the session. The HTML authorization forms will only have to have an "authenticityToken" p
 roperty which the provider will use to match the session signed/encryped data and decrypt and/or validate the session data.</p><h3 id="JAX-RSOAuth2-MultipleFactorVerification">Multiple Factor Verification</h3><p>Note that&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java" rel="nofollow">SessionAuthenticityTokenProvider</a> has been updated in CXF 3.0.2 to accept request parameters and a reference to the authenticated user. This allows for introducing a multiple factor session verification: when the provider created a session property it can for example sent a message to a user's mobile phone expect the authorization consent form return the sent value.</p><p>The other minor enhancement is that RedirectionBasedGrantService will check the authorization content form for the name of the form property that contains a ses
 sion authentication property, using a "session_authenticity_token_param_name" property name. This allows for the 'rotation' of hidden form properties containing the actual session authenticity values.</p><h1 id="JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End User Subject initialization</h1><p>By default, redirection based authorization services will the the current CXF SecurityContext to initialize a subject representing the authenticated resource owner/end user. If the customization if needed: custom CXF filter can be used to create UserSubject and set it on the message or org.apache.cxf.rs.security.oauth2.provider.SubjectCreator interface implementation can be registered with either AuthorizationCodeGrantService or ImplicitGrantService.</p><h1 id="JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</h1><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oau
 th2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java" rel="nofollow">OAuthRequestFilter</a> request handler can be used to protect the resource server when processing the requests from the third-party clients. Add it as a jaxrs:provider to the endpoint which deals with the clients requesting the resources.</p><p>When checking a request like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">Address: http://localhost:8080/services/thirdPartyAccess/calendar
 Http-Method: GET
 Headers: 
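Review bot: the new text at the end of the first example misspells the class name and drops the full stop: "ImplictGrantService listens on a relative "/authorize-implicit" path" should read "ImplicitGrantService listens on a relative "/authorize-implicit" path." and the same misspelling ("ImplictGrantService") is repeated in the first sentence of the new "AuthorizationCode and Implicit Services on the same relative path" section. In that section the configuration uses `<util:list id="servicesList">` but the snippet declares no `util` namespace, so it does not load as shown; either add the Spring `xmlns:util="http://www.springframework.org/schema/util"` declaration and its schemaLocation to the example, or inline the list as `<property name="services"><list><ref bean="authorizationService"/><ref bean="implicitService"/></list></property>`. The section heading promises a shared relative path, but the text never says which path the AuthorizationService container listens on or how it selects between the code and implicit delegates for an incoming request (the two flows differ in the `response_type` parameter the client sends, so that rule, and the resulting absolute address third-party clients must be registered with, should be stated next to the example). Finally, since this hunk moves the "Third Party Client Authentication", "User Session Authenticity" and "Customizing End User Subject initialization" paragraphs wholesale, it is the place to fix the typos carried along with them: "If a 2-way TLS is sued" (used), "signed/encryped data" (encrypted), "will the the current CXF SecurityContext" (will use the current), and "If the customization if needed" (is needed).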

Modified: websites/production/cxf/content/docs/jax-rs-oidc.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oidc.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oidc.html Thu Jun 23 11:47:35 2016
@@ -117,11 +117,11 @@ Apache CXF -- JAX-RS OIDC
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1466678819847 {padding: 0px;}
-div.rbtoc1466678819847 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1466678819847 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1466682419862 {padding: 0px;}
+div.rbtoc1466682419862 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1466682419862 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1466678819847">
+/*]]>*/</style></p><div class="toc-macro rbtoc1466682419862">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOIDC-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</a></li><li><a shape="rect" href="#JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</a></li><li><a shape="rect" href="#JAX-RSOIDC-ImplicitFlow">Implicit Flow</a></li><li><a shape="rect" href="#JAX-RSOIDC-HybridFlow">Hybrid Flow</a></li></ul>
@@ -135,7 +135,7 @@ div.rbtoc1466678819847 li {margin-left:
     &lt;artifactId&gt;cxf-rt-rs-security-sso-oidc&lt;/artifactId&gt;
     &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;</pre>
-</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a> which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a> and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a> by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
 <p>One way to populate it is to register a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java" rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService. For example, <a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared by Fediz Authenticators and creates IdToken by converting an already available SAML token to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSub
 ject.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal may already have a prepared IdToken.&#160;</p><p>The other approach is to create IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this case IdToken will need to be populated first and then converted to either JWS or JWE sequence and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant property at the moment the grant is persisted, if it is the implicit flow - set it as a token property at the moment the token is persisted. This approach is a bit more involved but creating a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way IdToken is created is container/implementation specific. Creati
 ng IdToken is the main requirement for integrating CXF OIDC code with the 3rd party container.</p><p>Finally, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140" rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> to create IdToken at the m
 oment it needs to be returned to the client application.&#160;</p><p>IdToken can provide enough information for the client application to work with the current user. However, the client can get more information about the user from OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides&#160;<span class="pl-smi">&#160;</span><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a> One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or
  let CXF OIDCUserInfo service create it as described below.</p><h1 id="JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC IDP code provides JAX-RS services for supporting OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth" rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all OIDC response types</a>.</p><p>Services for supporting <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo requests</a> and r
 eturning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification keys</a> are also shipped.&#160;</p><h2 id="JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3 id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a> extension which enforces OIDC specific constraints. It can be registered <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L44" rel="nofollow">like this</a>.</p><p>This ser
 vice issues a code grant, while&#160;<a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> returns Access and Id tokens.&#160;</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>) is where IdToken is actually added to the client response. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L181" rel="nofollow">this line</a>.</p><h3 id="JAX-RSOIDC-ImplicitFlow">Implicit Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc
 /src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension which enforces OIDC specific constraints and adds IdToken to the client response. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L54" rel="nofollow">this line</a> (Note in this case Implicit Flow is supported due to OidcHybridService extending OidcImplicitService but OidcImplicitService can be registered directly).</p><h3 id="JAX-RSOIDC-HybridFlow">Hybrid Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/ma
 ster/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a>. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L54" rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/r
 s/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> is accessed by a client which uses the access token issued to it during the user authentication process. Therefore <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java#L48" rel="nofollow">this line</a> enforce
 s it - it will fail if the access token has not been successfully <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">validated</a>. For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L112" rel="nofollow">this line</a>.</p><h2 id="JAX-RSOIDC-JWKKeysService">JWK Keys Service</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java" rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public verification JWK key. By default only a public key is returned but the service can also be configured for JWK key to include the corresponding&#160; X509 certificate chain too.&#160; Use this service if IdToken is signed by a private RSA or EC key for the client be able 
 to fetch the verification keys without having to import them into local key stores.</p><p>For example, see <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89" rel="nofollow">this line</a>.</p><h1 id="JAX-RSOIDC-FedizOIDCIDP">Fediz OIDC IDP</h1><p><a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> project provides a reference integration between CXF OIDC IDP code and Fediz Authentication System. It has <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html" rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><p>It creates IdToken in a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">SubjectCreator</a> as described above. Cur
 rently it depends on CXF Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47" rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed. Besides that it provides a support for managing the client registrations. It registers OIDC services as JAX-RS endpoints.</p><p>While some implementation details may change going forward (example, the alternative data provider may get introduced, etc), for the most part it shows that creating IdToken is what is really needed to get the container integrated with the CXF OIDC code.</p><h1 id="JAX-RSOIDC-OIDCRPsupport">OIDC RP support</h1><p>OIDC RP client support is needed for the client application to redirect a user to OIDC IDP, get and validate IdToken, optionally get UserInfo, and make both IdToken and UserInfo easily accessible to the client application code.</p><h2 id="JAX-RSOIDC-Demos">Demos</h2><p><a shape="rect" c
 lass="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query" rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java" rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code to support interacting with the user, redirecting the user to Google to authenticate, and validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.</p><p>For example, the context is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQuerySer
 vice.java#L51" rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68" rel="nofollow">the access token</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75" rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70" rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc" rel="nofollow">BasicOidc</a> <a shape="
 rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java" rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS server. This server works with an HTTP Browser client which uses Google script libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser client interacts with CXF OIDC RP code to get IdToken validated and then posts this token to the demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code</p><p>&#160;</p><p>&#160;</p></div>
+</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken" rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a> which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a> and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a> by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
 <p>One way to populate it is to register a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java" rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService. For example, <a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared by Fediz Authenticators and creates IdToken by converting an already available SAML token to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSub
 ject.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal may already have a prepared IdToken.&#160;</p><p>The other approach is to create IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this case IdToken will need to be populated first and then converted to either JWS or JWE sequence and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant property at the moment the grant is persisted, if it is the implicit flow - set it as a token property at the moment the token is persisted. This approach is a bit more involved but creating a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way IdToken is created is container/implementation specific. Creati
 ng IdToken is the main requirement for integrating CXF OIDC code with the 3rd party container.</p><p>Finally, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140" rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">IdTokenProvider</a> to create IdToken at the m
 oment it needs to be returned to the client application.&#160;</p><p>IdToken can provide enough information for the client application to work with the current user. However, the client can get more information about the user from OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo endpoint</a>.</p><p>CXF provides&#160;<span class="pl-smi">&#160;</span><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java" rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a> One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or
  let CXF OIDCUserInfo service create it as described below.</p><h1 id="JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</h1><p>Currently CXF OIDC IDP code provides JAX-RS services for supporting OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth" rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth" rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth" rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all OIDC response types</a>.</p><p>Services for supporting <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo requests</a> and r
 eturning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing" rel="nofollow">signature verification keys</a> are also shipped.&#160;</p><h2 id="JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3 id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization Code Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a> extension which enforces OIDC specific constraints.&#160;</p><p>This service issues a code grant, while&#160;<a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a> returns Access and Id tokens.&#160;</p><p>
 <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>) is where IdToken is actually added to the client response.</p><h3 id="JAX-RSOIDC-ImplicitFlow">Implicit Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension which enforces OIDC specific constraints and adds IdToken to the client response.&#160;</p><h3 id="JAX-RSOIDC-HybridFlow">Hybrid Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc
 /src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService</a> supports Hybrid Flow by delegating to both <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java" rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java" rel="nofollow">OidcAuthorizationCodeService</a>.&#160;</p><h2 id="JAX-RSOIDC-UserInfoEndpoint">UserInfo Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect" class="external-link" href="https://g
 ithub.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java" rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java" rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java" rel="nofollow">UserInfoService</a> is accessed by a client which uses the access token issued to it during the user authentication process.</p><h2 id="JAX-RSOIDC-JWKKeysService">JWK Keys Service</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apach
 e/cxf/rs/security/oidc/idp/OidcKeysService.java" rel="nofollow">OidcKeysService</a> returns a JWK key set containing a public verification JWK key. By default only a public key is returned but the service can also be configured for JWK key to include the corresponding&#160; X509 certificate chain too.&#160; Use this service if IdToken is signed by a private RSA or EC key for the client be able to fetch the verification keys without having to import them into local key stores.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89" rel="nofollow"><br clear="none"></a></p><h1 id="JAX-RSOIDC-FedizOIDCIDP">Fediz OIDC IDP</h1><p><a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a> project provides a reference integration between CXF OIDC IDP code and Fediz Authentication System. It has <a shape="rect" class="external-link" href="http://openid.net/specs/openi
 d-connect-core-1_0.html" rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><p>It creates IdToken in a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java" rel="nofollow">SubjectCreator</a> as described above. Currently it depends on CXF Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47" rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed. Besides that it provides a support for managing the client registrations. <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml" rel="nofollow">It registers</a> OIDC services as JAX-RS endpoints.</p><p>While some implementation details may chan
 ge going forward (example, the alternative data provider may get introduced, etc), for the most part it shows that creating IdToken is what is really needed to get the container integrated with the CXF OIDC code.</p><h1 id="JAX-RSOIDC-OIDCRPsupport">OIDC RP support</h1><p>OIDC RP client support is needed for the client application to redirect a user to OIDC IDP, get and validate IdToken, optionally get UserInfo, and make both IdToken and UserInfo easily accessible to the client application code.</p><h2 id="JAX-RSOIDC-Demos">Demos</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query" rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java" rel="nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code to supp
 ort interacting with the user, redirecting the user to Google to authenticate, and validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.</p><p>For example, the context is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L51" rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68" rel="nofollow">the access token</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_quer
 y/src/main/java/demo/jaxrs/server/BigQueryService.java#L75" rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70" rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc" rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java" rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS server. This server works with an HTTP Browser client which uses Google script libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This brows
 er client interacts with CXF OIDC RP code to get IdToken validated and then posts this token to the demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code</p><p>&#160;</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
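Review bot: the added version of the "JWK Keys Service" section leaves an empty link behind. After the sentence "For example, see this line." was dropped, the paragraph '<p><a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89" rel="nofollow"><br clear="none"></a></p>' remains and renders as a blank clickable line; either remove that whole paragraph or restore the example sentence. In the same added line, the "UserInfo Endpoint" paragraph now ends at "is accessed by a client which uses the access token issued to it during the user authentication process." and drops the old sentence stating that the request fails if the access token has not been successfully validated; that sentence documents the access-control guarantee of the endpoint, so keep a version of it even without the Fediz configuration link. The link text "UserInfoProvider" still points at IdTokenProvider.java (carried over from the removed version) and is worth correcting while this line is being edited. Two wording slips also survive the rewrite: "creating a JWS or JWS IdToken representations" should read "JWS or JWE IdToken representations", and "for the client be able to fetch the verification keys" is missing "to". The two trailing '<p>&#160;</p>' paragraphs before the closing '</div>' are empty and can be deleted.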