From serg...@apache.org
Subject cxf-fediz git commit: Adding few comments to Fediz OIDC contexts
Date Thu, 23 Jun 2016 11:59:19 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master a5d0d5069 -> 7b6d0babb


Adding a few comments to Fediz OIDC contexts


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/7b6d0bab
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/7b6d0bab
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/7b6d0bab

Branch: refs/heads/master
Commit: 7b6d0babb0760d139fecf734e9c5d50bf015d466
Parents: a5d0d50
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Jun 23 12:59:02 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Jun 23 12:59:02 2016 +0100

----------------------------------------------------------------------
 .../main/webapp/WEB-INF/applicationContext.xml  | 25 ++++++++++-------
 .../src/main/webapp/WEB-INF/data-manager.xml    | 28 +++++++++++++++++---
 2 files changed, 40 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7b6d0bab/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
index ba27220..675822c 100644
--- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
@@ -40,7 +40,7 @@
 		
     <import resource="data-manager.xml" />
     
-    <!-- Supports OIDC code flow -->
+    <!-- Supports OIDC Authorization Code flow -->
     <bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService">
          <property name="dataProvider" ref="oauthProvider"/>
          <property name="subjectCreator" ref="subjectCreator"/>
@@ -50,7 +50,7 @@
          -->
          <property name="canSupportPublicClients" value="true"/>
     </bean>
-    <!-- Supports OIDC implicit and hybrid flows -->
+    <!-- Supports OIDC Implicit and Hybrid flows -->
     <bean id="oidcHybridService" class="org.apache.cxf.rs.security.oidc.idp.OidcHybridService">
          <property name="dataProvider" ref="oauthProvider"/>
          <property name="subjectCreator" ref="subjectCreator"/>
@@ -64,10 +64,13 @@
         <ref bean="oidcHybridService"/>
     </util:list>
     
+    <!-- Service which makes Code, Implicit and Hybrid flow available 
+         at the same relative "/authorize" address -->
     <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationService">
          <property name="services" ref="oidcServices"/>
     </bean>
     
+    <!-- Service supporting all OIDC Core flows -->
     <jaxrs:server address="/idp">
         <jaxrs:serviceBeans>
            <ref bean="authorizationService"/>
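Review bot: The comment added above `authorizationService` says "Code, Implicit and Hybrid flow", singular, while it lists three flows; `Service which makes the Code, Implicit and Hybrid flows available` reads correctly. The second new comment, `Service supporting all OIDC Core flows`, is attached to the `jaxrs:server` for `/idp`, whose serviceBeans list continues past the hunk, so it describes the whole endpoint rather than a single bean; if that is the intent, `JAX-RS endpoint exposing the OIDC Core flows under /idp` would say so more precisely. The jaxrs:server element ends outside the hunk.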
@@ -83,7 +86,7 @@
     </jaxrs:server>
     
     <!-- 
-         Disable it if the client secret is used or if 
+         Public JWK Key Service: Disable it if the client secret is used or if 
          pre-installing public OIDC keys to clients is preferred
     --> 
     <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
@@ -104,7 +107,9 @@
     <bean id="oauth2TokenValidationFilter" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
          <property name="dataProvider" ref="oauthProvider"/>
          <property name="audienceIsEndpointAddress" value="false"/>
-     </bean>
+    </bean>
+     
+    <!-- User Info Service --> 
     <bean id="userInfoService" class="org.apache.cxf.rs.security.oidc.idp.UserInfoService">
         <property name="oauthDataProvider" ref="oauthProvider"/>
         <property name="jwsRequired" value="false"/>
@@ -121,7 +126,7 @@
     
     <bean id="keyPasswordProvider" class="org.apache.cxf.fediz.service.oidc.PrivateKeyPasswordProviderImpl"/>
     
-    
+    <!-- Client Registration Service -->
     <bean id="clientRegService" init-method="init" 
        class="org.apache.cxf.fediz.service.oidc.clients.ClientRegistrationService">
        <property name="dataProvider" ref="oauthProvider"/>
@@ -136,12 +141,11 @@
           </map>
        </property>
     </bean>
+    
+    <!-- Console linking to the client registration service -->
     <bean id="consoleService" class="org.apache.cxf.fediz.service.oidc.console.UserConsoleService">
         <property name="clientRegService" ref="clientRegService"/>
     </bean>
-    
-    
-    
     <jaxrs:server address="/console">
         <jaxrs:serviceBeans>
             <ref bean="consoleService"/>
@@ -166,9 +170,9 @@
               <entry key="org.apache.cxf.fediz.service.oidc.clients.InvalidRegistration"
value="/WEB-INF/views/invalidRegistration.jsp"/>
             </map>
        </property>
-       
     </bean>
     
+    <!-- AccessTokenService response filter which adds IdTokens to client responses -->
     <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter">
       <!--
         <property name="signWithClientSecret" value="true"/>
@@ -177,13 +181,14 @@
     <bean id="refreshTokenHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
         <property name="dataProvider" ref="oauthProvider"/>
     </bean>
-    
+    <!-- Access Token service -->
     <bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
         <property name="dataProvider" ref="oauthProvider"/>
         <property name="responseFilter" ref="idTokenFilter"/>
         <property name="grantHandler" ref="refreshTokenHandler"/>
         <property name="canSupportPublicClients" value="true"/>
     </bean>
+    <!-- Access Token Introspection service -->
     <bean id="accessTokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
         <property name="dataProvider" ref="oauthProvider"/>
         <property name="blockUnauthorizedRequests" value="false"/> 
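Review bot: The `Access Token Introspection service` comment is placed directly after the closing tag of `accessTokenService` with no separating blank line, whereas every other bean-level comment added in this commit is preceded by one; inserting a blank line before the comment keeps the file's layout consistent. The `accessTokenIntrospectionService` bean continues outside the hunk.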

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/7b6d0bab/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
index 9f663e1..6422263 100644
--- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
@@ -29,13 +29,24 @@
     
     <bean id="applicationContextProvider" class="org.apache.cxf.fediz.service.oidc.handler.hrd.ApplicationContextProvider"/>
 
+    <!-- List of accepted scopes -->
     <util:map id="supportedScopes">
         <entry key="openid" value="Access the authentication claims" />
         <entry key="refreshToken" value="Refresh access tokens" />
     </util:map>
+    
+    <!-- 
+        List of required scopes that must be available in request URIs when
+        client redirects users to OIDC
+    -->
     <util:list id="coreScopes">
         <value>openid</value>
     </util:list>
+    
+    <!-- 
+        Typically the scopes authorized by the user will be reported back to the client,
+        reporting an approved refreshToken scope is currently disabled  
+    -->
     <util:list id="invisibleToClientScopes">
         <value>refreshToken</value>
     </util:list>
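Review bot: The new comment above `invisibleToClientScopes` is a comma splice and leaves it unclear what exactly is disabled; a clearer form is `Scopes approved by the user are normally reported back to the client; reporting the approved refreshToken scope is currently disabled.` The comment above `coreScopes` could likewise name who must supply the scopes: `List of required scopes that must be present in the authorization request when the client redirects the user to OIDC`. Both are wording changes only; the configured values are unchanged.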
@@ -47,18 +58,29 @@
     <bean id="oauthProvider" 
           class="org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider"
           init-method="init" destroy-method="close">
+        <!-- List of accepted scopes -->  
         <property name="supportedScopes" ref="supportedScopes"/>
+        <!-- List of required scopes -->
         <property name="requiredScopes" ref="coreScopes"/>
+        <!-- 
+             List of scopes that the consent/authorization form should make 
+             selected by default. For example, asking a user to do an extra click
+             to approve an "oidc" scope is a redundant operation because this scope
+             is required anyway.
+        -->
         <property name="defaultScopes" ref="coreScopes"/>
+        
         <property name="invisibleToClientScopes" ref="invisibleToClientScopes"/>
         <!--
-        <property name="supportPreauthorizedTokens" value="true"/>
+        <property name="accessTokenLifetime" value="3600"/>
         -->
         <!--
-        <property name="accessTokenLifetime" value="3600"/>
+        <property name="supportPreauthorizedTokens" value="true"/>
         -->
+        
     </bean>
-    
+
+    <!-- Custom SubjectCreator where IdToken is created -->    
     <bean id="subjectCreator" class="org.apache.cxf.fediz.service.oidc.FedizSubjectCreator">
         <property name="idTokenIssuer" value="accounts.fediz.com"/>
     </bean>
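Review bot: The comment added above `defaultScopes` uses an "oidc" scope as its example, but the required scope listed in `coreScopes` earlier in this file is `openid`, so the example names a scope that does not exist in this configuration and will confuse anyone checking it against the list; change the line to `to approve an "openid" scope is a redundant operation because this scope`. The hunk also swaps the order of the two commented-out properties `accessTokenLifetime` and `supportPreauthorizedTokens` without changing either, which adds diff noise for no stated reason; if the reorder is intentional, a word in the commit message would help. The `oauthProvider` bean starts and ends inside this hunk.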

