cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r995960 [1/2] - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html docs/jax-rs-oidc.html
Date Fri, 26 Aug 2016 12:47:41 GMT
Author: buildbot
Date: Fri Aug 26 12:47:41 2016
New Revision: 995960

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html
    websites/production/cxf/content/docs/jax-rs-oidc.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Fri Aug 26 12:47:41 2016
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1470660420927 {padding: 0px;}
-div.rbtoc1470660420927 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1470660420927 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1472215618386 {padding: 0px;}
+div.rbtoc1472215618386 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1472215618386 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1470660420927">
+/*]]>*/</style></p><div class="toc-macro rbtoc1472215618386">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization View</a></li><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
@@ -134,7 +134,7 @@ div.rbtoc1470660420927 li {margin-left:
 </li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">Access Token Validation Service</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidatorService">AccessTokenValidatorService</a></li><li><a shape="rect" href="#JAX-RSOAuth2-TokenIntrospectionService">TokenIntrospectionService</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a>
+</li><li><a shape="rect" href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DynamicRegistrationService">DynamicRegistrationService</a></li><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationMetadataService">AuthorizationMetadataService</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT Assertions</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse Filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</a></li><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-DefaultProviders">Default Providers</a></li></ul>
@@ -152,7 +152,7 @@ div.rbtoc1470660420927 li {margin-left:
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul>
 </li></ul>
-</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>New:</p><ul style="list-style-type: square;"><li>OAuth2 module now depends on CXF cxf-rt-rs-security-jose module with the utility code in place to support a number of OAuth2 features depending on JOSE <br clear="none"><br clear="none"></li></ul><p>CXF provides the implementation of <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc6749" rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth 1.0.</p><p>Authorization Code, Implicit, Client Credentials, Resource Owner Password Credentials, Refresh Token, SAML2 Assertions and JWT assertion grants are currently supported.</p><p>Custom grant handlers can be registered.</p><p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping end users (resource owners) authorize third-party providers to access their resources.</p><p>The OAuth2 flow which is clos
 ely related to the original OAuth 1.0 3-leg flow is called Authorization Code and involves 3 parties: the end user, the third party service (client) and the resource server which is protected by OAuth2 filters. Typically a client offers a service feature that an end user requests and which requires the former to access one or more protected resources on behalf of this user which are located at the resource server. For example, the client may need to access the end user's photos in order to print them and post to the user or read and possibly update a user's calendar in order to make a booking.</p><p>In order to make it happen, the third-party service application/client needs to register itself with the OAuth2 server. This happens out-of-band and after the registration the client gets back a client key and secret pair. Typically the client is expected to provide the name and description of the application, the application logo URI, one or more redirect URIs, and other information tha
 t may help the OAuth2 authorization server to identify this client to the end user at the authorization time.</p><p>From then on, the authorization code flow works like this:<br clear="none"> 1. End User requests the third-party service using a browser.</p><p>2. The client redirects the end user to OAuth2 Authorization Service, adding its client id, the state, redirect URI and the optional scope to the target URI. The state parameter represents the current end user's request, redirect URI - where the authorization code is expected to be returned to, and the scope is the list of opaque permissions that the client needs in order to access the protected resources.</p><p>3. Authorization Service will retrieve the information about the client using its client id, build an HTML form and return it to the end user. The form will ask the user if a given third-party application can be allowed to access some resources on behalf of this user.</p><p>4. If the user approves it then Authorization 
 Service will generate an authorization code and redirect the user back to the redirect uri provided by the client, also adding a state parameter to the redirect URI.</p><p>5. The client requests an access token from OAuth2 Access Token Service by providing an authorization code grant.</p><p>6. After getting an access token token, the service finally proceeds with accessing the current user's resources and completes the user's request.</p><p>As you can see the flow can be complex yet it is very effective. A number of issues may need to be taken care along the way such as managing expired tokens, making sure that the OAuth2 security layer is functioning properly and is not interfering with the end user itself trying to access its own resources, etc.</p><p>Please check the <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc6749" rel="nofollow">specification</a> as well as other resources available on the WEB for more information you may need to know about OAuth2
 .</p><p>CXF JAX-RS gives the best effort to making this process as simple as possible and requiring only a minimum effort on behalf of OAuth2 server developers. It also offers the utility code for greatly simplifying the way the third-party application can interact with the OAuth2 service endpoints.</p><h1 id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>New:</p><ul style="list-style-type: square;"><li>Ehcache and JCache OAuthDataProviders can represent access tokens in JWT <br clear="none"><br clear="none"></li></ul><p>CXF provides the implementation of <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc6749" rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth 1.0.</p><p>Authorization Code, Implicit, Client Credentials, Resource Owner Password Credentials, Refresh Token, SAML2 Assertions and JWT assertion grants are currently supported.</p><p>Custom grant handlers can be registered.</p><p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping end users (resource owners) authorize third-party providers to access their resources.</p><p>The OAuth2 flow which is closely related to the original OAuth 1.0 3-leg flow is called Authorization Code a
 nd involves 3 parties: the end user, the third party service (client) and the resource server which is protected by OAuth2 filters. Typically a client offers a service feature that an end user requests and which requires the former to access one or more protected resources on behalf of this user which are located at the resource server. For example, the client may need to access the end user's photos in order to print them and post to the user or read and possibly update a user's calendar in order to make a booking.</p><p>In order to make it happen, the third-party service application/client needs to register itself with the OAuth2 server. This happens out-of-band and after the registration the client gets back a client key and secret pair. Typically the client is expected to provide the name and description of the application, the application logo URI, one or more redirect URIs, and other information that may help the OAuth2 authorization server to identify this client to the end u
 ser at the authorization time.</p><p>From then on, the authorization code flow works like this:<br clear="none"> 1. End User requests the third-party service using a browser.</p><p>2. The client redirects the end user to OAuth2 Authorization Service, adding its client id, the state, redirect URI and the optional scope to the target URI. The state parameter represents the current end user's request, redirect URI - where the authorization code is expected to be returned to, and the scope is the list of opaque permissions that the client needs in order to access the protected resources.</p><p>3. Authorization Service will retrieve the information about the client using its client id, build an HTML form and return it to the end user. The form will ask the user if a given third-party application can be allowed to access some resources on behalf of this user.</p><p>4. If the user approves it then Authorization Service will generate an authorization code and redirect the user back to the r
 edirect uri provided by the client, also adding a state parameter to the redirect URI.</p><p>5. The client requests an access token from OAuth2 Access Token Service by providing an authorization code grant.</p><p>6. After getting an access token token, the service finally proceeds with accessing the current user's resources and completes the user's request.</p><p>As you can see the flow can be complex yet it is very effective. A number of issues may need to be taken care along the way such as managing expired tokens, making sure that the OAuth2 security layer is functioning properly and is not interfering with the end user itself trying to access its own resources, etc.</p><p>Please check the <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc6749" rel="nofollow">specification</a> as well as other resources available on the WEB for more information you may need to know about OAuth2.</p><p>CXF JAX-RS gives the best effort to making this process as simple as po
 ssible and requiring only a minimum effort on behalf of OAuth2 server developers. It also offers the utility code for greatly simplifying the way the third-party application can interact with the OAuth2 service endpoints.</p><h1 id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;dependency&gt;
   &lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
   &lt;artifactId&gt;cxf-rt-rs-security-oauth2&lt;/artifactId&gt;
@@ -348,7 +348,7 @@ Authorization: MAC id="5b5c8e677413277c4
                    mac="W7bdMZbv9UWOTadASIQHagZyirA="
                    ts="12345678" 
 </pre>
-</div></div><p>where 'ts' attribute is used to pass a timestamp value.</p><h4 id="JAX-RSOAuth2-EncryptedTokens">Encrypted Tokens</h4><p>Typically, the tokens are persisted in the storage. The alternative approach is to completely encrypt the token state and return the encrypted representation back to a client: the processing time to do with the encryption and decryption might increase but the server wins on avoiding the DB / storage lookups.&#160;&#160; &#160;</p><p>CXF 3.0.0-milestone2 introduces the utility support for encrypting the state of BearerAccessToken and RefreshToken.</p><p>The tokens can be encrypted and decrypted with symmetric (secret) keys or certificates (public and private keys) and the combination of certificates and secret keys.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java" rel="nofollow">ModelE
 ncryptionSupport</a> can be used to encrypt the tokens using the custom serialization format.</p><p>Note that ServerAuthorizationGrant and Client can also be encrypted.</p><p>&#160;</p><p>The simplest strategy is to encrypt and decrypt the tokens with the symmetric/secret keys. Every new token can be encrypted with a unique secret key or all of them can be encrypted with a single secret key. The utilities provide few methods for creating secret keys with the default and advanced properties, in addition there are many examples around on how to create the keys with the specific properties.</p><p>For example, see org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider and&#160;org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider which are shipped starting from CXF 3.0.2.</p><p>Here is a typical code demonstrating how the encryption/decryption works:</p><p>&#160;</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeCo
 ntent panelContent pdl">
+</div></div><p>where 'ts' attribute is used to pass a timestamp value.</p><h4 id="JAX-RSOAuth2-EncryptedTokens">Encrypted Tokens</h4><p><strong>Note</strong>: consider using <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE Encryption</a> with JWT access tokens (see next section).</p><p>Typically, the tokens are persisted in the storage. The alternative approach is to completely encrypt the token state and return the encrypted representation back to a client: the processing time to do with the encryption and decryption might increase but the server wins on avoiding the DB / storage lookups.&#160;&#160; &#160;</p><p>CXF 3.0.0-milestone2 introduces the utility support for encrypting the state of BearerAccessToken and RefreshToken.</p><p>The tokens can be encrypted and decrypted with symmetric (secret) keys or certificates (public and private keys) and the combination of certificates and secret keys.</p><p><a shape="rect" class="external-li
 nk" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java" rel="nofollow">ModelEncryptionSupport</a> can be used to encrypt the tokens using the custom serialization format.</p><p>Note that ServerAuthorizationGrant and Client can also be encrypted.</p><p>&#160;</p><p>The simplest strategy is to encrypt and decrypt the tokens with the symmetric/secret keys. Every new token can be encrypted with a unique secret key or all of them can be encrypted with a single secret key. The utilities provide few methods for creating secret keys with the default and advanced properties, in addition there are many examples around on how to create the keys with the specific properties.</p><p>For example, see org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider and&#160;org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider which are ship
 ped starting from CXF 3.0.2.</p><p>Here is a typical code demonstrating how the encryption/decryption works:</p><p>&#160;</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">SecretKey key = CryptoUtils.getSecretKey();
 
 // create a new token, encrypt its state and return
@@ -364,7 +364,45 @@ return token;
 // decrypt a token given a token key
 
 ModelEncryptionSupport.decryptAccessToken(this, encryptedToken, key);</pre>
-</div></div><pre>&#160;</pre><h4 id="JAX-RSOAuth2-JWTTokens">JWT Tokens</h4><p>JWT Token can be JWE-encrypted and the encrypted string passed to ServerAccessToken as access token id parameter.</p><p>See <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">JAX-RS JOSE</a> wiki page for more information on how to sign and encrypt JSON Web Tokens.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java" rel="nofollow">JwtAccessTokenUtils </a>provides utility method for encrypting and decrypting an access token represented as JWT.</p><p>Note more support for JWT access tokens is on the way.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If needed, users can use their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.co
 mmon.ServerAccessToken.</p><h4 id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00" rel="nofollow">audience</a> parameter is supported during the client token requests.</p><h3 id="JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</h3><p>org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider is a JAX-RS MessageBodyWriter which supports returning ClientAccessToken and OAuthError representations to the client in a JSON format required by OAuth2 spec. It is also a JAX-RS MessageBodyReader that is used by client OAuthClientUtils (see below) to read the responses from AccessTokenService.</p><p>Register it as a provider with a JAXRS AccessTokenService endpoint.</p><p>Alternatively, if you prefer, a custom MessageBodyWriter implementation can be registered instead.</p><h2 id="JAX-RSOAuth2-AccessTokenValidationService">Access Token
  Validation Service</h2><h3 id="JAX-RSOAuth2-AccessTokenValidatorService">AccessTokenValidatorService</h3><p>The <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java" rel="nofollow">AccessTokenValidatorService</a> is a CXF specific OAuth2 service for accepting the remote access token validation requests. OAuthRequestFilter needs to be injected with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java" rel="nofollow">AccessTokenValidatorClient</a> which will ask AccessTokenValidatorService to return the information relevant to the current access token, before setting up a security context.</p><h3 id="JAX-RSOAuth2-TokenIntrospectionService">TokenIntrospectionService</h3><p>The
  <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java" rel="nofollow">TokenIntrospectionService</a> is a standard OAuth2 service for accepting the remote access token introspection requests. See <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7662" rel="nofollow">RFC 7662</a>. OAuthRequestFilter needs to be injected with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java" rel="nofollow">AccessTokenIntrospectionClient.</a></p><h2 id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cx
 f/rs/security/oauth2/services/TokenRevocationService.java" rel="nofollow">TokenRevocationService</a> is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh tokens they own themselves, please see <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09" rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p><p>TokenRevocationService and AccessTokenService share the same code which enforces that the clients have been correctly authenticated.</p><p>Note, OAuthDataProvider implementations processing a revocation request should simply ignore the invalid tokens as recommended by the specification which will let TokenRevocationService return HTTP 200 which is done to minimize a possible attack surface (specifically for bad clients not to see if their requests failed or succeeded) and throw the exceptions only if the token revocation feature is not currently supported.</p><h2 id="JAX-RSOAuth2-
 SupportedGrants">Supported Grants</h2><p>The following subsections briefly describe how the well-known grant types can be supported on the server side. Please also check the "Client Side Support" section on how to use the related <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java" rel="nofollow">AccessTokenGrant</a> implementations to request the access tokens.</p><h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As described above, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java" rel="nofollow">AuthorizationCodeGrantService</a> service and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/s
 rc/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java" rel="nofollow">AuthorizationCodeDataProvider</a> data provider can support a redirection-based Authorization Code flow.</p><p>The code that the client receives in the end of the redirection process will need to be exchanged for a new access token with AccessTokenService. CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same way Authorization Code grant is except that no code is created, a token is issued immediately and returned to the client running within a web browser.</p><p><a shape="rect" class="external-link" href="https://gith
 ub.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java" rel="nofollow">ImplicitGrantService</a> service asks <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> data provider to issue a new token after a user has approved it.</p><p>Note the only difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also note that when an Implicit grant client (running within a browser) replaces the code grant for a new access token and tries to access the end user's resource, Cross Origin Resource Sharing (CORS) support will most likely need to be enabled on the end user's resource server.<br clear="none"> The simplest approach is to register a CXF <a shape="rect" href="http://cxf.apac
 he.org/docs/jax-rs-cors.html">CORS filter</a>, right before OAuth2 filter (see on it below).</p><p>Starting from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client id to the browser-hosted client. This is recommended so that the client can verify that the token is meant to be delivered to this client.</p><h3 id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java" rel="nofollow">ClientCredentialsGrantHandler</a> handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGr
 ant.java" rel="nofollow">ClientCredentialsGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</h3><p>Register <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java" rel="nofollow">ResourceOwnerGrantHandler</a> handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java">ResourceOwnerGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a refresh token grant if the current access toke
 n it owns has expired or been revoked and the refresh token was issued alongside with the access token which is now invalid and get the new, 'refreshed' access token. This can allow the client to avoid seeking a new authorization approval from the end user.</p><p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java">RefreshTokenGrantHandler</a> handler with AccessTokenService for this grant be supported. Note this grant handler is only useful for refreshing the existing access token, so one or more of the other grant handlers (Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security
 /oauth2/grants/owner/ResourceOwnerGrant.java" rel="nofollow">RefreshTokenGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT Assertions</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7522" rel="nofollow">SAML2 assertions</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7523" rel="nofollow">JWT assertions</a> can be used as token grants.</p><p>JWT assertion grants are supported in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt" rel="nofollow">this package</a>. <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java" rel="nofollow">JwtBearerAuthHandler</a> can be us
 ed as a generic client authentication filter (where the client authenticated with JWT token as opposed to with a username:password pair, etc).</p><p>Please also see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Assertions</a> section for more information.</p><p>&#160;</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If you need to customize the way the well-known grant requests are handled then consider extending one of the grant handlers listed in the previous sub-sections.</p><p>Alternatively create a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java" rel="nofollow">AccessTokenGrantHandler</a> and register it with AccessTokenService. Additionally, consider providing a related&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-paren
 t/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java" rel="nofollow">AccessTokenGrant</a> implementation for making it easy for the client code to request a new access token with this custom grant.</p><h2 id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationRequestFilter.java" rel="nofollow">AuthorizationRequestFilter</a> implementations can be registered with AuthorizationCodeGrantService or ImplicitGrantService in order to pre-process code requests. For example, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java" rel="nofollow">JwtRequestCodeFilter</a> can be used to process JWS-signed or
  JWE-encrypted code requests.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java" rel="nofollow">AuthorizationCodeResponseFilter</a> implementations can be registered with AuthorizationCodeService in order to post-process code responses.</p><h2 id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse Filters</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java" rel="nofollow">AccessTokenResponseFilter</a> implementations can be registered with AccessTokenService in order to post-process access token responses. For example,&#160; OIDC IdToken can be added to a response with a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/
 blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a>.</p><h2 id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</h2><p>When working with the flows which require the end users/resource owners explicitly authorizing clients (for example, as in the case of redirection-based flows), using pre-authorized access tokens is one option to minimize the need for the end-user intervention. <br clear="none"> OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists and if yes then it will be returned immediately, without starting the authorization process involving the end user (as required by some flows).</p><p>Consider providing a user interface which will let the end users/resource owners to pre-authorize specific clients early. Note, a CXF service for supporting the users pre-authorizing the clients or revoking the tokens for 
 some of the clients may be introduced in the future.</p><p>Also note that using a refresh token grant may further help with minimizing the end user involvement, in cases when the current access token has expired.</p><h2 id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can register custom scopes they will be expected to use and then avoid specifying the scopes when requesting the code grants or access tokens.<br clear="none"> Alternatively it makes it easier to support so called wild-card scopes. For example, a client pre-registers a scope "update" and actually uses an "update-7" scope: Redirection-based services and access token grants can be configured to do a partial scope match, in this case, validate that "update-7" starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these s
 ervices rely on a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> implementation.</p><p>The main task of <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> is to persist and generate access tokens. Additionally, as noted above, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java" rel="nofollow">AuthorizationCodeDataProvider</a> needs to persist and remove the code grant registrations. The way it's done is really application-specific. Consider 
 starting with a basic memory based implementation and then move on to keeping the data in some DB.</p><p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java" rel="nofollow">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes are used in the first place).&#160;</p><h3 id="JAX-RSOAuth2-DefaultProviders">Default Providers</h3><p>CXF 3.1.7 ships JPA2 (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java" rel="nofollow">JPAOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/
 rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java" rel="nofollow">JPACodeDataProvider</a>), Ehcache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java" rel="nofollow">DefaultEHCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java" rel="nofollow">DefaultEHCacheCodeDataProvider</a>) and JCache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java" rel="nofollow">JCacheOAuthDataProvider</a> and <a shape="rect" cla
 ss="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java" rel="nofollow">JCacheCodeDataProvider</a>) provider implementations which take care of all the persistence tasks: saving or removing registered clients, tokens and code grants. These providers can be easily customized.</p><p>Custom implementations can also extend&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java" rel="nofollow">AbstractOAuthDataProvider</a> or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java" rel="nofollow">AbstractCodeDataProvider</a>&#160; and only impleme
 nt their abstract persistence related methods or further customize some of their code.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations and a custom OAuthDataProvider provider in place, it is time to deploy the OAuth2 server. <br clear="none"> Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><pre>&#160;</pre><h4 id="JAX-RSOAuth2-JWTTokens">JWT Tokens</h4><p>Starting from CXF 3.1.8 some of CXF OAuthDataProvider implementations (EhCache and JCache based) support Access Token representations in JWT. This means that ServerAccessTokens created by data providers are converted to a sequence of JSON JWT claims and then JWS signed and/or JWE encrypted.</p><p>Custom data providers can extend <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java" rel="nofollow">AbstractOAuthDataProvider</a> to depend on the code which converts ServerAccessTokens to JWT and use <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java" rel="nofollow">JwtTokenUtils</a> to convert JOSE token representat
 ions back to ServerAccessToken.</p><p>For example, here is how one can configure an Ehcache or JCache based provider to use JWT:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuthDataProviderImpl"&gt;
+       &lt;property name="useJwtFormatForAccessTokens" value="true"/&gt;
+&lt;/bean&gt;</pre>
+</div></div><p>&#160;</p><p>Additionally, in order to sign and/or encrypt, this provider can be injected with an instance of <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtProducer.java" rel="nofollow">OAuthJoseJwtProducer</a> or AccessTokenService endpoint where this provider is registered can be configured as follows:</p><p>&#160;</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;jaxrs:server id="oauthServer1" address="https://localhost:${testutil.ports.jaxrs-oauth2-serviceJwt}/services"&gt;
+ &lt;jaxrs:serviceBeans&gt;
+&#160;&#160; &lt;ref bean="tokenService"/&gt;
+&lt;/jaxrs:serviceBeans&gt;&lt;!-- Sign --&gt;
+&lt;jaxrs:properties&gt;
+ &lt;entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/&gt;
+ &lt;entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/&gt;
+ &lt;/jaxrs:properties&gt;
+ &lt;/jaxrs:server&gt;</pre>
+</div></div><p>&#160;</p><p>Note that Ehcache and JCache providers will still persist the complete ServerAccessToken representations - once JOSE sequence is created it becomes a new tokenId of the current ServerAccessToken, with the original tokenId becoming a JWT 'jti' claim.</p><p>One can configure the providers to persist access tokens only as these newly created JOSE sequences:</p><p>&#160;</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuthDataProviderImpl"&gt;
+       &lt;property name="useJwtFormatForAccessTokens" value="true"/&gt;
+       &lt;property name="storeJwtTokenKeyOnly" value="true"/&gt;
+&lt;/bean&gt;</pre>
+</div></div><p>Only a JOSE sequence representing a given ServerAccessToken will be persisted. The providers will recreate ServerAccessToken from this sequence when the token is needed by the runtime.</p><p>&#160;</p><p>Resource server (RS) will need to make a decision how to validate this JWT token. It can continue validating it remotely with AccessTokenValidationService or TokenIntrsopectionService (see below for more info about these services) or if RS has an access to the keys used to sign/encrypt JWT then it can use a local JWT validation, example:</p><p>&#160;</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="jwtTokenValidator" class="org.apache.cxf.rs.security.oauth2.filters.JwtAccessTokenValidator"/&gt;
+&lt;bean id="oAuthFilterLocalValidation" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"&gt;
+    &lt;property name="tokenValidator" ref="jwtTokenValidator"/&gt;
+&lt;/bean&gt;
+   
+&lt;jaxrs:server 
+    depends-on="tls-config" 
+    address="https://localhost:${testutil.ports.jaxrs-oauth2-filtersJwt}/securedLocalValidation"&gt;
+    &lt;jaxrs:serviceBeans&gt;
+        &lt;ref bean="serviceBean"/&gt;
+    &lt;/jaxrs:serviceBeans&gt;
+    &lt;jaxrs:providers&gt;
+        &lt;ref bean="oAuthFilterLocalValidation"/&gt;
+    &lt;/jaxrs:providers&gt;
+    &lt;jaxrs:properties&gt;
+         &lt;entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/&gt;
+    &lt;/jaxrs:properties&gt;
+&lt;/jaxrs:server&gt;</pre>
+</div></div><p>&#160;</p><p>When to use JWT ? The pros are: might be easier to align with some newer OAuth2 related specifications, might be possible to avoid a remote validation call, possible OAuth2 server storage optimization. Cons: the extra cost of validating (or decrypting), access token value reported to and used by clients becomes larger. If JWS only is used - care should be taken to avoid putting some sensitive JWT claims given that JWS payload can be introspected.</p><p>&#160;</p><p>See <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">JAX-RS JOSE</a> wiki page for more information on how to sign and encrypt JSON Web Tokens.</p><p>&#160;</p><h4 id="JAX-RSOAuth2-Customtokens">Custom tokens</h4><p>If needed, users can use their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.</p><h4 id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and
  Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00" rel="nofollow">audience</a> parameter is supported during the client token requests.</p><h3 id="JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</h3><p>org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider is a JAX-RS MessageBodyWriter which supports returning ClientAccessToken and OAuthError representations to the client in a JSON format required by OAuth2 spec. It is also a JAX-RS MessageBodyReader that is used by client OAuthClientUtils (see below) to read the responses from AccessTokenService.</p><p>Register it as a provider with a JAXRS AccessTokenService endpoint.</p><p>Alternatively, if you prefer, a custom MessageBodyWriter implementation can be registered instead.</p><h2 id="JAX-RSOAuth2-AccessTokenValidationService">Access Token Validation Service</h2><h3 id="JAX-RSOAuth2-AccessTokenValidatorService">AccessTokenValid
 atorService</h3><p>The <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java" rel="nofollow">AccessTokenValidatorService</a> is a CXF specific OAuth2 service for accepting the remote access token validation requests. OAuthRequestFilter needs to be injected with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java" rel="nofollow">AccessTokenValidatorClient</a> which will ask AccessTokenValidatorService to return the information relevant to the current access token, before setting up a security context.</p><h3 id="JAX-RSOAuth2-TokenIntrospectionService">TokenIntrospectionService</h3><p>The <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/
 rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java" rel="nofollow">TokenIntrospectionService</a> is a standard OAuth2 service for accepting the remote access token introspection requests. See <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7662" rel="nofollow">RFC 7662</a>. OAuthRequestFilter needs to be injected with <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java" rel="nofollow">AccessTokenIntrospectionClient.</a></p><h2 id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java" rel="nofollow">TokenRevocationS
 ervice</a> is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh tokens they own themselves, please see <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09" rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p><p>TokenRevocationService and AccessTokenService share the same code which enforces that the clients have been correctly authenticated.</p><p>Note, OAuthDataProvider implementations processing a revocation request should simply ignore the invalid tokens as recommended by the specification which will let TokenRevocationService return HTTP 200 which is done to minimize a possible attack surface (specifically for bad clients not to see if their requests failed or succeeded) and throw the exceptions only if the token revocation feature is not currently supported.</p><h2 id="JAX-RSOAuth2-DynamicRegistrationService">DynamicRegistrationService</h2><p>This service is currently a 
 work in progress and may become available in CXF 3.1.8 or CXF 3.1.9. It will support the dynamic client <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7591" rel="nofollow">registration</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7592" rel="nofollow">management</a>.</p><h2 id="JAX-RSOAuth2-AuthorizationMetadataService">AuthorizationMetadataService</h2><p>This service is currently a work in progress and may become available in CXF 3.1.8 or CXF 3.1.9. It will support OAuth2 <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-oauth-discovery-04" rel="nofollow">server configuration</a> queries at ".well-known/oauth-authorization-server".</p><h2 id="JAX-RSOAuth2-SupportedGrants">Supported Grants</h2><p>The following subsections briefly describe how the well-known grant types can be supported on the server side. Please also check the "Client Side Support" section on how to use the related <a s
 hape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java" rel="nofollow">AccessTokenGrant</a> implementations to request the access tokens.</p><h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As described above, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java" rel="nofollow">AuthorizationCodeGrantService</a> service and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java" rel="nofollow">AuthorizationCodeDataProvider</a> data provider can support a redirection-based Authorization Code flow.</p><p>The code that
  the client receives in the end of the redirection process will need to be exchanged for a new access token with AccessTokenService. CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java">AuthorizationCodeGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same way Authorization Code grant is except that no code is created, a token is issued immediately and returned to the client running within a web browser.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java" rel="nofollow">ImplicitGrantService</a> service asks <a shape="rect" class="external-
 link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> data provider to issue a new token after a user has approved it.</p><p>Note the only difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also note that when an Implicit grant client (running within a browser) replaces the code grant for a new access token and tries to access the end user's resource, Cross Origin Resource Sharing (CORS) support will most likely need to be enabled on the end user's resource server.<br clear="none"> The simplest approach is to register a CXF <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-cors.html">CORS filter</a>, right before OAuth2 filter (see on it below).</p><p>Starting from CXF 2.7.5 it is possible to request ImplicitGrantService to return a registered Client id to the browser-hosted client. T
 his is recommended so that the client can verify that the token is meant to be delivered to this client.</p><h3 id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java" rel="nofollow">ClientCredentialsGrantHandler</a> handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java" rel="nofollow">ClientCredentialsGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</h3><p>Register <a shape="rect
 " class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java" rel="nofollow">ResourceOwnerGrantHandler</a> handler with AccessTokenService for this grant be supported.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java">ResourceOwnerGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a refresh token grant if the current access token it owns has expired or been revoked and the refresh token was issued alongside with the access token which is now invalid and get the new, 'refreshed' access token. This can allow the client to avoid seeking a new authorization appr
 oval from the end user.</p><p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java">RefreshTokenGrantHandler</a> handler with AccessTokenService for this grant be supported. Note this grant handler is only useful for refreshing the existing access token, so one or more of the other grant handlers (Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.</p><p>CXF-based clients can use a helper <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java" rel="nofollow">RefreshTokenGrant</a> bean to request a new access token with OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT Assertions</h3><p><a shape="rect" 
 class="external-link" href="https://tools.ietf.org/html/rfc7522" rel="nofollow">SAML2 assertions</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7523" rel="nofollow">JWT assertions</a> can be used as token grants.</p><p>JWT assertion grants are supported in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt" rel="nofollow">this package</a>. <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java" rel="nofollow">JwtBearerAuthHandler</a> can be used as a generic client authentication filter (where the client authenticated with JWT token as opposed to with a username:password pair, etc).</p><p>Please also see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Asse
 rtions</a> section for more information.</p><p>&#160;</p><h3 id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If you need to customize the way the well-known grant requests are handled then consider extending one of the grant handlers listed in the previous sub-sections.</p><p>Alternatively create a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java" rel="nofollow">AccessTokenGrantHandler</a> and register it with AccessTokenService. Additionally, consider providing a related&#160;<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java" rel="nofollow">AccessTokenGrant</a> implementation for making it easy for the client code to request a new access token with this custom grant.</p>
 <h2 id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationRequestFilter.java" rel="nofollow">AuthorizationRequestFilter</a> implementations can be registered with AuthorizationCodeGrantService or ImplicitGrantService in order to pre-process code requests. For example, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java" rel="nofollow">JwtRequestCodeFilter</a> can be used to process JWS-signed or JWE-encrypted code requests.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeRes
 ponseFilter.java" rel="nofollow">AuthorizationCodeResponseFilter</a> implementations can be registered with AuthorizationCodeService in order to post-process code responses.</p><h2 id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse Filters</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java" rel="nofollow">AccessTokenResponseFilter</a> implementations can be registered with AccessTokenService in order to post-process access token responses. For example,&#160; OIDC IdToken can be added to a response with a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java" rel="nofollow">IdTokenResponseFilter</a>.</p><h2 id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens
 </h2><p>When working with the flows which require the end users/resource owners explicitly authorizing clients (for example, as in the case of redirection-based flows), using pre-authorized access tokens is one option to minimize the need for the end-user intervention. <br clear="none"> OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists and if yes then it will be returned immediately, without starting the authorization process involving the end user (as required by some flows).</p><p>Consider providing a user interface which will let the end users/resource owners to pre-authorize specific clients early. Note, a CXF service for supporting the users pre-authorizing the clients or revoking the tokens for some of the clients may be introduced in the future.</p><p>Also note that using a refresh token grant may further help with minimizing the end user involvement, in cases when the current access token has expired.</p><h2 id="JAX-RSOAut
 h2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can register custom scopes they will be expected to use and then avoid specifying the scopes when requesting the code grants or access tokens.<br clear="none"> Alternatively it makes it easier to support so called wild-card scopes. For example, a client pre-registers a scope "update" and actually uses an "update-7" scope: Redirection-based services and access token grants can be configured to do a partial scope match, in this case, validate that "update-7" starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="no
 follow">OAuthDataProvider</a> implementation.</p><p>The main task of <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java" rel="nofollow">OAuthDataProvider</a> is to persist and generate access tokens. Additionally, as noted above, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java" rel="nofollow">AuthorizationCodeDataProvider</a> needs to persist and remove the code grant registrations. The way it's done is really application-specific. Consider starting with a basic memory based implementation and then move on to keeping the data in some DB.</p><p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect" class="ex
 ternal-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java" rel="nofollow">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes are used in the first place).&#160;</p><h3 id="JAX-RSOAuth2-DefaultProviders">Default Providers</h3><p>CXF 3.1.7 ships JPA2 (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java" rel="nofollow">JPAOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java" rel="nofollow">JPACodeDataProvider</a>), Ehcache (<a shape="rect" class="external-link" href="https://github.com/
 apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java" rel="nofollow">DefaultEHCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java" rel="nofollow">DefaultEHCacheCodeDataProvider</a>) and JCache (<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java" rel="nofollow">JCacheOAuthDataProvider</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java" rel="nofollow">JCacheCodeDataProvider</a>) 
 provider implementations which take care of all the persistence tasks: saving or removing registered clients, tokens and code grants. These providers can be easily customized.</p><p>Custom implementations can also extend&#160; <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java" rel="nofollow">AbstractOAuthDataProvider</a> or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java" rel="nofollow">AbstractCodeDataProvider</a>&#160; and only implement their abstract persistence related methods or further customize some of their code.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations and a cust
 om OAuthDataProvider provider in place, it is time to deploy the OAuth2 server. <br clear="none"> Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;!-- implements OAuthDataProvider --&gt;
 &lt;bean id="oauthProvider" class="oauth.manager.OAuthManager"/&gt;
      



Mime
View raw message