cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: FEDIZ-172 - OIDC DataProvider should support client_credentials clients
Date Tue, 02 Aug 2016 09:25:03 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master b45b3b7b2 -> dd35349be


FEDIZ-172 - OIDC DataProvider should support client_credentials clients


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/dd35349b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/dd35349b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/dd35349b

Branch: refs/heads/master
Commit: dd35349be0e960854774c546713b8a368de39abb
Parents: b45b3b7
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Aug 2 10:24:19 2016 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Aug 2 10:24:19 2016 +0100

----------------------------------------------------------------------
 .../service/oidc/OAuthDataProviderImpl.java     |  49 +++-
 systests/oidc/pom.xml                           |  42 ++++
 .../cxf/fediz/systests/oidc/OIDCTest.java       |  21 ++
 .../test/resources/oidc/applicationContext.xml  | 230 +++++++++++++++++++
 .../src/test/resources/oidc/data-manager.xml    |  87 +++++++
 systests/oidc/src/test/resources/sts.jaas       |  10 +
 6 files changed, 437 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/dd35349b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
index 16bd697..43bd6de 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
@@ -21,7 +21,16 @@ package org.apache.cxf.fediz.service.oidc;
 import java.security.Principal;
 import java.util.Collections;
 import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.security.NamePasswordCallbackHandler;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
@@ -31,7 +40,12 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider {
     
+    private static final Logger LOG = LogUtils.getL7dLogger(OAuthDataProviderImpl.class);
+    
     private boolean checkOnlyRegisteredClients;
+    private String contextName;
+    private Configuration loginConfig;
+
     
     @Override
     public Client getClient(String clientId) {
@@ -76,13 +90,44 @@ public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider
{
     }
     
     protected Client authenticateClient(String clientId, String clientSecret) {
-        // If the authentication is successful: 
-        // return new Client(clientId, clientSecret, true)
+        if (contextName != null) {
+            try {
+                // Login using JAAS
+                CallbackHandler callbackHandler = 
+                    new NamePasswordCallbackHandler(clientId, clientSecret);
+                LoginContext ctx = new LoginContext(getContextName(), null, callbackHandler,
loginConfig);  
+                ctx.login();
+                Client client = new Client(clientId, clientSecret, true);
+                client.setAllowedGrantTypes(Collections.singletonList(OAuthConstants.CLIENT_CREDENTIALS_GRANT));
+                ctx.logout();
+                return client;
+            } catch (LoginException ex) {
+                ex.printStackTrace();
+                String errorMessage = "Authentication failed: " + ex.getMessage();
+                LOG.log(Level.FINE, errorMessage, ex);
+            }
+        }
         return null;
     }
 
     public void setCheckOnlyRegisteredClients(boolean checkOnlyRegisteredClients) {
         this.checkOnlyRegisteredClients = checkOnlyRegisteredClients;
     }
+    
+    public String getContextName() {
+        return contextName;
+    }
+
+    public void setContextName(String contextName) {
+        this.contextName = contextName;
+    }
+
+    public Configuration getLoginConfig() {
+        return loginConfig;
+    }
+
+    public void setLoginConfig(Configuration loginConfig) {
+        this.loginConfig = loginConfig;
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/dd35349b/systests/oidc/pom.xml
----------------------------------------------------------------------
diff --git a/systests/oidc/pom.xml b/systests/oidc/pom.xml
index 5639f37..57f3e69 100644
--- a/systests/oidc/pom.xml
+++ b/systests/oidc/pom.xml
@@ -99,6 +99,16 @@
             <version>${cxf.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+	        <groupId>org.apache.cxf</groupId>
+	        <artifactId>cxf-rt-ws-security</artifactId>
+	        <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-ws-policy</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
     </dependencies>
     <build>
         <testResources>
@@ -197,6 +207,17 @@
                             </artifactItems>
                         </configuration>
                     </execution>
+                    <execution>
+                        <id>copy-extra-jars-to-oidc</id>
+                        <phase>package</phase>
+                        <goals>
+                          <goal>copy-dependencies</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/rp/webapps/fediz-oidc/WEB-INF/lib</outputDirectory>
+                             <includeScope>compile</includeScope>
+                        </configuration>
+                    </execution>
                 </executions>
             </plugin>
             <plugin>
@@ -222,6 +243,26 @@
                             </resources>              
                         </configuration>            
                     </execution>
+                    <execution>
+                        <id>copy-entities-to-oidc</id>
+                        <phase>generate-test-sources</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/tomcat/rp/webapps/fediz-oidc/WEB-INF</outputDirectory>
+                            <resources>          
+                                <resource>
+                                    <directory>${basedir}/src/test/resources/oidc</directory>
+                                    <includes>
+                                        <include>applicationContext.xml</include>
+                                        <include>data-manager.xml</include>
+                                    </includes>
+                                    <filtering>true</filtering>
+                                </resource>
+                            </resources>              
+                        </configuration>            
+                    </execution>
                 </executions>
             </plugin>
             <plugin>
@@ -261,6 +302,7 @@
                                 <idp.https.port>${idp.https.port}</idp.https.port>
                                 <rp.https.port>${rp.https.port}</rp.https.port>
                                 <java.io.tmpdir>${basedir}/target</java.io.tmpdir>
+                                <java.security.auth.login.config>src/test/resources/sts.jaas</java.security.auth.login.config>
                             </systemPropertyVariables>
                             <includes>
                                 <include>**/systests/**</include>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/dd35349b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
----------------------------------------------------------------------
diff --git a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
index ccb3bc9..627e44e 100644
--- a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
+++ b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
@@ -632,6 +632,27 @@ public class OIDCTest {
         webClient.close();
     }
     
+    @org.junit.Test
+    public void testClientCredentialsSTS() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/oauth2/token";
+        WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+
+        request.setRequestParameters(new ArrayList<NameValuePair>());
+        request.getRequestParameters().add(new NameValuePair("client_id", "alice"));
+        request.getRequestParameters().add(new NameValuePair("client_secret", "ecila"));
+        request.getRequestParameters().add(new NameValuePair("grant_type", "client_credentials"));
+        
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getOptions().setJavaScriptEnabled(false);
+        final UnexpectedPage responsePage = webClient.getPage(request);
+        String response = responsePage.getWebResponse().getContentAsString();
+
+        Assert.assertTrue(response.contains("access_token"));
+        
+        webClient.close();
+    }
+    
     private static WebClient setupWebClient(String user, String password, String idpPort)
{
         final WebClient webClient = new WebClient();
         webClient.getOptions().setUseInsecureSSL(true);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/dd35349b/systests/oidc/src/test/resources/oidc/applicationContext.xml
----------------------------------------------------------------------
diff --git a/systests/oidc/src/test/resources/oidc/applicationContext.xml b/systests/oidc/src/test/resources/oidc/applicationContext.xml
new file mode 100644
index 0000000..2eefe27
--- /dev/null
+++ b/systests/oidc/src/test/resources/oidc/applicationContext.xml
@@ -0,0 +1,230 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:cxf="http://cxf.apache.org/core"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:jaxrs="http://cxf.apache.org/jaxrs" 
+    xmlns:util="http://www.springframework.org/schema/util"
+    xmlns:http="http://cxf.apache.org/transports/http/configuration"
+    xmlns:sec="http://cxf.apache.org/configuration/security"
+    xsi:schemaLocation="
+        http://cxf.apache.org/core
+        http://cxf.apache.org/schemas/core.xsd
+		http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+        http://cxf.apache.org/jaxrs
+        http://cxf.apache.org/schemas/jaxrs.xsd
+        http://www.springframework.org/schema/util 
+        http://www.springframework.org/schema/util/spring-util.xsd
+        http://cxf.apache.org/transports/http/configuration
+        http://cxf.apache.org/schemas/configuration/http-conf.xsd
+        http://cxf.apache.org/configuration/security
+        http://cxf.apache.org/schemas/configuration/security.xsd">
+
+	<cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+		
+    <import resource="data-manager.xml" />
+    
+    <!-- Supports OIDC Authorization Code flow -->
+    <bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService">
+         <property name="dataProvider" ref="oauthProvider"/>
+         <property name="subjectCreator" ref="subjectCreator"/>
+         <property name="skipAuthorizationWithOidcScope" value="true"/>
+         <!--
+         <property name="useAllClientScopes" value="true"/>
+         -->
+         <property name="canSupportPublicClients" value="true"/>
+    </bean>
+    <!-- Supports OIDC Implicit and Hybrid flows -->
+    <bean id="oidcHybridService" class="org.apache.cxf.rs.security.oidc.idp.OidcHybridService">
+         <property name="dataProvider" ref="oauthProvider"/>
+         <property name="subjectCreator" ref="subjectCreator"/>
+         <property name="skipAuthorizationWithOidcScope" value="true"/>
+         <property name="responseFilter" ref="idTokenFilter"/>
+         <property name="codeService" ref="oidcAuthorizationService"/>
+    </bean>
+    
+    <util:list id="oidcServices">
+        <ref bean="oidcAuthorizationService"/>
+        <ref bean="oidcHybridService"/>
+    </util:list>
+    
+    <!-- Service which makes Code, Implicit and Hybrid flow available 
+         at the same relative "/authorize" address -->
+    <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationService">
+         <property name="services" ref="oidcServices"/>
+    </bean>
+    
+    <!-- Service supporting all OIDC Core flows -->
+    <jaxrs:server address="/idp">
+        <jaxrs:serviceBeans>
+           <ref bean="authorizationService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="viewProvider"/>
+            <ref bean="oauthJsonProvider"/>
+        </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+            <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    <!-- 
+         Public JWK Key Service: Disable it if the client secret is used or if 
+         pre-installing public OIDC keys to clients is preferred
+    --> 
+    <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
+    <jaxrs:server address="/jwk">
+        <jaxrs:serviceBeans>
+           <ref bean="oidcKeysService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/>
+        </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+            <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+        </jaxrs:properties>
+    </jaxrs:server>
+    
+    
+    <bean id="oauth2TokenValidationFilter" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
+         <property name="dataProvider" ref="oauthProvider"/>
+         <property name="audienceIsEndpointAddress" value="false"/>
+    </bean>
+     
+    <!-- User Info Service --> 
+    <bean id="userInfoService" class="org.apache.cxf.rs.security.oidc.idp.UserInfoService">
+        <property name="oauthDataProvider" ref="oauthProvider"/>
+        <property name="jwsRequired" value="false"/>
+    </bean>
+    <jaxrs:server address="/users">
+        <jaxrs:serviceBeans>
+           <ref bean="userInfoService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/>
+            <ref bean="oauth2TokenValidationFilter"/>
+        </jaxrs:providers>
+    </jaxrs:server>
+    
+    <bean id="keyPasswordProvider" class="org.apache.cxf.fediz.service.oidc.PrivateKeyPasswordProviderImpl"/>
+    
+    <!-- Client Registration Service -->
+    <bean id="clientRegService" init-method="init" 
+       class="org.apache.cxf.fediz.service.oidc.clients.ClientRegistrationService">
+       <property name="dataProvider" ref="oauthProvider"/>
+       <property name="clientProvider" ref="oauthProvider"/>
+       <!-- 
+           <property name="clientScopes" ref="supportedScopes"/>
+       -->
+       <property name="homeRealms">
+          <map>
+            <entry key="urn:org:apache:cxf:fediz:idp:realm-A" value="IDP of Realm A" />
+            <entry key="urn:org:apache:cxf:fediz:idp:realm-B" value="IDP of Realm B" />
+          </map>
+       </property>
+    </bean>
+    
+    <!-- Console linking to the client registration service -->
+    <bean id="consoleService" class="org.apache.cxf.fediz.service.oidc.console.UserConsoleService">
+        <property name="clientRegService" ref="clientRegService"/>
+    </bean>
+    <jaxrs:server address="/console">
+        <jaxrs:serviceBeans>
+            <ref bean="consoleService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="viewProvider"/>
+        </jaxrs:providers> 
+    </jaxrs:server>
+    
+    <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+       <property name="useClassNames" value="true"/>
+       <property name="locationPrefix" value="/WEB-INF/views/"/>
+       <property name="beanName" value="data"/>
+       <property name="dispatcherName" value="jsp"/>
+       <property name="resourcePaths">
+            <map>
+              <entry key="/remove" value="/WEB-INF/views/registeredClients.jsp"/>
+            </map>
+       </property>
+       <property name="classResources">
+            <map>
+              <entry key="org.apache.cxf.fediz.service.oidc.clients.InvalidRegistration"
value="/WEB-INF/views/invalidRegistration.jsp"/>
+            </map>
+       </property>
+    </bean>
+    
+    <!-- AccessTokenService response filter which adds IdTokens to client responses -->
+    <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter">
+      <!--
+        <property name="signWithClientSecret" value="true"/>
+      -->
+    </bean>
+    <bean id="refreshTokenHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
+        <property name="dataProvider" ref="oauthProvider"/>
+    </bean>
+     <bean id="clientCredsHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
+        <property name="dataProvider" ref="oauthProvider"/>
+    </bean>
+    <!-- Access Token service -->
+    <bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+        <property name="dataProvider" ref="oauthProvider"/>
+        <property name="responseFilter" ref="idTokenFilter"/>
+        <property name="grantHandler" ref="clientCredsHandler"/>
+        <property name="canSupportPublicClients" value="true"/>
+    </bean>
+    <!-- Access Token Introspection service -->
+    <bean id="accessTokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
+        <property name="dataProvider" ref="oauthProvider"/>
+        <property name="blockUnauthorizedRequests" value="false"/> 
+    </bean>
+    <bean id="oauthJsonProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+    <jaxrs:server address="/oauth2">
+        <jaxrs:serviceBeans>
+            <ref bean="accessTokenService"/>
+            <ref bean="accessTokenIntrospectionService"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+           <ref bean="oauthJsonProvider"/>
+        </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="rs.security.properties"/>
+            <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+        </jaxrs:properties>
+     </jaxrs:server>
+     
+     <http:conduit name="*.http-conduit">
+        <http:tlsClientParameters
+            disableCNCheck="true">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="tompass" resource="server.jks" />
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
+     
+</beans>
+

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/dd35349b/systests/oidc/src/test/resources/oidc/data-manager.xml
----------------------------------------------------------------------
diff --git a/systests/oidc/src/test/resources/oidc/data-manager.xml b/systests/oidc/src/test/resources/oidc/data-manager.xml
new file mode 100644
index 0000000..3397962
--- /dev/null
+++ b/systests/oidc/src/test/resources/oidc/data-manager.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+ 
+  http://www.apache.org/licenses/LICENSE-2.0
+ 
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="
+        http://www.springframework.org/schema/beans
+        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+        http://www.springframework.org/schema/util 
+        http://www.springframework.org/schema/util/spring-util.xsd
+        ">
+    
+    <bean id="applicationContextProvider" class="org.apache.cxf.fediz.service.oidc.handler.hrd.ApplicationContextProvider"/>
+
+    <!-- List of accepted scopes -->
+    <util:map id="supportedScopes">
+        <entry key="openid" value="Access the authentication claims" />
+        <entry key="refreshToken" value="Refresh access tokens" />
+    </util:map>
+    
+    <!-- 
+        List of required scopes that must be available in request URIs when
+        client redirects users to OIDC
+    -->
+    <util:list id="coreScopes">
+        <value>openid</value>
+    </util:list>
+    
+    <!-- 
+        Typically the scopes authorized by the user will be reported back to the client,
+        reporting an approved refreshToken scope is currently disabled  
+    -->
+    <util:list id="invisibleToClientScopes">
+        <value>refreshToken</value>
+    </util:list>
+    
+    <!-- 
+        To support the alternative data persistence strategies: either register a custom
+        AbstractCodeDataProvider extension or implement AuthorizationCodeDataProvider directly
+    -->     
+    <bean id="oauthProvider" 
+          class="org.apache.cxf.fediz.service.oidc.OAuthDataProviderImpl"
+          init-method="init" destroy-method="close">
+        <!-- List of accepted scopes -->  
+        <property name="supportedScopes" ref="supportedScopes"/>
+        <!-- 
+             List of scopes that the consent/authorization form should make 
+             selected by default. For example, asking a user to do an extra click
+             to approve an "oidc" scope is a redundant operation because this scope
+             is required anyway.
+        -->
+        <property name="defaultScopes" ref="coreScopes"/>
+        
+        <property name="invisibleToClientScopes" ref="invisibleToClientScopes"/>
+        <!--
+        <property name="accessTokenLifetime" value="3600"/>
+        -->
+        <!--
+        <property name="supportPreauthorizedTokens" value="true"/>
+        -->
+        <property name="contextName" value="sts"/>
+    </bean>
+
+    <!-- Custom SubjectCreator where IdToken is created -->    
+    <bean id="subjectCreator" class="org.apache.cxf.fediz.service.oidc.FedizSubjectCreator">
+        <property name="idTokenIssuer" value="accounts.fediz.com"/>
+    </bean>
+         
+</beans>
+

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/dd35349b/systests/oidc/src/test/resources/sts.jaas
----------------------------------------------------------------------
diff --git a/systests/oidc/src/test/resources/sts.jaas b/systests/oidc/src/test/resources/sts.jaas
new file mode 100644
index 0000000..fdb759e
--- /dev/null
+++ b/systests/oidc/src/test/resources/sts.jaas
@@ -0,0 +1,10 @@
+
+sts {
+    org.apache.cxf.ws.security.trust.STSLoginModule required 
+    require.roles="true"
+    disable.on.behalf.of="true"
+    wsdl.location="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl"
+    service.name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"
+    endpoint.name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}TransportUT_Port";
+};
+


Mime
View raw message