cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r1000649 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oidc.html
Date Mon, 07 Nov 2016 11:47:36 GMT
Author: buildbot
Date: Mon Nov  7 11:47:36 2016
New Revision: 1000649

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oidc.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oidc.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oidc.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oidc.html Mon Nov  7 11:47:36 2016
@@ -117,11 +117,11 @@ Apache CXF -- JAX-RS OIDC
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1472215619602 {padding: 0px;}
-div.rbtoc1472215619602 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1472215619602 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1478519220343 {padding: 0px;}
+div.rbtoc1478519220343 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1478519220343 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1472215619602">
+/*]]>*/</style></p><div class="toc-macro rbtoc1478519220343">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOIDC-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</a></li><li><a
shape="rect" href="#JAX-RSOIDC-OIDCIDPsupport">OIDC IDP support</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-OIDCFlowServices">OIDC
Flow Services</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOIDC-AuthorizationCodeFlow">Authorization
Code Flow</a></li><li><a shape="rect" href="#JAX-RSOIDC-ImplicitFlow">Implicit
Flow</a></li><li><a shape="rect" href="#JAX-RSOIDC-HybridFlow">Hybrid
Flow</a></li></ul>
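Review bot: the only change in this hunk is the regenerated Confluence TOC class name (`div.rbtoc1472215619602` becoming `div.rbtoc1478519220343` in the three CSS rules and the `toc-macro` div), so the hunk carries no content at all and shows up as an 11-line diff on every republish. It would be worth having the export step strip or pin that timestamp-derived class so the production diffs only show real documentation changes, which also makes the actual edits in the next hunk easier to review.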
@@ -135,7 +135,7 @@ div.rbtoc1472215619602 li {margin-left:
     &lt;artifactId&gt;cxf-rt-rs-security-sso-oidc&lt;/artifactId&gt;
     &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;</pre>
-</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a
shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides
a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a>
which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a>
and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a>
by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java"
rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
 <p>One way to populate it is to register a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java"
rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService.
For example, <a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a>
uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java"
rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared
by Fediz Authenticators and creates IdToken by converting an already available SAML token
to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSub
 ject.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal may
already have a prepared IdToken.&#160;</p><p>The other approach is to create
IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom
OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this
case IdToken will need to be populated first and then converted to either JWS or JWE sequence
and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant
property at the moment the grant is persisted, if it is the implicit flow - set it as a token
property at the moment the token is persisted. This approach is a bit more involved but creating
a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF
JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way
IdToken is created is container/implementation specific. Creati
 ng IdToken is the main requirement for integrating CXF OIDC code with the 3rd party container.</p><p>Finally,
<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140"
rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">IdTokenProvider</a> to create IdToken at the m
 oment it needs to be returned to the client application.&#160;</p><p>IdToken
can provide enough information for the client application to work with the current user. However,
the client can get more information about the user from OIDC <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo
endpoint</a>.</p><p>CXF provides&#160;<span class="pl-smi">&#160;</span><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java"
rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a>
One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or
  let CXF OIDCUserInfo service create it as described below.</p><h1 id="JAX-RSOIDC-OIDCIDPsupport">OIDC
IDP support</h1><p>Currently CXF OIDC IDP code provides JAX-RS services for supporting
OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth"
rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth"
rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth"
rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all
OIDC response types</a>.</p><p>Services for supporting <a shape="rect"
class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo"
rel="nofollow">UserInfo requests</a> and r
 eturning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing"
rel="nofollow">signature verification keys</a> are also shipped.&#160;</p><h2
id="JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3 id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization
Code Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java"
rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a>
extension which enforces OIDC specific constraints.&#160;</p><p>This service
issues a code grant, while&#160;<a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
returns Access and Id tokens.&#160;</p><p>
 <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>)
is where IdToken is actually added to the client response.</p><h3 id="JAX-RSOIDC-ImplicitFlow">Implicit
Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java"
rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension
which enforces OIDC specific constraints and adds IdToken to the client response.&#160;</p><h3
id="JAX-RSOIDC-HybridFlow">Hybrid Flow</h3><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc
 /src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService</a>
supports Hybrid Flow by delegating to both <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java"
rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java"
rel="nofollow">OidcAuthorizationCodeService</a>.&#160;</p><h2 id="JAX-RSOIDC-UserInfoEndpoint">UserInfo
Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java"
rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect"
class="external-link" href="https://g
 ithub.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing
IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java"
rel="nofollow">UserInfoService</a> is accessed by a client which uses the access
token issued to it during the user authentication process.</p><h2 id="JAX-RSOIDC-JWKKeysService">JWK
Keys Service</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apach
 e/cxf/rs/security/oidc/idp/OidcKeysService.java" rel="nofollow">OidcKeysService</a>
returns a JWK key set containing a public verification JWK key. By default only a public key
is returned but the service can also be configured for JWK key to include the corresponding&#160;
X509 certificate chain too.&#160; Use this service if IdToken is signed by a private RSA
or EC key for the client be able to fetch the verification keys without having to import them
into local key stores.</p><p>&#160;</p><h2 id="JAX-RSOIDC-OidcDynamicRegistrationService">OidcDynamicRegistrationService</h2><p>&#160;</p><p>This
service is currently a work in progress and may become available in CXF 3.1.8 or CXF 3.1.9.
It will support the dynamic client <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7591"
rel="nofollow">registration</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7592"
rel="nofollow">management</a> with <a shape="rect" class="external-l
 ink" href="http://openid.net/specs/openid-connect-registration-1_0.html" rel="nofollow">OIDC
specific properties</a> being handled too.</p><p>&#160;</p><h2
id="JAX-RSOIDC-OidcConfigurationService">OidcConfigurationService</h2><p>&#160;</p><p>This
service is currently a work in progress and may become available in CXF 3.1.8 or CXF 3.1.9.
It will support OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig"
rel="nofollow">server configuration</a> queries at ".well-known/openid-configuration".</p><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89"
rel="nofollow"><br clear="none"></a></p><h1 id="JAX-RSOIDC-FedizOIDCIDP">Fediz
OIDC IDP</h1><p><a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz
OIDC</a> project provides a reference integration between CXF OIDC IDP code and Fediz
Authentication Syst
 em. It has <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html"
rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><p>It
creates IdToken in a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java"
rel="nofollow">SubjectCreator</a> as described above. Currently it depends on CXF
Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47"
rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed.
Besides that it provides a support for managing the client registrations. <a shape="rect"
class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml"
rel="nofollow">It registers</a>
  OIDC services as JAX-RS endpoints.</p><p>While some implementation details may
change going forward (example, the alternative data provider may get introduced, etc), for
the most part it shows that creating IdToken is what is really needed to get the container
integrated with the CXF OIDC code.</p><h1 id="JAX-RSOIDC-OIDCRPsupport">OIDC RP
support</h1><p>OIDC RP client support is needed for the client application to
redirect a user to OIDC IDP, get and validate IdToken, optionally get UserInfo, and make both
IdToken and UserInfo easily accessible to the client application code.</p><h2 id="JAX-RSOIDC-Demos">Demos</h2><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query"
rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java"
rel="
 nofollow">demo service</a> is OAuth2 client which relies on CXF OIDC RP code to
support interacting with the user, redirecting the user to Google to authenticate, and validating
IdToken returned from Google AccessTokenService alongside a new access token (OIDC Authorization
Code Flow). The demo service uses IdToken to address the user correctly and the access token
to access the user's resources as authorized by the user.</p><p>For example, the
context is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L51"
rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68"
rel="nofollow">the access token</a> and <a shape="rect" class="external-link"
href="https://git
 hub.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75"
rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70"
rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc"
rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java"
rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS server.
This server works with an HTTP Browser client which uses Google script libraries to 
 get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser client
interacts with CXF OIDC RP code to get IdToken validated and then posts this token to the
demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible in
its code</p><p>&#160;</p><p>&#160;</p></div>
+</div></div><h1 id="JAX-RSOIDC-IdTokenandUserInfo">IdToken and UserInfo</h1><p><a
shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken"
rel="nofollow">IdToken</a> is a primary extension that OIDC makes to OAuth2. It provides
a collection of claims describing the authenticated user. IdToken is a secured <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JSONWebToken">JWT token</a>
which is <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWSSignature">JWS-signed</a>
and/or <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption">JWE-encrypted</a>
by OIDC IDP.</p><p>CXF provides <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java"
rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.IdToken</a>.</p>
 <p>One way to populate it is to register a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java"
rel="nofollow">SubjectCreator</a> with either OidcAuthorizationCodeService or OidcImplicitService.
For example, <a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz OIDC</a>
uses the <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java"
rel="nofollow">following SubjectCreator:</a> it accesses a user principal prepared
by Fediz Authenticators and creates IdToken by converting an already available SAML token
to IdToken and sets it on <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSub
 ject.java" rel="nofollow">OidcUserSubject</a>. In other cases a user principal may
already have a prepared IdToken.&#160;</p><p>The other approach is to create
IdToken in a <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-WritingOAuthDataProvider">custom
OAuthDataProvider</a> at the moment a code grant or access token is persisted. In this
case IdToken will need to be populated first and then converted to either JWS or JWE sequence
and saved as a grant or token "id_token" property: if it is a code flow then set it as a grant
property at the moment the grant is persisted, if it is the implicit flow - set it as a token
property at the moment the token is persisted. This approach is a bit more involved but creating
a JWS or JWS IdToken representations with <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-jose.html">CXF
JOSE</a> is straightforward.&#160; &#160;</p><p>In general the way
IdToken is created is container/implementation specific. Creati
 ng IdToken is the main requirement for integrating CXF OIDC code with the 3rd party container.</p><p>Finally,
<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
to complete the authorization code flow) or <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java#L140"
rel="nofollow">OidcImplicitService</a> can ask <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">IdTokenProvider</a> to create IdToken at the m
 oment it needs to be returned to the client application.&#160;</p><p>IdToken
can provide enough information for the client application to work with the current user. However,
the client can get more information about the user from OIDC <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo" rel="nofollow">UserInfo
endpoint</a>.</p><p>CXF provides&#160;<span class="pl-smi">&#160;</span><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java"
rel="nofollow"><span class="pl-smi">org.apache.cxf.rs.security.oidc.common</span>.UserInfo.</a>
One can create and set it at <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a> at the same time IdToken is created or
  let CXF OIDCUserInfo service create it as described below.</p><h1 id="JAX-RSOIDC-OIDCIDPsupport">OIDC
IDP support</h1><p>Currently CXF OIDC IDP code provides JAX-RS services for supporting
OIDC <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth"
rel="nofollow">Authorization Code</a>, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth"
rel="nofollow">Implicit</a> and <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth"
rel="nofollow">Hybrid</a> flows. These services support <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication" rel="nofollow">all
OIDC response types</a>.</p><p>Services for supporting <a shape="rect"
class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#UserInfo"
rel="nofollow">UserInfo requests</a> and r
 eturning IdToken <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#Signing"
rel="nofollow">signature verification keys</a> are also shipped.&#160;</p><h2
id="JAX-RSOIDC-OIDCFlowServices">OIDC Flow Services</h2><h3 id="JAX-RSOIDC-AuthorizationCodeFlow">Authorization
Code Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java"
rel="nofollow">OidcAuthorizationCodeService</a> is a simple <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AuthorizationService">AuthorizationCodeGrantService</a>
extension which enforces OIDC specific constraints.&#160;</p><p>This service
issues a code grant, while&#160;<a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
returns Access and Id tokens.&#160;</p><p>
 <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a> (used by <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>)
is where IdToken is actually added to the client response.</p><h3 id="JAX-RSOIDC-ImplicitFlow">Implicit
Flow</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java"
rel="nofollow">OidcImplicitService</a> is a simple ImplicitGrantService extension
which enforces OIDC specific constraints and adds IdToken to the client response.&#160;</p><h3
id="JAX-RSOIDC-HybridFlow">Hybrid Flow</h3><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc
 /src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java" rel="nofollow">OidcHybridService</a>
supports Hybrid Flow by delegating to both <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java"
rel="nofollow">OidcImplicitService</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java"
rel="nofollow">OidcAuthorizationCodeService</a>.&#160;</p><h2 id="JAX-RSOIDC-UserInfoEndpoint">UserInfo
Endpoint</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java"
rel="nofollow">UserInfoService</a> returns UserInfo. It checks <a shape="rect"
class="external-link" href="https://g
 ithub.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java"
rel="nofollow">UserInfoProvider</a> first, next - <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java"
rel="nofollow">OidcUserSubject</a>, and finally it defaults to converting the existing
IdToken to UserInfo.</p><p>Note <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java"
rel="nofollow">UserInfoService</a> is accessed by a client which uses the access
token issued to it during the user authentication process.</p><h2 id="JAX-RSOIDC-JWKKeysService">JWK
Keys Service</h2><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apach
 e/cxf/rs/security/oidc/idp/OidcKeysService.java" rel="nofollow">OidcKeysService</a>
returns a JWK key set containing a public verification JWK key. By default only a public key
is returned but the service can also be configured for JWK key to include the corresponding&#160;
X509 certificate chain too.&#160; Use this service if IdToken is signed by a private RSA
or EC key for the client be able to fetch the verification keys without having to import them
into local key stores.</p><p>&#160;</p><h2 id="JAX-RSOIDC-OidcDynamicRegistrationService">OidcDynamicRegistrationService</h2><p>&#160;</p><p>This
service is available starting from CXF 3.1.8. It supports the dynamic client <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7591" rel="nofollow">registration</a>
and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7592" rel="nofollow">management</a>
with <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-
 registration-1_0.html" rel="nofollow">OIDC specific properties</a> being handled
too. At the moment some of the advanced registration properties are not yet processed and
linked to the way the core OIDC services operate but the service will be enhanced as needed
going forward.</p><p>&#160;</p><h2 id="JAX-RSOIDC-OidcConfigurationService">OidcConfigurationService</h2><p>&#160;</p><p>This
service is available starting from CXF 3.1.8. It supports OIDC <a shape="rect" class="external-link"
href="http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig" rel="nofollow">server
configuration</a> queries at ".well-known/openid-configuration".</p><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml#L89"
rel="nofollow"><br clear="none"></a></p><h1 id="JAX-RSOIDC-FedizOIDCIDP">Fediz
OIDC IDP</h1><p><a shape="rect" href="https://cxf.apache.org/fediz-oidc.html">Fediz
OIDC</a> proj
 ect provides a reference integration between CXF OIDC IDP code and Fediz Authentication System.
It has <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html"
rel="nofollow">OIDC Core</a> supported with a minimum amount of code and configuration.</p><p>It
creates IdToken in a custom <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java"
rel="nofollow">SubjectCreator</a> as described above. Currently it depends on CXF
Ehcache <a shape="rect" class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/services/oidc/src/main/webapp/WEB-INF/data-manager.xml#L47"
rel="nofollow">OAuthDataProvider</a> OOB so no custom persistence code is needed.
Besides that it provides a support for managing the client registrations. <a shape="rect"
class="external-link" href="https://github.com/apache/cxf-fediz/blob/master/s
 ervices/oidc/src/main/webapp/WEB-INF/applicationContext.xml" rel="nofollow">It registers</a>
OIDC services as JAX-RS endpoints.</p><p>While some implementation details may
change going forward (example, the alternative data provider may get introduced, etc), for
the most part it shows that creating IdToken is what is really needed to get the container
integrated with the CXF OIDC code.</p><h1 id="JAX-RSOIDC-OIDCRPsupport">OIDC RP
support</h1><p>OIDC RP client support is needed for the client application to
redirect a user to OIDC IDP, get and validate IdToken, optionally get UserInfo, and make both
IdToken and UserInfo easily accessible to the client application code.</p><h2 id="JAX-RSOIDC-Demos">Demos</h2><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/big_query"
rel="nofollow">BigQuery</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/
 release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java" rel="nofollow">demo
service</a> is OAuth2 client which relies on CXF OIDC RP code to support interacting
with the user, redirecting the user to Google to authenticate, and validating IdToken returned
from Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow).
The demo service uses IdToken to address the user correctly and the access token to access
the user's resources as authorized by the user.</p><p>For example, the context
is <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L51"
rel="nofollow">injected</a> and used to get <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L68"
rel
 ="nofollow">the access token</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java#L75"
rel="nofollow">the user info</a>. See <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml#L70"
rel="nofollow">the context</a> with the comments on how to configure RP filters.</p><p><a
shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/basic_oidc"
rel="nofollow">BasicOidc</a> <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/jax_rs/basic_oidc/src/main/java/demo/jaxrs/server/IdTokenService.java"
rel="nofollow">demo service</a> is not an OAuth2 client, but a basic JAX-RS 
 server. This server works with an HTTP Browser client which uses Google script libraries
to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser
client interacts with CXF OIDC RP code to get IdToken validated and then posts this token
to the demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible
in its code</p><p>&#160;</p><p>&#160;</p></div>
            </div>
            <!-- Content -->
          </td>
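Review bot: the unchanged context line `&lt;version&gt;3.1.7&lt;/version&gt;` in the Maven Dependencies snippet now contradicts the two new paragraphs, which both say "This service is available starting from CXF 3.1.8" for OidcDynamicRegistrationService and OidcConfigurationService; a reader who copies the snippet gets an artifact without either service, so either bump the snippet or state the minimum version next to each service. Several defects are carried over unchanged into the `+` block and this republish was the chance to fix them: the link whose text reads "UserInfoProvider" in the UserInfo Endpoint section still has an href ending in `idp/IdTokenProvider.java` and should point at the class it names; "creating a JWS or JWS IdToken representations" should read "JWS or JWE", matching the preceding sentence about "either JWS or JWE sequence"; the discovery path is quoted as ".well-known/openid-configuration" and the OpenID Connect Discovery spec places it at `/.well-known/openid-configuration` with the leading slash; and the empty anchor `<a ... applicationContext.xml#L89" rel="nofollow"><br clear="none"></a>` after the OidcConfigurationService paragraph renders as a dead link. Finally, the new sentence "some of the advanced registration properties are not yet processed and linked to the way the core OIDC services operate" should name which registered properties the core services do honour, because an operator deciding whether to expose an RFC 7591 registration endpoint needs to know which client settings are actually enforced at authorization and token time.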


