cxf-dev mailing list archives

From Sergey Beryozkin
Subject New OAuthDataProvider methods on the trunk/3.1.x
Date Mon, 28 Dec 2015 16:16:52 GMT

I had to update the OAuthDataProvider interface and add two methods for
listing the access and refresh tokens associated with a given OAuth2
client. Also, AuthorizationCodeDataProvider, which extends
OAuthDataProvider, has a new method for listing the pending code grants
associated with a given Client, so we have:

List<ServerAccessToken> getAccessTokens(Client)
List<RefreshToken> getRefreshTokens(Client)
List<ServerAuthorizationCode> getCodeGrants(Client)

The reason I've done it is that it has become obvious that the OAuthDataProvider
interface supports managing the existing tokens/grants in a very limited 
way. It is really important from a management point of view to show all 
the access and/or tokens associated with a given client or user.

I could've introduced new interfaces and made only the utility 
(AbstractOAuthDataProvider) provider shipped with CXF implement them but 
I did not because:
- I felt that it would add extra 'noise' to an already complex
OAuth2 runtime/API - after all, listing the existing tokens is quite a 
fundamental thing which would not be a new 'challenge' for the existing 
provider implementations - they store the tokens, can extract them by 
their ids, so obviously they can get them listed too

I had to do it for 3.1.5-SNAPSHOT because the OIDC module we do in Fediz 
does depend on 3.1.5-SNAPSHOT and we cannot wait till 3.2.0 gets
released (which is quite far away at this point of time).

Hope those who are working with CXF 3.1.4 and doing some custom OAuth2 
servers will not find it difficult to migrate. However, if someone thinks
it can pose some problems for their productions (and this is why I send
this mail to users) then I can revisit the idea of getting the above
methods added to dedicated interfaces. Let me know in this thread or
contact me privately if you prefer.

FYI, besides the above changes I've deprecated
OAuthDataProvider.removeAccessToken but will remove it only in 
3.2.0-SNAPSHOT (master). The reason is that OAuthDataProvider also
has a revokeToken accepting a token hint which is part of the standard
OAuth2 token revocation API.
Removing OAuthDataProvider.removeAccessToken will make this interface a
bit more minimalistic.

Thanks, Sergey
