Author: buildbot
Date: Thu Jun  6 11:48:04 2013
New Revision: 864656

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Jun  6 11:48:04 
2013
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth2
 
 
 <div>
-<ul><li><a shape="rect" 
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client 
Registration</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 
Servers</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-AuthorizationService">Authorization 
Service</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in 
Authorization Form</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse">Public Clients 
(Devices) and OOB Response</a></li></ul><li><a shape="rect" 
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a 
shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token 
Types</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-MA
 C">MAC</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom and Encrypted 
tokens</a></li></ul><li><a shape="rect" 
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
 shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported 
Grants</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource 
Owner Password Credentials</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul><li><a 
shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized acc
 ess tokens</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Preregisteredscopes">Pre-registered scopes</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing 
OAuthDataProvider</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS 
endpoints</a></li></ul><li><a shape="rect" 
href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client 
Authentication</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session 
Authenticity</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End 
User Subject initialization</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources 
with OAuth filters</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login 
name</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a
  shape="rect" 
href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the 
Explicit Authorization</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a 
Browser</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error 
details</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Designconsiderations">Design 
considerations</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the 
Access to Resource Server</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing 
the same access path between end users and clients</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
 different access points to end users and clients</a></li></ul><li><a 
shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign 
On</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-WhatI
 sNext">What Is Next</a></li></ul></div>
+<ul><li><a shape="rect" 
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client 
Registration</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 
Servers</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-AuthorizationService">Authorization 
Service</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in 
Authorization Form</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse">Public Clients 
(Devices) and OOB Response</a></li></ul><li><a shape="rect" 
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a 
shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token 
Types</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-MA
 C">MAC</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom and Encrypted 
tokens</a></li></ul><li><a shape="rect" 
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
 shape="rect" 
href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
 shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported 
Grants</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource 
Owner Password Credentials</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a
 ></li></ul><li><a shape="rect" 
 >href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access 
 >tokens</a></li><li><a shape="rect" 
 >href="#JAX-RSOAuth2-Preregisteredscopes">Pre-registered scopes</a></li><li><a 
 >shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing 
 >OAuthDataProvider</a></li><li><a shape="rect" 
 >href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS 
 >endpoints</a></li></ul><li><a shape="rect" 
 >href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client 
 >Authentication</a></li><li><a shape="rect" 
 >href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session 
 >Authenticity</a></li><li><a shape="rect" 
 >href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End 
 >User Subject initialization</a></li><li><a shape="rect" 
 >href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources 
 >with OAuth filters</a></li><li><a shape="rect" 
 >href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login 
 >name</a></l
 i><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side 
support</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the 
Explicit Authorization</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a 
Browser</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error 
details</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Designconsiderations">Design 
considerations</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the 
Access to Resource Server</a></li><ul><li><a shape="rect" 
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing 
the same access path between end users and clients</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
 different access points to end users and clients</a></li></ul><li><a 
shape="rect" href="#JAX-R
 SOAuth2-SingleSignOn">Single Sign On</a></li></ul></ul></div>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
 
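Review bot: the new `TokenRevocationService` entry is placed after the `</ul>` that closes the AccessTokenService subsections, so it sits at the same level as `AccessTokenService`, which agrees with the `<h2>` used for the new section later in the patch, and its `href="#JAX-RSOAuth2-TokenRevocationService"` matches the `name` attribute of that heading; the dropped "What Is Next" entry likewise matches the section deletion in the last hunk. One thing to verify in the regenerated list: the nested `<ul>` elements are emitted as direct children of the parent `<ul>` rather than inside an `<li>` (for example `</li><ul><li>`), which is not valid HTML; the `-` lines show the same structure, so this is pre-existing, but the regeneration keeps it.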
@@ -535,6 +535,15 @@ Authorization: MAC id=<span class="code-
 <h3><a shape="rect" 
name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService
 </h3>
 <p>The  <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java";>AccessTokenValidationService</a>
 is a CXF specific OAuth2 service for accepting the remote access token 
validation requests. Typically, OAuthRequestFilter (see on it below) may choose 
to impersonate itself as a third-party client and will ask 
AccessTokenValidationService to return the information relevant to the current 
access token, before setting up a security context. More on it below.</p>
 
+<h2><a shape="rect" 
name="JAX-RSOAuth2-TokenRevocationService"></a>TokenRevocationService</h2>
+
+<p><a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java";>TokenRevocationService</a>
 is a simple OAuth2 service supporting the clients wishing to revoke the access 
or refresh tokens they own themselves, please see <a shape="rect" 
class="external-link" 
href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09"; 
rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p>
+
+<p>TokenRevocationService and AccessTokenService share the same code which 
enforces that the clients have been correctly authenticated.</p>
+
+<p>Note, OAuthDataProvider implementations processing a revocation request 
should simply ignore the invalid tokens as recommended by the specification 
which will let TokenRevocationService return HTTP 200 which is done to minimize 
a possible attack surface (specifically for bad clients not to see if their 
requests failed or succeeded) and throw the exceptions only if the token 
revocation feature is not currently supported.</p>
+
+
 <h2><a shape="rect" name="JAX-RSOAuth2-SupportedGrants"></a>Supported 
Grants</h2>
 
 <p>The following subsections briefly describe how the well-known grant types 
can be supported on the server side. Please also check the "Client Side 
Support" section on how to use the related <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";>AccessTokenGrant</a>
 implementations to request the access tokens.</p>
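Review bot: the new text says the service is for clients revoking "tokens they own themselves" and that the shared code "enforces that the clients have been correctly authenticated", but it does not state that an `OAuthDataProvider` must also check that the submitted token was actually issued to the authenticated client before revoking it; since the last paragraph asks implementations to silently ignore invalid tokens and return HTTP 200, a mismatched token should be treated the same way (ignored, not revoked), and the documentation should say so explicitly. The last paragraph is also one long sentence; splitting it at "which will let TokenRevocationService return HTTP 200" and at "and throw the exceptions only if" would make the two rules (ignore invalid tokens; throw only when revocation is unsupported) easier to follow. Minor: both `href` attributes end in `";>`, the same stray `;` seen on the unchanged `href` lines, so confirm it is an archive artifact and not present in the published HTML.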
@@ -1094,11 +1103,6 @@ For example, consider the following JAX-
 <p>When dealing with authenticating the end users, having an SSO solution in 
place is very handy. This is because the end user interacts with both the 
third-party and its resource server web applications and is also redirected 
from the client application to the resource server and back again. 
Additionally, the end user may need to authenticate with Authorization service 
if it is not collocated with the application endpoints. OpenID or say a 
WebBrowser SSO profile can help. </p>
 
 <p>CXF 2.6.1 provides an initial support for a <a shape="rect" 
href="http://cxf.apache.org/docs/saml-web-sso.html";>SAML2 SSO profile</a>. This 
will make it easier to minimize a number of sign ins to a single attempt and 
run OAuth2 Authorization servers separately from the application endpoints. </p>
-
-<h1><a shape="rect" name="JAX-RSOAuth2-WhatIsNext"></a>What Is Next</h1>
-
-<p>Fine tuning the current OAuth 2.0 implementation will be continued and the 
feedback from the implementers will be welcomed.<br clear="none">
-OAuth 2.0 grants based on SAML2 or JWT assertions, OAuth 2.0 extensions - are 
all of interest to CXF.</p>
 </div>
            </div>
            <!-- Content -->
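Review bot: the deleted "What Is Next" section was the only place on the page that mentioned OAuth 2.0 grants based on SAML2 or JWT assertions and that invited implementer feedback, and nothing in this patch replaces it; since the table of contents in the first hunk still carries an "Assertions" grant entry, confirm that subsection now covers those grants so the pointer is not lost. The trailing context (` </div>` followed by the indented `</div>` and `<!-- Content -->`) shows the closing tags are unchanged, so the removal leaves the surrounding structure intact.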

