Author: buildbot
Date: Fri Aug 26 12:47:41 2016
New Revision: 995960
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
websites/production/cxf/content/docs/jax-rs-oidc.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Fri Aug 26 12:47:41
2016
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS:
OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1470660420927 {padding: 0px;}
-div.rbtoc1470660420927 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1470660420927 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1472215618386 {padding: 0px;}
+div.rbtoc1472215618386 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1472215618386 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1470660420927">
+/*]]>*/</style></p><div class="toc-macro rbtoc1472215618386">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client
Registration</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization
View</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in
Authorization Form</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
@@ -134,7 +134,7 @@ div.rbtoc1470660420927 li {margin-left:
</li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</a></li></ul>
</li><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenValidationService">Access Token Validation
Service</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenValidatorService">AccessTokenValidatorService</a></li><li><a
shape="rect"
href="#JAX-RSOAuth2-TokenIntrospectionService">TokenIntrospectionService</a></li></ul>
-</li><li><a shape="rect"
href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a>
+</li><li><a shape="rect"
href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
shape="rect"
href="#JAX-RSOAuth2-DynamicRegistrationService">DynamicRegistrationService</a></li><li><a
shape="rect"
href="#JAX-RSOAuth2-AuthorizationMetadataService">AuthorizationMetadataService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource
Owner Password Credentials</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT
Assertions</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom
Grants</a></li></ul>
</li><li><a shape="rect"
href="#JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow
Filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse
Filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access
tokens</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-DefaultProviders">Default Providers</a></li></ul>
@@ -152,7 +152,7 @@ div.rbtoc1470660420927 li {margin-left:
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
different access points to end users and clients</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign
On</a></li></ul>
</li></ul>
-</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>New:</p><ul
style="list-style-type: square;"><li>OAuth2 module now depends on CXF
cxf-rt-rs-security-jose module with the utility code in place to support a
number of OAuth2 features depending on JOSE <br clear="none"><br
clear="none"></li></ul><p>CXF provides the implementation of <a shape="rect"
class="external-link" href="http://tools.ietf.org/html/rfc6749";
rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect"
href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth
1.0.</p><p>Authorization Code, Implicit, Client Credentials, Resource Owner
Password Credentials, Refresh Token, SAML2 Assertions and JWT assertion grants
are currently supported.</p><p>Custom grant handlers can be
registered.</p><p>OAuth2 is a new protocol which offers a complex yet elegant
solution toward helping end users (resource owners) authorize third-party
providers to access their resources.</p><p>The OAuth2 flow which is clos
ely related to the original OAuth 1.0 3-leg flow is called Authorization Code
and involves 3 parties: the end user, the third party service (client) and the
resource server which is protected by OAuth2 filters. Typically a client offers
a service feature that an end user requests and which requires the former to
access one or more protected resources on behalf of this user which are located
at the resource server. For example, the client may need to access the end
user's photos in order to print them and post to the user or read and possibly
update a user's calendar in order to make a booking.</p><p>In order to make it
happen, the third-party service application/client needs to register itself
with the OAuth2 server. This happens out-of-band and after the registration the
client gets back a client key and secret pair. Typically the client is expected
to provide the name and description of the application, the application logo
URI, one or more redirect URIs, and other information tha
t may help the OAuth2 authorization server to identify this client to the end
user at the authorization time.</p><p>From then on, the authorization code flow
works like this:<br clear="none"> 1. End User requests the third-party service
using a browser.</p><p>2. The client redirects the end user to OAuth2
Authorization Service, adding its client id, the state, redirect URI and the
optional scope to the target URI. The state parameter represents the current
end user's request, redirect URI - where the authorization code is expected to
be returned to, and the scope is the list of opaque permissions that the client
needs in order to access the protected resources.</p><p>3. Authorization
Service will retrieve the information about the client using its client id,
build an HTML form and return it to the end user. The form will ask the user if
a given third-party application can be allowed to access some resources on
behalf of this user.</p><p>4. If the user approves it then Authorization
Service will generate an authorization code and redirect the user back to the
redirect uri provided by the client, also adding a state parameter to the
redirect URI.</p><p>5. The client requests an access token from OAuth2 Access
Token Service by providing an authorization code grant.</p><p>6. After getting
an access token token, the service finally proceeds with accessing the current
user's resources and completes the user's request.</p><p>As you can see the
flow can be complex yet it is very effective. A number of issues may need to be
taken care along the way such as managing expired tokens, making sure that the
OAuth2 security layer is functioning properly and is not interfering with the
end user itself trying to access its own resources, etc.</p><p>Please check the
<a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc6749"; rel="nofollow">specification</a> as
well as other resources available on the WEB for more information you may need
to know about OAuth2
.</p><p>CXF JAX-RS gives the best effort to making this process as simple as
possible and requiring only a minimum effort on behalf of OAuth2 server
developers. It also offers the utility code for greatly simplifying the way the
third-party application can interact with the OAuth2 service endpoints.</p><h1
id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div><h1 id="JAX-RSOAuth2-Introduction">Introduction</h1><p>New:</p><ul
style="list-style-type: square;"><li>Ehcache and JCache OAuthDataProviders can
represent access tokens in JWT <br clear="none"><br
clear="none"></li></ul><p>CXF provides the implementation of <a shape="rect"
class="external-link" href="http://tools.ietf.org/html/rfc6749";
rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect"
href="jax-rs-oauth.html">JAX-RS OAuth</a> page for information about OAuth
1.0.</p><p>Authorization Code, Implicit, Client Credentials, Resource Owner
Password Credentials, Refresh Token, SAML2 Assertions and JWT assertion grants
are currently supported.</p><p>Custom grant handlers can be
registered.</p><p>OAuth2 is a new protocol which offers a complex yet elegant
solution toward helping end users (resource owners) authorize third-party
providers to access their resources.</p><p>The OAuth2 flow which is closely
related to the original OAuth 1.0 3-leg flow is called Authorization Code a
nd involves 3 parties: the end user, the third party service (client) and the
resource server which is protected by OAuth2 filters. Typically a client offers
a service feature that an end user requests and which requires the former to
access one or more protected resources on behalf of this user which are located
at the resource server. For example, the client may need to access the end
user's photos in order to print them and post to the user or read and possibly
update a user's calendar in order to make a booking.</p><p>In order to make it
happen, the third-party service application/client needs to register itself
with the OAuth2 server. This happens out-of-band and after the registration the
client gets back a client key and secret pair. Typically the client is expected
to provide the name and description of the application, the application logo
URI, one or more redirect URIs, and other information that may help the OAuth2
authorization server to identify this client to the end u
ser at the authorization time.</p><p>From then on, the authorization code flow
works like this:<br clear="none"> 1. End User requests the third-party service
using a browser.</p><p>2. The client redirects the end user to OAuth2
Authorization Service, adding its client id, the state, redirect URI and the
optional scope to the target URI. The state parameter represents the current
end user's request, redirect URI - where the authorization code is expected to
be returned to, and the scope is the list of opaque permissions that the client
needs in order to access the protected resources.</p><p>3. Authorization
Service will retrieve the information about the client using its client id,
build an HTML form and return it to the end user. The form will ask the user if
a given third-party application can be allowed to access some resources on
behalf of this user.</p><p>4. If the user approves it then Authorization
Service will generate an authorization code and redirect the user back to the r
edirect uri provided by the client, also adding a state parameter to the
redirect URI.</p><p>5. The client requests an access token from OAuth2 Access
Token Service by providing an authorization code grant.</p><p>6. After getting
an access token token, the service finally proceeds with accessing the current
user's resources and completes the user's request.</p><p>As you can see the
flow can be complex yet it is very effective. A number of issues may need to be
taken care along the way such as managing expired tokens, making sure that the
OAuth2 security layer is functioning properly and is not interfering with the
end user itself trying to access its own resources, etc.</p><p>Please check the
<a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc6749"; rel="nofollow">specification</a> as
well as other resources available on the WEB for more information you may need
to know about OAuth2.</p><p>CXF JAX-RS gives the best effort to making this
process as simple as po
ssible and requiring only a minimum effort on behalf of OAuth2 server
developers. It also offers the utility code for greatly simplifying the way the
third-party application can interact with the OAuth2 service endpoints.</p><h1
id="JAX-RSOAuth2-Mavendependencies">Maven dependencies</h1><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-security-oauth2</artifactId>
@@ -348,7 +348,7 @@ Authorization: MAC id="5b5c8e677413277c4
mac="W7bdMZbv9UWOTadASIQHagZyirA="
ts="12345678"
</pre>
-</div></div><p>where 'ts' attribute is used to pass a timestamp value.</p><h4
id="JAX-RSOAuth2-EncryptedTokens">Encrypted Tokens</h4><p>Typically, the tokens
are persisted in the storage. The alternative approach is to completely encrypt
the token state and return the encrypted representation back to a client: the
processing time to do with the encryption and decryption might increase but the
server wins on avoiding the DB / storage lookups.    </p><p>CXF
3.0.0-milestone2 introduces the utility support for encrypting the state of
BearerAccessToken and RefreshToken.</p><p>The tokens can be encrypted and
decrypted with symmetric (secret) keys or certificates (public and private
keys) and the combination of certificates and secret keys.</p><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java";
rel="nofollow">ModelE
ncryptionSupport</a> can be used to encrypt the tokens using the custom
serialization format.</p><p>Note that ServerAuthorizationGrant and Client can
also be encrypted.</p><p> </p><p>The simplest strategy is to encrypt and
decrypt the tokens with the symmetric/secret keys. Every new token can be
encrypted with a unique secret key or all of them can be encrypted with a
single secret key. The utilities provide few methods for creating secret keys
with the default and advanced properties, in addition there are many examples
around on how to create the keys with the specific properties.</p><p>For
example, see
org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider
and org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider
which are shipped starting from CXF 3.0.2.</p><p>Here is a typical code
demonstrating how the encryption/decryption works:</p><p> </p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeCo
ntent panelContent pdl">
+</div></div><p>where 'ts' attribute is used to pass a timestamp value.</p><h4
id="JAX-RSOAuth2-EncryptedTokens">Encrypted
Tokens</h4><p><strong>Note</strong>: consider using <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWEEncryption";>JWE
Encryption</a> with JWT access tokens (see next section).</p><p>Typically, the
tokens are persisted in the storage. The alternative approach is to completely
encrypt the token state and return the encrypted representation back to a
client: the processing time to do with the encryption and decryption might
increase but the server wins on avoiding the DB / storage lookups.  
 </p><p>CXF 3.0.0-milestone2 introduces the utility support for encrypting
the state of BearerAccessToken and RefreshToken.</p><p>The tokens can be
encrypted and decrypted with symmetric (secret) keys or certificates (public
and private keys) and the combination of certificates and secret keys.</p><p><a
shape="rect" class="external-li
nk"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java";
rel="nofollow">ModelEncryptionSupport</a> can be used to encrypt the tokens
using the custom serialization format.</p><p>Note that ServerAuthorizationGrant
and Client can also be encrypted.</p><p> </p><p>The simplest strategy is
to encrypt and decrypt the tokens with the symmetric/secret keys. Every new
token can be encrypted with a unique secret key or all of them can be encrypted
with a single secret key. The utilities provide few methods for creating secret
keys with the default and advanced properties, in addition there are many
examples around on how to create the keys with the specific
properties.</p><p>For example, see
org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider
and org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider
which are ship
ped starting from CXF 3.0.2.</p><p>Here is a typical code demonstrating how
the encryption/decryption works:</p><p> </p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">SecretKey key = CryptoUtils.getSecretKey();
// create a new token, encrypt its state and return
@@ -364,7 +364,45 @@ return token;
// decrypt a token given a token key
ModelEncryptionSupport.decryptAccessToken(this, encryptedToken, key);</pre>
-</div></div><pre> </pre><h4 id="JAX-RSOAuth2-JWTTokens">JWT
Tokens</h4><p>JWT Token can be JWE-encrypted and the encrypted string passed to
ServerAccessToken as access token id parameter.</p><p>See <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html";>JAX-RS JOSE</a> wiki page
for more information on how to sign and encrypt JSON Web Tokens.</p><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java";
rel="nofollow">JwtAccessTokenUtils </a>provides utility method for encrypting
and decrypting an access token represented as JWT.</p><p>Note more support for
JWT access tokens is on the way.</p><h4 id="JAX-RSOAuth2-Customtokens">Custom
tokens</h4><p>If needed, users can use their own custom token types, with the
only restriction that the custom token type implementations have to extend
org.apache.cxf.rs.security.oauth2.co
mmon.ServerAccessToken.</p><h4
id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and
Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect"
class="external-link"
href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00";
rel="nofollow">audience</a> parameter is supported during the client token
requests.</p><h3
id="JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</h3><p>org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider
is a JAX-RS MessageBodyWriter which supports returning ClientAccessToken and
OAuthError representations to the client in a JSON format required by OAuth2
spec. It is also a JAX-RS MessageBodyReader that is used by client
OAuthClientUtils (see below) to read the responses from
AccessTokenService.</p><p>Register it as a provider with a JAXRS
AccessTokenService endpoint.</p><p>Alternatively, if you prefer, a custom
MessageBodyWriter implementation can be registered instead.</p><h2
id="JAX-RSOAuth2-AccessTokenValidationService">Access Token
Validation Service</h2><h3
id="JAX-RSOAuth2-AccessTokenValidatorService">AccessTokenValidatorService</h3><p>The
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java";
rel="nofollow">AccessTokenValidatorService</a> is a CXF specific OAuth2
service for accepting the remote access token validation requests.
OAuthRequestFilter needs to be injected with <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java";
rel="nofollow">AccessTokenValidatorClient</a> which will ask
AccessTokenValidatorService to return the information relevant to the current
access token, before setting up a security context.</p><h3
id="JAX-RSOAuth2-TokenIntrospectionService">TokenIntrospectionService</h3><p>The
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java";
rel="nofollow">TokenIntrospectionService</a> is a standard OAuth2 service for
accepting the remote access token introspection requests. See <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7662";
rel="nofollow">RFC 7662</a>. OAuthRequestFilter needs to be injected with <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java";
rel="nofollow">AccessTokenIntrospectionClient.</a></p><h2
id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cx
f/rs/security/oauth2/services/TokenRevocationService.java"
rel="nofollow">TokenRevocationService</a> is a simple OAuth2 service supporting
the clients wishing to revoke the access or refresh tokens they own themselves,
please see <a shape="rect" class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09";
rel="nofollow">OAuth2 Token Revocation Draft</a> for more
information.</p><p>TokenRevocationService and AccessTokenService share the same
code which enforces that the clients have been correctly
authenticated.</p><p>Note, OAuthDataProvider implementations processing a
revocation request should simply ignore the invalid tokens as recommended by
the specification which will let TokenRevocationService return HTTP 200 which
is done to minimize a possible attack surface (specifically for bad clients not
to see if their requests failed or succeeded) and throw the exceptions only if
the token revocation feature is not currently supported.</p><h2
id="JAX-RSOAuth2-
SupportedGrants">Supported Grants</h2><p>The following subsections briefly
describe how the well-known grant types can be supported on the server side.
Please also check the "Client Side Support" section on how to use the related
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";
rel="nofollow">AccessTokenGrant</a> implementations to request the access
tokens.</p><h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As
described above, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java";
rel="nofollow">AuthorizationCodeGrantService</a> service and <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/s
rc/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java"
rel="nofollow">AuthorizationCodeDataProvider</a> data provider can support a
redirection-based Authorization Code flow.</p><p>The code that the client
receives in the end of the redirection process will need to be exchanged for a
new access token with AccessTokenService. CXF-based clients can use a helper <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java";>AuthorizationCodeGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same
way Authorization Code grant is except that no code is created, a token is
issued immediately and returned to the client running within a web
browser.</p><p><a shape="rect" class="external-link" href="https://gith
ub.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java"
rel="nofollow">ImplicitGrantService</a> service asks <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";
rel="nofollow">OAuthDataProvider</a> data provider to issue a new token after
a user has approved it.</p><p>Note the only difference is the use of
ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also note
that when an Implicit grant client (running within a browser) replaces the code
grant for a new access token and tries to access the end user's resource, Cross
Origin Resource Sharing (CORS) support will most likely need to be enabled on
the end user's resource server.<br clear="none"> The simplest approach is to
register a CXF <a shape="rect" href="http://cxf.apac
he.org/docs/jax-rs-cors.html">CORS filter</a>, right before OAuth2 filter (see
on it below).</p><p>Starting from CXF 2.7.5 it is possible to request
ImplicitGrantService to return a registered Client id to the browser-hosted
client. This is recommended so that the client can verify that the token is
meant to be delivered to this client.</p><h3
id="JAX-RSOAuth2-ClientCredentials">Client Credentials</h3><p>Register <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java";
rel="nofollow">ClientCredentialsGrantHandler</a> handler with
AccessTokenService for this grant be supported.</p><p>CXF-based clients can use
a helper <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGr
ant.java" rel="nofollow">ClientCredentialsGrant</a> bean to request a new
access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password
Credentials</h3><p>Register <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java";
rel="nofollow">ResourceOwnerGrantHandler</a> handler with AccessTokenService
for this grant be supported.</p><p>CXF-based clients can use a helper <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java";>ResourceOwnerGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a
refresh token grant if the current access toke
n it owns has expired or been revoked and the refresh token was issued
alongside with the access token which is now invalid and get the new,
'refreshed' access token. This can allow the client to avoid seeking a new
authorization approval from the end user.</p><p>Register <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java";>RefreshTokenGrantHandler</a>
handler with AccessTokenService for this grant be supported. Note this grant
handler is only useful for refreshing the existing access token, so one or more
of the other grant handlers (Authorization Code, Implicit, etc) will also have
to be registered with AccessTokenService.</p><p>CXF-based clients can use a
helper <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security
/oauth2/grants/owner/ResourceOwnerGrant.java"
rel="nofollow">RefreshTokenGrant</a> bean to request a new access token with
OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT
Assertions</h3><p><a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7522"; rel="nofollow">SAML2 assertions</a>
and <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7523"; rel="nofollow">JWT assertions</a>
can be used as token grants.</p><p>JWT assertion grants are supported in <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt";
rel="nofollow">this package</a>. <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java";
rel="nofollow">JwtBearerAuthHandler</a> can be us
ed as a generic client authentication filter (where the client authenticated
with JWT token as opposed to with a username:password pair, etc).</p><p>Please
also see <a shape="rect" href="jaxrs-oauth2-assertions.html">JAXRS OAuth2
Assertions</a> section for more information.</p><p> </p><h3
id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If you need to customize
the way the well-known grant requests are handled then consider extending one
of the grant handlers listed in the previous sub-sections.</p><p>Alternatively
create a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java";
rel="nofollow">AccessTokenGrantHandler</a> and register it with
AccessTokenService. Additionally, consider providing a related <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-paren
t/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java"
rel="nofollow">AccessTokenGrant</a> implementation for making it easy for the
client code to request a new access token with this custom grant.</p><h2
id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow Filters</h2><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationRequestFilter.java";
rel="nofollow">AuthorizationRequestFilter</a> implementations can be
registered with AuthorizationCodeGrantService or ImplicitGrantService in order
to pre-process code requests. For example, <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java";
rel="nofollow">JwtRequestCodeFilter</a> can be used to process JWS-signed or
JWE-encrypted code requests.</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java";
rel="nofollow">AuthorizationCodeResponseFilter</a> implementations can be
registered with AuthorizationCodeService in order to post-process code
responses.</p><h2
id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse
Filters</h2><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java";
rel="nofollow">AccessTokenResponseFilter</a> implementations can be registered
with AccessTokenService in order to post-process access token responses. For
example,  OIDC IdToken can be added to a response with a <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/
blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java"
rel="nofollow">IdTokenResponseFilter</a>.</p><h2
id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access
tokens</h2><p>When working with the flows which require the end users/resource
owners explicitly authorizing clients (for example, as in the case of
redirection-based flows), using pre-authorized access tokens is one option to
minimize the need for the end-user intervention. <br clear="none">
OAuthDataProvider is always checked first if the pre-authorized access token
for a given Client exists and if yes then it will be returned immediately,
without starting the authorization process involving the end user (as required
by some flows).</p><p>Consider providing a user interface which will let the
end users/resource owners to pre-authorize specific clients early. Note, a CXF
service for supporting the users pre-authorizing the clients or revoking the
tokens for
some of the clients may be introduced in the future.</p><p>Also note that
using a refresh token grant may further help with minimizing the end user
involvement, in cases when the current access token has expired.</p><h2
id="JAX-RSOAuth2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can
register custom scopes they will be expected to use and then avoid specifying
the scopes when requesting the code grants or access tokens.<br clear="none">
Alternatively it makes it easier to support so called wild-card scopes. For
example, a client pre-registers a scope "update" and actually uses an
"update-7" scope: Redirection-based services and access token grants can be
configured to do a partial scope match, in this case, validate that "update-7"
starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a
lot with setting up an OAuth server. As you can see from the above sections,
these s
ervices rely on a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";
rel="nofollow">OAuthDataProvider</a> implementation.</p><p>The main task of <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";
rel="nofollow">OAuthDataProvider</a> is to persist and generate access tokens.
Additionally, as noted above, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";
rel="nofollow">AuthorizationCodeDataProvider</a> needs to persist and remove
the code grant registrations. The way it's done is really application-specific.
Consider
starting with a basic memory based implementation and then move on to keeping
the data in some DB.</p><p>Finally OAuthDataProvider may need to convert opaque
scope values such as "readCalendar" into a list of <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java";
rel="nofollow">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2
security filters will depend on it (assuming scopes are used in the first
place). </p><h3 id="JAX-RSOAuth2-DefaultProviders">Default
Providers</h3><p>CXF 3.1.7 ships JPA2 (<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java";
rel="nofollow">JPAOAuthDataProvider</a> and <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java"
rel="nofollow">JPACodeDataProvider</a>), Ehcache (<a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java";
rel="nofollow">DefaultEHCacheOAuthDataProvider</a> and <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java";
rel="nofollow">DefaultEHCacheCodeDataProvider</a>) and JCache (<a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java";
rel="nofollow">JCacheOAuthDataProvider</a> and <a shape="rect" cla
ss="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java";
rel="nofollow">JCacheCodeDataProvider</a>) provider implementations which take
care of all the persistence tasks: saving or removing registered clients,
tokens and code grants. These providers can be easily customized.</p><p>Custom
implementations can also extend  <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java";
rel="nofollow">AbstractOAuthDataProvider</a> or <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java";
rel="nofollow">AbstractCodeDataProvider</a>  and only impleme
nt their abstract persistence related methods or further customize some of
their code.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server
JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations and a
custom OAuthDataProvider provider in place, it is time to deploy the OAuth2
server. <br clear="none"> Most likely, you'd want to deploy AccessTokenService
as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><pre> </pre><h4 id="JAX-RSOAuth2-JWTTokens">JWT
Tokens</h4><p>Starting from CXF 3.1.8 some of CXF OAuthDataProvider
implementations (EhCache and JCache based) support Access Token representations
in JWT. This means that ServerAccessTokens created by data providers are
converted to a sequence of JSON JWT claims and then JWS signed and/or JWE
encrypted.</p><p>Custom data providers can extend <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java";
rel="nofollow">AbstractOAuthDataProvider</a> to depend on the code which
converts ServerAccessTokens to JWT and use <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java";
rel="nofollow">JwtTokenUtils</a> to convert JOSE token representat
ions back to ServerAccessToken.</p><p>For example, here is how one can
configure an Ehcache or JCache based provider to use JWT:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><bean id="oauthProvider"
class="org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuthDataProviderImpl">
+ <property name="useJwtFormatForAccessTokens" value="true"/>
+</bean></pre>
+</div></div><p> </p><p>Additionally, in order to sign and/or encrypt,
this provider can be injected with an instance of <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtProducer.java";
rel="nofollow">OAuthJoseJwtProducer</a> or AccessTokenService endpoint where
this provider is registered can be configured as follows:</p><p> </p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><jaxrs:server id="oauthServer1"
address="https://localhost:${testutil.ports.jaxrs-oauth2-serviceJwt}/services">
+ <jaxrs:serviceBeans>
+   <ref bean="tokenService"/>
+</jaxrs:serviceBeans><!-- Sign -->
+<jaxrs:properties>
+ <entry key="rs.security.signature.properties"
value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ <entry key="rs.security.signature.key.password.provider"
value-ref="keyPasswordProvider"/>
+ </jaxrs:properties>
+ </jaxrs:server></pre>
+</div></div><p> </p><p>Note that Ehcache and JCache providers will still
persist the complete ServerAccessToken representations - once JOSE sequence is
created it becomes a new tokenId of the current ServerAccessToken, with the
original tokenId becoming a JWT 'jti' claim.</p><p>One can configure the
providers to persist access tokens only as these newly created JOSE
sequences:</p><p> </p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><bean id="oauthProvider"
class="org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuthDataProviderImpl">
+ <property name="useJwtFormatForAccessTokens" value="true"/>
+ <property name="storeJwtTokenKeyOnly" value="true"/>
+</bean></pre>
+</div></div><p>Only a JOSE sequence representing a given ServerAccessToken
will be persisted. The providers will recreate ServerAccessToken from this
sequence when the token is needed by the runtime.</p><p> </p><p>Resource
server (RS) will need to make a decision how to validate this JWT token. It can
continue validating it remotely with AccessTokenValidationService or
TokenIntrsopectionService (see below for more info about these services) or if
RS has an access to the keys used to sign/encrypt JWT then it can use a local
JWT validation, example:</p><p> </p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><bean id="jwtTokenValidator"
class="org.apache.cxf.rs.security.oauth2.filters.JwtAccessTokenValidator"/>
+<bean id="oAuthFilterLocalValidation"
class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
+ <property name="tokenValidator" ref="jwtTokenValidator"/>
+</bean>
+
+<jaxrs:server
+ depends-on="tls-config"
+
address="https://localhost:${testutil.ports.jaxrs-oauth2-filtersJwt}/securedLocalValidation">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="oAuthFilterLocalValidation"/>
+ </jaxrs:providers>
+ <jaxrs:properties>
+ <entry key="rs.security.signature.in.properties"
value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ </jaxrs:properties>
+</jaxrs:server></pre>
+</div></div><p> </p><p>When to use JWT ? The pros are: might be easier to
align with some newer OAuth2 related specifications, might be possible to avoid
a remote validation call, possible OAuth2 server storage optimization. Cons:
the extra cost of validating (or decrypting), access token value reported to
and used by clients becomes larger. If JWS only is used - care should be taken
to avoid putting some sensitive JWT claims given that JWS payload can be
introspected.</p><p> </p><p>See <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-jose.html";>JAX-RS JOSE</a> wiki page
for more information on how to sign and encrypt JSON Web
Tokens.</p><p> </p><h4 id="JAX-RSOAuth2-Customtokens">Custom
tokens</h4><p>If needed, users can use their own custom token types, with the
only restriction that the custom token type implementations have to extend
org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.</p><h4
id="JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and
Audience</h4><p>Starting from CXF 2.7.7 an <a shape="rect"
class="external-link"
href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00";
rel="nofollow">audience</a> parameter is supported during the client token
requests.</p><h3
id="JAX-RSOAuth2-OAuthJSONProvider">OAuthJSONProvider</h3><p>org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider
is a JAX-RS MessageBodyWriter which supports returning ClientAccessToken and
OAuthError representations to the client in a JSON format required by OAuth2
spec. It is also a JAX-RS MessageBodyReader that is used by client
OAuthClientUtils (see below) to read the responses from
AccessTokenService.</p><p>Register it as a provider with a JAXRS
AccessTokenService endpoint.</p><p>Alternatively, if you prefer, a custom
MessageBodyWriter implementation can be registered instead.</p><h2
id="JAX-RSOAuth2-AccessTokenValidationService">Access Token Validation
Service</h2><h3 id="JAX-RSOAuth2-AccessTokenValidatorService">AccessTokenValid
atorService</h3><p>The <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java";
rel="nofollow">AccessTokenValidatorService</a> is a CXF specific OAuth2
service for accepting the remote access token validation requests.
OAuthRequestFilter needs to be injected with <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java";
rel="nofollow">AccessTokenValidatorClient</a> which will ask
AccessTokenValidatorService to return the information relevant to the current
access token, before setting up a security context.</p><h3
id="JAX-RSOAuth2-TokenIntrospectionService">TokenIntrospectionService</h3><p>The
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/
rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java"
rel="nofollow">TokenIntrospectionService</a> is a standard OAuth2 service for
accepting the remote access token introspection requests. See <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7662";
rel="nofollow">RFC 7662</a>. OAuthRequestFilter needs to be injected with <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java";
rel="nofollow">AccessTokenIntrospectionClient.</a></p><h2
id="JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</h2><p><a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java";
rel="nofollow">TokenRevocationS
ervice</a> is a simple OAuth2 service supporting the clients wishing to revoke
the access or refresh tokens they own themselves, please see <a shape="rect"
class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09";
rel="nofollow">OAuth2 Token Revocation Draft</a> for more
information.</p><p>TokenRevocationService and AccessTokenService share the same
code which enforces that the clients have been correctly
authenticated.</p><p>Note, OAuthDataProvider implementations processing a
revocation request should simply ignore the invalid tokens as recommended by
the specification which will let TokenRevocationService return HTTP 200 which
is done to minimize a possible attack surface (specifically for bad clients not
to see if their requests failed or succeeded) and throw the exceptions only if
the token revocation feature is not currently supported.</p><h2
id="JAX-RSOAuth2-DynamicRegistrationService">DynamicRegistrationService</h2><p>This
service is currently a
work in progress and may become available in CXF 3.1.8 or CXF 3.1.9. It will
support the dynamic client <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7591"; rel="nofollow">registration</a> and
<a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7592";
rel="nofollow">management</a>.</p><h2
id="JAX-RSOAuth2-AuthorizationMetadataService">AuthorizationMetadataService</h2><p>This
service is currently a work in progress and may become available in CXF 3.1.8
or CXF 3.1.9. It will support OAuth2 <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/draft-ietf-oauth-discovery-04";
rel="nofollow">server configuration</a> queries at
".well-known/oauth-authorization-server".</p><h2
id="JAX-RSOAuth2-SupportedGrants">Supported Grants</h2><p>The following
subsections briefly describe how the well-known grant types can be supported on
the server side. Please also check the "Client Side Support" section on how to
use the related <a s
hape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";
rel="nofollow">AccessTokenGrant</a> implementations to request the access
tokens.</p><h3 id="JAX-RSOAuth2-AuthorizationCode">Authorization Code</h3><p>As
described above, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java";
rel="nofollow">AuthorizationCodeGrantService</a> service and <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";
rel="nofollow">AuthorizationCodeDataProvider</a> data provider can support a
redirection-based Authorization Code flow.</p><p>The code that
the client receives in the end of the redirection process will need to be
exchanged for a new access token with AccessTokenService. CXF-based clients can
use a helper <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrant.java";>AuthorizationCodeGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-Implicit">Implicit</h3><p>Implicit grant is supported the same
way Authorization Code grant is except that no code is created, a token is
issued immediately and returned to the client running within a web
browser.</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java";
rel="nofollow">ImplicitGrantService</a> service asks <a shape="rect"
class="external-
link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";
rel="nofollow">OAuthDataProvider</a> data provider to issue a new token after
a user has approved it.</p><p>Note the only difference is the use of
ImplicitGrantService instead of AuthorizationCodeGrantService.</p><p>Also note
that when an Implicit grant client (running within a browser) replaces the code
grant for a new access token and tries to access the end user's resource, Cross
Origin Resource Sharing (CORS) support will most likely need to be enabled on
the end user's resource server.<br clear="none"> The simplest approach is to
register a CXF <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-cors.html";>CORS filter</a>, right
before OAuth2 filter (see on it below).</p><p>Starting from CXF 2.7.5 it is
possible to request ImplicitGrantService to return a registered Client id to
the browser-hosted client. T
his is recommended so that the client can verify that the token is meant to be
delivered to this client.</p><h3 id="JAX-RSOAuth2-ClientCredentials">Client
Credentials</h3><p>Register <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java";
rel="nofollow">ClientCredentialsGrantHandler</a> handler with
AccessTokenService for this grant be supported.</p><p>CXF-based clients can use
a helper <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrant.java";
rel="nofollow">ClientCredentialsGrant</a> bean to request a new access token
with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password
Credentials</h3><p>Register <a shape="rect
" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java";
rel="nofollow">ResourceOwnerGrantHandler</a> handler with AccessTokenService
for this grant be supported.</p><p>CXF-based clients can use a helper <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java";>ResourceOwnerGrant</a>
bean to request a new access token with OAuthClientUtils.</p><h3
id="JAX-RSOAuth2-RefreshToken">Refresh Token</h3><p>The client can issue a
refresh token grant if the current access token it owns has expired or been
revoked and the refresh token was issued alongside with the access token which
is now invalid and get the new, 'refreshed' access token. This can allow the
client to avoid seeking a new authorization appr
oval from the end user.</p><p>Register <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java";>RefreshTokenGrantHandler</a>
handler with AccessTokenService for this grant be supported. Note this grant
handler is only useful for refreshing the existing access token, so one or more
of the other grant handlers (Authorization Code, Implicit, etc) will also have
to be registered with AccessTokenService.</p><p>CXF-based clients can use a
helper <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrant.java";
rel="nofollow">RefreshTokenGrant</a> bean to request a new access token with
OAuthClientUtils.</p><h3 id="JAX-RSOAuth2-SAMLandJWTAssertions">SAML and JWT
Assertions</h3><p><a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7522";
rel="nofollow">SAML2 assertions</a> and <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7523"; rel="nofollow">JWT assertions</a>
can be used as token grants.</p><p>JWT assertion grants are supported in <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/tree/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt";
rel="nofollow">this package</a>. <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java";
rel="nofollow">JwtBearerAuthHandler</a> can be used as a generic client
authentication filter (where the client authenticated with JWT token as opposed
to with a username:password pair, etc).</p><p>Please also see <a shape="rect"
href="jaxrs-oauth2-assertions.html">JAXRS OAuth2 Asse
rtions</a> section for more information.</p><p> </p><h3
id="JAX-RSOAuth2-CustomGrants">Custom Grants</h3><p>If you need to customize
the way the well-known grant requests are handled then consider extending one
of the grant handlers listed in the previous sub-sections.</p><p>Alternatively
create a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java";
rel="nofollow">AccessTokenGrantHandler</a> and register it with
AccessTokenService. Additionally, consider providing a related <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java";
rel="nofollow">AccessTokenGrant</a> implementation for making it easy for the
client code to request a new access token with this custom grant.</p>
<h2 id="JAX-RSOAuth2-RedirectionFlowFilters">Redirection Flow
Filters</h2><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationRequestFilter.java";
rel="nofollow">AuthorizationRequestFilter</a> implementations can be
registered with AuthorizationCodeGrantService or ImplicitGrantService in order
to pre-process code requests. For example, <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java";
rel="nofollow">JwtRequestCodeFilter</a> can be used to process JWS-signed or
JWE-encrypted code requests.</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeRes
ponseFilter.java" rel="nofollow">AuthorizationCodeResponseFilter</a>
implementations can be registered with AuthorizationCodeService in order to
post-process code responses.</p><h2
id="JAX-RSOAuth2-AccessTokenResponseFilters">AccessTokenResponse
Filters</h2><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java";
rel="nofollow">AccessTokenResponseFilter</a> implementations can be registered
with AccessTokenService in order to post-process access token responses. For
example,  OIDC IdToken can be added to a response with a <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java";
rel="nofollow">IdTokenResponseFilter</a>.</p><h2
id="JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens
</h2><p>When working with the flows which require the end users/resource
owners explicitly authorizing clients (for example, as in the case of
redirection-based flows), using pre-authorized access tokens is one option to
minimize the need for the end-user intervention. <br clear="none">
OAuthDataProvider is always checked first if the pre-authorized access token
for a given Client exists and if yes then it will be returned immediately,
without starting the authorization process involving the end user (as required
by some flows).</p><p>Consider providing a user interface which will let the
end users/resource owners to pre-authorize specific clients early. Note, a CXF
service for supporting the users pre-authorizing the clients or revoking the
tokens for some of the clients may be introduced in the future.</p><p>Also note
that using a refresh token grant may further help with minimizing the end user
involvement, in cases when the current access token has expired.</p><h2
id="JAX-RSOAut
h2-Pre-registeredscopes">Pre-registered scopes</h2><p>Clients can register
custom scopes they will be expected to use and then avoid specifying the scopes
when requesting the code grants or access tokens.<br clear="none">
Alternatively it makes it easier to support so called wild-card scopes. For
example, a client pre-registers a scope "update" and actually uses an
"update-7" scope: Redirection-based services and access token grants can be
configured to do a partial scope match, in this case, validate that "update-7"
starts from "update"</p><h2 id="JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a
lot with setting up an OAuth server. As you can see from the above sections,
these services rely on a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";
rel="no
follow">OAuthDataProvider</a> implementation.</p><p>The main task of <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";
rel="nofollow">OAuthDataProvider</a> is to persist and generate access tokens.
Additionally, as noted above, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java";
rel="nofollow">AuthorizationCodeDataProvider</a> needs to persist and remove
the code grant registrations. The way it's done is really application-specific.
Consider starting with a basic memory based implementation and then move on to
keeping the data in some DB.</p><p>Finally OAuthDataProvider may need to
convert opaque scope values such as "readCalendar" into a list of <a
shape="rect" class="ex
ternal-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java";
rel="nofollow">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2
security filters will depend on it (assuming scopes are used in the first
place). </p><h3 id="JAX-RSOAuth2-DefaultProviders">Default
Providers</h3><p>CXF 3.1.7 ships JPA2 (<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java";
rel="nofollow">JPAOAuthDataProvider</a> and <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java";
rel="nofollow">JPACodeDataProvider</a>), Ehcache (<a shape="rect"
class="external-link" href="https://github.com/
apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java"
rel="nofollow">DefaultEHCacheOAuthDataProvider</a> and <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java";
rel="nofollow">DefaultEHCacheCodeDataProvider</a>) and JCache (<a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java";
rel="nofollow">JCacheOAuthDataProvider</a> and <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JCacheCodeDataProvider.java";
rel="nofollow">JCacheCodeDataProvider</a>)
provider implementations which take care of all the persistence tasks: saving
or removing registered clients, tokens and code grants. These providers can be
easily customized.</p><p>Custom implementations can also extend  <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java";
rel="nofollow">AbstractOAuthDataProvider</a> or <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java";
rel="nofollow">AbstractCodeDataProvider</a>  and only implement their
abstract persistence related methods or further customize some of their
code.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS
endpoints</h2><p>With CXF offering OAuth service implementations and a cust
om OAuthDataProvider provider in place, it is time to deploy the OAuth2
server. <br clear="none"> Most likely, you'd want to deploy AccessTokenService
as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><!-- implements OAuthDataProvider -->
<bean id="oauthProvider" class="oauth.manager.OAuthManager"/>
