svn commit: r1000967 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html

[buildbot]

Author: buildbot
Date: Fri Nov 11 16:47:41 2016
New Revision: 1000967

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Fri Nov 11 16:47:41 
2016
@@ -118,16 +118,16 @@ Apache CXF -- JAX-RS OAuth2
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: 
OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1478515601687 {padding: 0px;}
-div.rbtoc1478515601687 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1478515601687 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1478882820758 {padding: 0px;}
+div.rbtoc1478882820758 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1478882820758 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1478515601687">
+/*]]>*/</style></p><div class="toc-macro rbtoc1478882820758">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client 
Registration</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization 
View</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in 
Authorization Form</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-OOBResponse">OOB Response</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code 
acquisition with redirect URI</a></li></ul>
-</li></ul>
+</li><li><a shape="rect" href="#JAX-RSOAuth2-FormPostResponseMode">Form Post 
Response Mode</a></li></ul>
 </li><li><a shape="rect" 
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-HAWK">HAWK</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-MAC">MAC</a></li><li><a shape="rect" 
href="#JAX-RSOAuth2-EncryptedTokens">Encrypted Tokens</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-JWTTokens">JWT Tokens</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-Customtokens">Custom tokens</a></li><li><a 
shape="rect" href="#JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and 
Audience</a></li></ul>
@@ -223,7 +223,7 @@ Cookie=[JSESSIONID=1c289vha0cxfe],
 <pre>GET
 
http://localhost:8080/services/social/authorize?client_id=mobileClient&amp;response_type=code
   
 </pre>
-</div></div><p>Assuming the 'mobileClient' has been registered as public one 
with no secret and the service has been set up to support such clients, the end 
user will get a chance to authorize this client the same way it can do 
confidential clients, and after this user gets back a code (delivered directly 
in the response HTML page by default) the user will enter the code securely 
into the device which will then replace it for a time-scoped access token by 
contacting AccessTokenService.</p><h4 
id="JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code acquisition 
with redirect URI</h4><p>The following <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-oauth-spop-15"; 
rel="nofollow">extension</a> is supported to help public clients with redirect 
URIs to accept the code securely.</p><p>The public (mobile) client will include 
a 'code_verifier' value when requesting the authorization code and it will be 
saved by Authorization service, with the help 
 of the registered AuthorizationCodeDataProvider into an instance of 
ServerAuthorizationCodeGrant. The client will next request a token providing 
the 'code' and 'code_challenge' - the latter will be compared by 
AuthorizationCodeGrantHandler with the original 'code_verifier'. By default, 
the 'code_challenge' is expected to be equal to the original 'code_verifier', 
but the grant handler can be registered with the custom 
org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer - CXF 
ships a DigestCodeVerifier which implements a transformation mentioned in the 
extension.</p><p>&#160;</p><h2 
id="JAX-RSOAuth2-AccessTokenService">AccessTokenService</h2><p>The role of <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java";
 rel="nofollow">AccessTokenService</a> is to exchange a token grant for a new 
access token which will be used by t
 he client to access the end user's resources. <br clear="none"> Here is an 
example request log:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeContent panelContent pdl">
+</div></div><p>Assuming the 'mobileClient' has been registered as public one 
with no secret and the service has been set up to support such clients, the end 
user will get a chance to authorize this client the same way it can do 
confidential clients, and after this user gets back a code (delivered directly 
in the response HTML page by default) the user will enter the code securely 
into the device which will then replace it for a time-scoped access token by 
contacting AccessTokenService.</p><h4 
id="JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code acquisition 
with redirect URI</h4><p>The following <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/draft-ietf-oauth-spop-15"; 
rel="nofollow">extension</a> is supported to help public clients with redirect 
URIs to accept the code securely.</p><p>The public (mobile) client will include 
a 'code_verifier' value when requesting the authorization code and it will be 
saved by Authorization service, with the help 
 of the registered AuthorizationCodeDataProvider into an instance of 
ServerAuthorizationCodeGrant. The client will next request a token providing 
the 'code' and 'code_challenge' - the latter will be compared by 
AuthorizationCodeGrantHandler with the original 'code_verifier'. By default, 
the 'code_challenge' is expected to be equal to the original 'code_verifier', 
but the grant handler can be registered with the custom 
org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer - CXF 
ships a DigestCodeVerifier which implements a transformation mentioned in the 
extension.</p><h3 id="JAX-RSOAuth2-FormPostResponseMode">Form Post Response 
Mode</h3><p><a shape="rect" class="external-link" 
href="http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html"; 
rel="nofollow">Form Post Response Mode</a> has been orinially introduced for 
OpenId Connect but has been generally recomended recently as a possibly safer 
option of returning OAuth2 Authorization Service response to the cli
 ents. Starting from CXF 3.1.9, if a client sends a "response_mode=form_post" 
parameter during the original redirect, CXF AuthorizationCodeService will 
return &#160;<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java";
 rel="nofollow">OOBAuthorizationResponse</a> with its 'redirectUri' property 
set - a JSP/etc handler will convert to an HTML form which will re-post the 
data to the client callback address.</p><h2 
id="JAX-RSOAuth2-AccessTokenService">AccessTokenService</h2><p>The role of <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java";
 rel="nofollow">AccessTokenService</a> is to exchange a token grant for a new 
access token which will be used by the client to access the end user's reso
 urces. <br clear="none"> Here is an example request log:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">Address: http://localhost:8080/services/oauth/token
 Http-Method: POST