Hi Matthew,

I used the OAuth2 extension a while ago, but I had to integrate it with 
OpenAM[1] and I found it difficult to extend to my needs. I made my own 
extension[2] and I hope one day it can be part of the official Restlet 
extensions. 

Back to your question: you want to use a custom form-based resource owner 
authentication, so you need to make your own authentication filter. REST is a 
stateless implementation, and form-based authentication requires some 
state-session information which you can use when the user-agent accesses the 
authorization endpoint.

You can write a Form Authenticator and Session Manager [3] like I use, or you 
can write your own.


First Request:
The User-Agent accesses the /authorize endpoint. The Restlet Authentication 
filter cannot authenticate the user, so it shows a login form.

Second Request:
The User-Agent submits the username/password, and the Restlet Authentication 
filter authenticates the user and allows the OAuth2 authorization page to be 
displayed.

Third Request:
The User-Agent submits the decision, but the Restlet Authentication filter 
cannot authenticate the user unless some session information is available.


I guess you see the problem, and why it works with Basic authentication, where 
the credentials are always included in the Request header. 

I hope I could help you to get further with your implementation. See my 
example[2] if you want to see more. 

Regards,
Laszlo

[1] http://openam.forgerock.org 
[2] https://svn.forgerock.org/openam/branches/oauth2-branch/opensso/extensions/oauth2/
[3] https://svn.forgerock.org/openam/branches/oauth2-branch/opensso/extensions/oauth2/org.forgerock.restlet.ext.openam/src/main/java/org/forgerock/restlet/ext/openam/server/OpenAMServletAuthenticator.java
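
The three requests described in the message above, modelled as an added example (not part of the original post, and not Restlet or OpenAM code): a filter that issues a session id after the form login so that the third request can be authenticated from the cookie. FormAuthFilter, Req, Result and the demo credentials are hypothetical; only the JDK (Java 16+) is used.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Plain-JDK model of a form-login filter in front of /authorize (hypothetical names).
public class FormAuthFilter {
    // Constructed request: method, submitted form fields, session cookie value (or null).
    record Req(String method, Map<String, String> form, String sessionCookie) {}
    // Outcome: authenticated user (null = show the login form) and the cookie to set (or null).
    record Result(String user, String setCookie) {}

    private final Map<String, String> sessions = new ConcurrentHashMap<>(); // session id -> user
    private final SecureRandom rng = new SecureRandom();

    // Stand-in credential check; a deployment would call its identity store here.
    private boolean verify(String user, String pass) {
        return "alice".equals(user) && "demo-password".equals(pass);
    }

    Result authenticate(Req req) {
        // 1. An existing session identifies the user (every request after the login).
        if (req.sessionCookie() != null) {
            String user = sessions.get(req.sessionCookie());
            if (user != null) return new Result(user, null);
        }
        // 2. A submitted login form with valid credentials creates the session (second request).
        String name = req.form().get("username");
        if ("POST".equals(req.method()) && verify(name, req.form().get("password"))) {
            byte[] raw = new byte[32]; // 256-bit unguessable session id
            rng.nextBytes(raw);
            String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            sessions.put(sid, name);
            return new Result(name, sid);
        }
        // 3. No session and no valid credentials: the caller renders the login form.
        return new Result(null, null);
    }

    public static void main(String[] args) {
        FormAuthFilter f = new FormAuthFilter();
        Map<String, String> login = Map.of("username", "alice", "password", "demo-password");
        Map<String, String> decision = Map.of("decision", "allow");
        Result first = f.authenticate(new Req("GET", Map.of(), null));
        Result second = f.authenticate(new Req("POST", login, null));
        Result thirdNoCookie = f.authenticate(new Req("POST", decision, null));
        Result third = f.authenticate(new Req("POST", decision, second.setCookie()));
        System.out.println("1st=" + first.user() + " 2nd=" + second.user()
                + " 3rd(no cookie)=" + thirdNoCookie.user() + " 3rd(cookie)=" + third.user());
    }
}
```

In a deployment the session id would be sent as a cookie with the HttpOnly and Secure attributes, and the server-side session entry would be given an expiry.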

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2956130
