Hi

I had to update OAuthDataProvider interface and add two methods for listing the access and refresh tokens associated with a given OAuth2 client. Also, AuthorizationCodeDataProvider which extends OAuthDataProvider has a new method for listing the pending code grants associated with a given Client, so we have

List<ServerAccessToken> getAccessTokens(Client)
List<RefreshToken> getRefreshTokens(Client)
and
List<ServerAuthorizationCode> getCodeGrants(Client)

The reason I've done it is that it has become obvious that the OAuthDataProvider interface supports managing the existing tokens/grants in a very limited way. It is really important from a management point of view to show all the access and/or tokens associated with a given client or user.

I could've introduced new interfaces and made only the utility provider (AbstractOAuthDataProvider) shipped with CXF implement them, but I did not because:
- I felt like that it would add an extra 'noise' into an already complex OAuth2 runtime/API
- after all, listing the existing tokens is quite a fundamental thing which would not be a new 'challenge' for the existing provider implementations: they store the tokens, can extract them by their ids, so obviously they can get them listed too

I had to do it for 3.1.5-SNAPSHOT because the OIDC module we do in Fediz does depend on 3.1.5-SNAPSHOT and we can not wait till 3.2.0 gets released (which is quite far away at this point of time).

Hope those who are working with CXF 3.1.4 and doing some custom OAuth2 servers will not find it difficult to migrate. However, if someone thinks it can pose some problems for their productions (and this is why I send this mail to users), then I can revisit the idea of getting the above methods added to dedicated interfaces. Let me know in this thread or contact me privately if you prefer.

FYI, besides the above changes I've deprecated
OAuthDataProvider.removeAccessToken but will remove it only in 3.2.0-SNAPSHOT (master). The reason is that OAuthDataProvider also has a revokeToken accepting a token hint, which is part of the standard OAuth2 token revocation API. Removing OAuthDataProvider.removeAccessToken will make this interface a bit more minimalistic.

Thanks Sergey
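As an added illustration (not code from the mail or from CXF itself) of how the three new listing methods can be satisfied by a provider that already stores tokens and grants keyed by id: the class below is an in-memory store, not a full OAuthDataProvider/AuthorizationCodeDataProvider implementation (saving, lookup by key and revocation callbacks of a real provider are left out). It assumes the CXF 3.1.x model classes and their accessors (Client.getClientId, ServerAccessToken.getTokenKey/getClient, ServerAuthorizationCode.getCode/getClient) in the packages imported below; the removeAllForClient helper is an assumed management operation showing why the listings matter.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCode;
import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;

/** Example in-memory store: tokens and grants are kept by id, listed by client. */
public class InMemoryTokenListing {

    // A real provider already has storage like this; the maps stand in for it here.
    private final Map<String, ServerAccessToken> accessTokens = new ConcurrentHashMap<>();
    private final Map<String, RefreshToken> refreshTokens = new ConcurrentHashMap<>();
    private final Map<String, ServerAuthorizationCode> codeGrants = new ConcurrentHashMap<>();

    public void saveAccessToken(ServerAccessToken t) { accessTokens.put(t.getTokenKey(), t); }
    public void saveRefreshToken(RefreshToken t) { refreshTokens.put(t.getTokenKey(), t); }
    public void saveCodeGrant(ServerAuthorizationCode c) { codeGrants.put(c.getCode(), c); }

    // The three listing methods named in the mail: filter the id-keyed storage by client id.
    public List<ServerAccessToken> getAccessTokens(Client client) {
        List<ServerAccessToken> result = new ArrayList<>();
        for (ServerAccessToken t : accessTokens.values()) {
            if (belongsTo(t.getClient(), client)) {
                result.add(t);
            }
        }
        return result;
    }

    public List<RefreshToken> getRefreshTokens(Client client) {
        List<RefreshToken> result = new ArrayList<>();
        for (RefreshToken t : refreshTokens.values()) {
            if (belongsTo(t.getClient(), client)) {
                result.add(t);
            }
        }
        return result;
    }

    public List<ServerAuthorizationCode> getCodeGrants(Client client) {
        List<ServerAuthorizationCode> result = new ArrayList<>();
        for (ServerAuthorizationCode c : codeGrants.values()) {
            if (belongsTo(c.getClient(), client)) {
                result.add(c);
            }
        }
        return result;
    }

    // Match on client id rather than object identity: the Client passed in may be a
    // fresh instance loaded from the client registry, not the one stored with the token.
    private static boolean belongsTo(Client owner, Client requested) {
        return owner != null && requested != null
            && owner.getClientId().equals(requested.getClientId());
    }

    // Assumed management operation built on the listings: drop every credential a client
    // holds (for instance after its secret was rotated). Returns how many entries were removed.
    public int removeAllForClient(Client client) {
        int removed = 0;
        for (ServerAccessToken t : getAccessTokens(client)) {
            if (accessTokens.remove(t.getTokenKey()) != null) { removed++; }
        }
        for (RefreshToken t : getRefreshTokens(client)) {
            if (refreshTokens.remove(t.getTokenKey()) != null) { removed++; }
        }
        for (ServerAuthorizationCode c : getCodeGrants(client)) {
            if (codeGrants.remove(c.getCode()) != null) { removed++; }
        }
        return removed;
    }
}
```

The listing methods return copies rather than views of the maps, so callers that revoke while iterating (as removeAllForClient does) do not hit concurrent-modification problems against the underlying storage.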
