On 23/02/16 10:27, Sergey Beryozkin wrote:
Hi
On 23/02/16 07:24, Rajan1311 wrote:
Hi Sergey,
I think I have understood what you mean, so the JWT has nothing to do
with
the OAuth flows.
I did not quite imply that JWT was not related to OAuth flows, rather I
said the JWTAuthenticationFilter you were thinking of using was not
related.
Or to be more precise, it can be used as a filter for authenticating the
OAuth2 clients but only when these clients use JWT for a pure
authentication when accessing OAuth2 AccessTokenService, example, when
using a client credentials or authorization code grant...
Sergey
In my case though, when a client server needs access to my API, he
does so
with the access token obtained via the client credentials grant. Each
token
(default bearer type) has registered scopes which govern the parts of the
API the client can access. According to the documentation, its the
OAuthRequestFilter and OAuthScopesFilter that make this restriction
happen.
I am using the @Scopes annotation my controllers.
Sure, you might also want to consider using OAuthRequestFilter only with
the requiredScopes property set, unless you'd like to enforce the scopes
declaratively on per-method level
Now, the Client can also make requests with a JWT(issued by the client's
server). The client signs the JWT with their client secret and sends
me (API
server) the JWT along with the client id (so that I can verify it with
the
corresponding secret). The JWT claims has a list of scopes along with
some
other identification info.
This is where I need some sort of convergence between the 2 flows. Once I
have the scopes, I want to process them in such a way that I use the
scopes
in the access token (via client credentials).
So, for this to happen, I think I would need some sort of modification
in my
OAuthRequestFilter, which would also accept JWT tokens, validate them and
extract the scopes. Then, it should work seamlessly work with the
OAuthScopesFilter.
I hope you understood what I mean. I am very new to this, so would be
great
if you could just point me in the right direction. I am thinking of
implementing a custom Filter to replace the OAuthRequestFilter, but I
am not
too sure on how to proceed.
Hmm, well, the client gets the access token from OAuth2 Access Token
Service, and then the client uses this token to access some users' API
server.
But what you are describing is that the client creates a JWT token
itself (may be it gets this token from STS such as CXF STS that can
issue JWT assertions), sets a client id on it and then wants to use it
as an access token ?
if so then I don't think it is possible, all the client has is a set of
JWT claims representing the fact of the successful client authentication
with STS/etc, and by adding a client id to such claims does not turn
them into an access token, but the client can use them to claim a new
access token and then use it.
Cheers, Sergey
Thanks and Regards,
Rajan
--
View this message in context:
http://cxf.547215.n5.nabble.com/Support-both-Bearer-and-JWT-tokens-tp5766050p5766172.html
Sent from the cxf-user mailing list archive at Nabble.com.
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
