Hi Matteo

I've copied those log statements while working with a demo shipped with my company's distribution (you can see a link to that demo if you check 'CXF OAuth2' in Google).

In that demo, a custom security filter is protecting the demo OAuth2 web client. It checks if "Authorization: Basic" is there; if not, it will challenge the user, and that is managed by the browser. So the first time the user accesses the web client, the user is asked by the browser to authenticate, and then after the user is redirected to OAuth2 and then back to the client, the browser remembers the user authenticating and sets this header itself.

In many cases one would really need to have some SSO in place, so that a user does not have to sign in to the web client(s) and OAuth2 server separately. The demo also shows one option, SAML Web SSO with Shibboleth. We also have 2 demos shipped with CXF, basic_oidc and big_query, which show OpenIdConnect RP in action.

HTH, Sergey

On 10/03/16 14:05, matteo wrote:
I'm trying to figure out how to deal with resource owner login procedure in
CXF OAuth2 implementation. In the docs
(http://cxf.apache.org/docs/jax-rs-oauth2.html) it is stated that

/The client application asks the current user (the browser) to go to a new
address provided by the Location header and the follow-up request to
AuthorizationCodeGrantService will look like this:
/


/Note that the end user needs to authenticate./

Could you please explain how to deal with resource owner login in order to
provide the required

header? What kind of cxf handler (if any) should be registered? Is it
possible to serve a custom login form in case the
AuthorizationCodeGrantService detects that the Authorization header is
missing?

Many thanks.

matteo



-----
matteo
--
View this message in context: 
http://cxf.547215.n5.nabble.com/How-to-manage-resource-owner-login-in-CXF-tp5766808.html
Sent from the cxf-user mailing list archive at Nabble.com.



--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
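
The kind of filter described in the reply above, as an added example that is not taken from the demo or from CXF: a JAX-RS 2.0 `ContainerRequestFilter` that looks for "Authorization: Basic" and, when it is missing or invalid, answers 401 with a `WWW-Authenticate` challenge so the browser prompts the user and resends the header itself. The class name, the realm and the in-memory user map are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
public class BasicAuthChallengeFilter implements ContainerRequestFilter {
    // Constructed demo store (assumption); back this with a real identity store
    // holding salted password hashes, and serve the endpoint over TLS only.
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "constructed-password");

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            challenge(ctx); // no credentials yet: let the browser prompt the user
            return;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            challenge(ctx); // malformed base64 is treated like missing credentials
            return;
        }
        int sep = decoded.indexOf(':'); // split on the first ':'; passwords may contain ':'
        if (sep < 0 || !valid(decoded.substring(0, sep), decoded.substring(sep + 1))) {
            challenge(ctx);
        }
        // Otherwise the request continues to the protected web client resource.
    }

    private static boolean valid(String user, String password) {
        String expected = USERS.get(user);
        // MessageDigest.isEqual avoids an early-exit comparison of the secret.
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    private static void challenge(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"oauth2-client\"")
                .build());
    }
}
```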
