Hi Matteo
I've copied those log statements while working with a demo shipped with
my company's distribution (you can see a link to that demo if you check
'CXF OAuth2' in Google).
In that demo, a custom security filter is protecting the demo OAuth2 web
client. It checks if "Authorization: Basic" is there; if not, then it
will challenge the user, and it is managed by the browser. So the first
time the user accesses the web client, they are asked by the browser to
authenticate, and then after the user is redirected to OAuth2 and then
back to the client, the browser remembers the user authenticating
and sets this header itself.
In many cases one would really need to have some SSO in place, so that a
user does not have to sign in to the web client(s) and OAuth2 server
separately. The demo also shows one option, SAML Web SSO with
Shibboleth. We also have 2 demos shipped with CXF, basic_oidc and
big_query, which show OpenIdConnect RP in action.
HTH, Sergey
On 10/03/16 14:05, matteo wrote:
I'm trying to figure out how to deal with resource owner login procedure in
CXF OAuth2 implementation. In the docs
(http://cxf.apache.org/docs/jax-rs-oauth2.html) it is stated that
"The client application asks the current user (the browser) to go to a new
address provided by the Location header and the follow-up request to
AuthorizationCodeGrantService will look like this:"
"Note that the end user needs to authenticate."
Could you please explain how to deal with resource owner login in order to
provide the required
header? What kind of cxf handler (if any) should be registered? Is it
possible to serve a custom login form in case the
AuthorizationCodeGrantService detects that the Authorization header is
missing?
Many thanks.
matteo
--
View this message in context:
http://cxf.547215.n5.nabble.com/How-to-manage-resource-owner-login-in-CXF-tp5766808.html
Sent from the cxf-user mailing list archive at Nabble.com.
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/