Sorry for the delay in looking into this. I've fixed the infinite loop when a WSDL references an IssuedToken policy that ends up pointing the STSClient back to the same STS (https://issues.apache.org/jira/browse/CXF-8076).
With regards to your use-case, I updated the CrossDomainTest to get it to work. The trick is to supply two STSClient configurations - a "Default" one that gets used when talking to the first STS, and a second one which is used for the call to the second STS (it's configured using a "name" that corresponds to that of the first STS):

https://github.com/apache/cxf/blob/master/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client.xml

Colm.

On Thu, May 30, 2019 at 1:11 PM Sölvi Páll Ásgeirsson <sol...@gmail.com> wrote:

> Yes, exactly.
> The relevant policy is here:
> https://gist.github.com/solvip/c842a5a13a43c24e94abf9073039cab5
>
> Cheers
> Sölvi
>
> On Thu, May 30, 2019 at 10:56 AM Colm O hEigeartaigh <cohei...@apache.org> wrote:
> >
> > What does the security policy of vendor-sts look like? I guess it contains
> > an IssuedToken policy to result in an infinite loop in the STSClient?
> >
> > Colm.
> >
> > On Thu, May 23, 2019 at 10:59 AM Sölvi Páll Ásgeirsson <sol...@gmail.com> wrote:
> >
> > > Hello
> > >
> > > I'm trying to use CXF as a client towards a set of WCF services
> > > provided by a third party.
> > > The WCF services are protected with WS-Trust and they trust tokens
> > > issued/signed by a certain STS, vendor-sts. The vendor-sts is a MS
> > > ADFS 2.0 (I think) service.
> > >
> > > I cannot authenticate directly towards the vendor-sts, but must
> > > instead use the issuedtokenmixedsymmetricbasic256 endpoint of the
> > > vendor-sts. The vendor-sts trusts tokens signed by a certificate of
> > > mine and issues new ones which I can pass on to their services.
> > >
> > > I have (somewhat) configured CXF to be a client towards these
> > > services, as in this gist:
> > > https://gist.github.com/solvip/1a70f3422a67ceb7a8d66a11f740f600
> > >
> > > However, this naturally results in an infinite loop as the STSClient
> > > tries to fetch a token from vendor-sts to satisfy the vendor-sts
> > > policy for that endpoint.
> > >
> > > How can I tell CXF to first contact my STS for a token to pass on
> > > towards the vendor-sts? I've looked at the cxf sts cross_domain test;
> > > but I'm not sure that it applies to my use case as I have no control
> > > over the vendor STS or vendor service configuration.
> > >
> > > Many thanks & best regards
> > > Sölvi
> > >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
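
A sketch of the two-STSClient arrangement described in the reply at the top of this thread, added here as an illustration; it is not the linked cxf-client.xml and not code from either poster. All hosts, namespaces, service and port QNames, the username and the callback handler class are placeholders, and the UsernameToken-style credentials for the second STS are an assumption. It relies on CXF's convention of configuring an STSClient from a bean named `default.sts-client` or `{namespace}PortName.sts-client`.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- "Default" configuration: picked up when the service's IssuedToken
         policy is resolved, so it points at the first STS (the one the
         service trusts). Placeholder WSDL location and QNames. -->
    <bean name="default.sts-client"
          class="org.apache.cxf.ws.security.trust.STSClient" abstract="true">
        <property name="wsdlLocation" value="https://first-sts.example/sts?wsdl"/>
        <property name="serviceName" value="{urn:example:first-sts}SecurityTokenService"/>
        <property name="endpointName" value="{urn:example:first-sts}IssuedToken_Port"/>
    </bean>

    <!-- Second configuration: its name is the first STS's port QName plus
         ".sts-client", so it is selected when the call to the first STS
         itself needs an IssuedToken. It points at the second STS (the
         caller's own), which breaks the self-referencing lookup. -->
    <bean name="{urn:example:first-sts}IssuedToken_Port.sts-client"
          class="org.apache.cxf.ws.security.trust.STSClient" abstract="true">
        <property name="wsdlLocation" value="https://second-sts.example/sts?wsdl"/>
        <property name="serviceName" value="{urn:example:second-sts}SecurityTokenService"/>
        <property name="endpointName" value="{urn:example:second-sts}Transport_Port"/>
        <property name="properties">
            <map>
                <!-- Assumed credentials for the second STS; placeholders. -->
                <entry key="security.username" value="example-client"/>
                <entry key="security.callback-handler"
                       value="com.example.ClientCallbackHandler"/>
            </map>
        </property>
    </bean>
</beans>
```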