Hi, Responses inline below.
On Sun, Jul 28, 2019 at 8:46 AM vishwanath <akvishwan...@gmail.com> wrote:
>
> 1) I am able to test Authorization code workflow and implicit flow. But I
> want to implement OAuth PKCE flow. I received the authorization code from the first
> step, but the second step is still expecting client_secret with code_verifier, but as per
> the OAuth standard client_secret is not required for PKCE, right? Also, how to
> implement DigestCodeVerifier(RS256) instead of PlainCodeVerifier?
>
> https://localhost:8443/oidc/idp/authorize?client_id=cQtfnlT6xwc4xQ&response_type=code&scope=openid&redirect_uri=https://localhost:8080/test&state=state-8600b31f-52d1-4dca-987c-386e3d8967e9&code_challenge_method=S256&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU&audience=https://zsoasec-racf.ch.zurich.com/zsoaidp-oidc/
>

I think this is just a matter of how you are setting up the service. See this system test, which puts the AccessTokenService on a separate endpoint with no authentication requirements for public clients:

https://github.com/apache/cxf/blob/563b1ec1f5b2186003843d5e686cc764efa00bb3/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml#L131

To implement the DigestCodeVerifier you need to inject it into the AuthorizationCodeGrantHandler, see here:

https://github.com/apache/cxf/blob/563b1ec1f5b2186003843d5e686cc764efa00bb3/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml#L148

> 2) Today the ID token is a JWT token. Which token should we use to call a REST call,
> access token or ID token?
>

Access Token. ID Token is only meant for the client.

> 3) JWT token generated by OIDC contains the claim audience (aud), by default
> assigned the value client id. Any specific reason?
>

Yes, the IdToken is targeted at the client.

Colm.

> Regards
> Kashi

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
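As an added worked example (not part of the thread and not CXF's own code), the token-endpoint side of the exchange discussed above: a plain and an S256 code verifier in the spirit of CXF's PlainCodeVerifier/DigestCodeVerifier, and a redemption check for a public client that is authenticated by its PKCE code_verifier rather than a client_secret. The grant and request dicts are constructed stand-ins, not CXF types. The code_challenge in the quoted authorize URL is the S256 challenge of an empty code_verifier, which the RFC 7636 length check here rejects.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    # 32 random bytes encode to 43 chars, the RFC minimum length.
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    """Client side: derive the code_challenge sent on the authorize request."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError("unsupported code_challenge_method: " + method)


def verify_code_verifier(stored_challenge: str, method: str, presented: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and
    compare it in constant time with the one stored against the code."""
    if not _VERIFIER_RE.match(presented):
        return False  # also rejects an empty verifier (challenge of "")
    return secrets.compare_digest(code_challenge(presented, method), stored_challenge)


def redeem_authorization_code(grant: dict, request: dict, client_secret=None) -> bool:
    """Token-endpoint decision. grant holds what was stored when the code was
    issued; request holds the form parameters; client_secret is the registered
    secret, or None for a public client (constructed stand-ins, not CXF types)."""
    if request.get("client_id") != grant["client_id"]:
        return False
    if client_secret is not None and not secrets.compare_digest(
            request.get("client_secret", ""), client_secret):
        return False  # confidential client must still authenticate
    if grant.get("code_challenge"):
        # PKCE binds the code to the client; no client_secret is needed.
        return verify_code_verifier(grant["code_challenge"],
                                    grant["code_challenge_method"],
                                    request.get("code_verifier", ""))
    return client_secret is not None  # neither PKCE nor a secret: reject
```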