CXF-4671

[OAuth2] Add option to not have user intervention

    Details

    • Type: Wish
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.7.0
    • Fix Version/s: None
    • Component/s: JAX-RS Security
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      I'm using the CXF OAuth library as a cross-domain, non-cookie way to protect my resource server endpoints. As such, I don't need the user to authorize access to any data. I know this isn't part of the OAuth 2 spec, but it would be very nice if there were a config setting that would skip the user authorization part.

      Currently, I'm extending RedirectionBasedGrantService and overriding startAuthorization like this:

      import javax.servlet.http.HttpSession;
      import javax.ws.rs.core.MultivaluedMap;
      import javax.ws.rs.core.Response;
      import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

      @Override
      protected Response startAuthorization(MultivaluedMap<String, String> params) {
        // Let the base class authenticate the end user and validate the client, redirect URI and response_type
        Response consent = super.startAuthorization(params);
        if (consent.getStatus() != 200) {
          return consent; // added check: an error redirect or 4xx from the base class must not be auto-approved
        }
        HttpSession session = getMessageContext().getHttpServletRequest().getSession();
        String sessionToken = (String) session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
        // Replay the session authenticity token and a forced "allow" decision instead of rendering the consent page
        params.add(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, sessionToken);
        params.add("oauthDecision", "allow");
        return super.completeAuthorization(params);
      }

      This works ok for me, but it would be nice if it were a part of the library.

        Activity

        Steven Tippetts added a comment -

        I also added a snippet of code in my convertScopeToPermissions method of my ImplicitDataProvider object to check the requested scopes against a collection of allowed scopes that I store on a per-client basis by overriding the Client object and adding an allowedScopes property.

        Although, as I look now at the code, I could probably add scope + "_status" parameters of the allowed scopes prior to the call to super.completeAuthorization(params) and remove the check in convertScopeToPermissions.

        Sergey Beryozkin added a comment -

        At the library level this is supported by the use of pre-authorized tokens - why can't you use it?

        Sergey Beryozkin added a comment -

        Let me also ask - is the client acting effectively as the end user? If it is the same entity then maybe it is the client credentials grant which has to be used?

        Steven Tippetts added a comment -

        Sergey, thank you for your feedback. I'm not able to use the client credentials grant because my client is public and I need the implicit flow. However, I can use pre-authorized tokens. Thank you for suggesting that. In order to get the pre-authorized tokens working I need a change to the code. I'll create another issue for that change. This issue can be closed.

        Sergey Beryozkin added a comment -

        We've agreed to explore the pre-authorized token option.
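        Steven Tippetts's comment about checking requested scopes against a per-client allowedScopes list names two places to do it: inside the data provider's convertScopeToPermissions, or by adding "<scope>_status" parameters before super.completeAuthorization(params). The class below is an added example written for this page; it is not code from the issue, its reporter, or the CXF project. ScopePolicy, AllowedScopesClient and the method names are assumed, as is the sample client registration; the CXF types it builds on (Client, OAuthPermission, OAuthServiceException, OAuthConstants, MetadataMap) are the 2.7-era ones. The security point it makes: once the consent page is skipped, the scope allowlist is the only thing bounding what a token may do, so the check fails closed for clients that carry no allowlist and rejects rather than silently narrows in the convertScopeToPermissions path.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.ws.rs.core.MultivaluedMap;

import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

// Added example: per-client scope allowlist for a server that auto-approves consent.
// ScopePolicy and AllowedScopesClient are hypothetical names, not CXF classes.
public final class ScopePolicy {

    // Registered client that also records which scopes it may ever be granted.
    public static class AllowedScopesClient extends Client {
        private final Set<String> allowedScopes;

        public AllowedScopesClient(String clientId, boolean confidential, String... allowedScopes) {
            super(clientId, null, confidential); // no secret: the implicit-flow client on this page is public
            this.allowedScopes = Collections.unmodifiableSet(
                    new LinkedHashSet<String>(Arrays.asList(allowedScopes)));
        }

        public Set<String> getAllowedScopes() {
            return allowedScopes;
        }
    }

    private ScopePolicy() {
    }

    // Fail closed: a client not registered through AllowedScopesClient may be granted no scope at all.
    static Set<String> allowedScopesOf(Client client) {
        if (client instanceof AllowedScopesClient) {
            return ((AllowedScopesClient) client).getAllowedScopes();
        }
        return Collections.emptySet();
    }

    // Approach 1: enforce the allowlist where scopes become permissions, i.e. the logic an
    // OAuthDataProvider.convertScopeToPermissions implementation can delegate to.
    public static List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScopes) {
        Set<String> allowed = allowedScopesOf(client);
        List<OAuthPermission> permissions = new ArrayList<OAuthPermission>();
        for (String scope : requestedScopes) {
            if (!allowed.contains(scope)) {
                // With no consent page, this is the last check on the token's reach: reject outright
                throw new OAuthServiceException(OAuthConstants.INVALID_SCOPE);
            }
            permissions.add(new OAuthPermission(scope, "Granted by scope '" + scope + "'"));
        }
        return permissions;
    }

    // Approach 2: before calling completeAuthorization, mark only allowlisted scopes as approved
    // through "<scope>_status=allow" parameters. Requested-but-disallowed scopes are returned so the
    // caller can decide to reject the request instead of issuing a narrower token.
    public static List<String> approveAllowedScopes(Client client, MultivaluedMap<String, String> params) {
        Set<String> allowed = allowedScopesOf(client);
        List<String> dropped = new ArrayList<String>();
        String scope = params.getFirst(OAuthConstants.SCOPE);
        if (scope == null || scope.trim().isEmpty()) {
            return dropped;
        }
        for (String requested : scope.trim().split("\\s+")) {
            if (allowed.contains(requested)) {
                params.putSingle(requested + "_status", "allow");
            } else {
                dropped.add(requested);
            }
        }
        return dropped;
    }

    public static void main(String[] args) {
        // Constructed sample registration: a public client allowed two read-only scopes
        Client spa = new AllowedScopesClient("spa-frontend", false, "read_profile", "read_calendar");

        List<OAuthPermission> granted = convertScopeToPermissions(spa, Arrays.asList("read_profile"));
        System.out.println("permissions granted: " + granted.size());

        try {
            convertScopeToPermissions(spa, Arrays.asList("read_profile", "write_calendar"));
        } catch (OAuthServiceException e) {
            System.out.println("rejected request: " + e.getMessage());
        }

        MultivaluedMap<String, String> params = new MetadataMap<String, String>();
        params.putSingle(OAuthConstants.SCOPE, "read_profile write_calendar");
        List<String> dropped = approveAllowedScopes(spa, params);
        System.out.println("read_profile_status=" + params.getFirst("read_profile_status")
                + ", dropped=" + dropped);
    }
}
```

        Wire approach 1 by calling ScopePolicy.convertScopeToPermissions from your data provider's convertScopeToPermissions; wire approach 2 by calling approveAllowedScopes on the params in the startAuthorization override before super.completeAuthorization(params), and treat a non-empty dropped list as a reason to return an invalid_scope error if you do not want the server to quietly issue a narrower token than the client asked for.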

          People

          • Assignee: Sergey Beryozkin
          • Reporter: Steven Tippetts
          • Votes: 0
          • Watchers: 2
