Details
- Wish
- Status: Closed
- Major
- Resolution: Won't Fix
- 2.7
- None
- None
- Unknown
Description
I'm using the CXF OAuth library as a cross-domain, non-cookie way to protect my resource server endpoints. As such, I don't need the user to authorize access to any data. I know this isn't part of the OAuth 2 spec, but it would be very nice if there were a config setting that would skip the user authorization part.
Currently, I'm extending RedirectionBasedGrantService and overriding startAuthorization like this:
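    @Override
    protected Response startAuthorization(MultivaluedMap<String, String> params) {
        // Run the normal start step for its side effects (it stores the
        // authenticity token in the session); its Response is discarded.
        super.startAuthorization(params);

        // Read back the token that the consent form would have submitted.
        HttpSession session = getMessageContext().getHttpServletRequest().getSession();
        String sessionToken = (String) session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);

        // Submit the "allow" decision on the user's behalf.
        params.add("session_authenticity_token", sessionToken);
        params.add("oauthDecision", "allow");
        return super.completeAuthorization(params);
    }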
This works OK for me, but it would be nice if it were a part of the library.
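The override above submits "allow" for every client that reaches the authorization endpoint. The following is an added example, not code from the reporter or from CXF: a stand-alone gate that limits the skipped consent step to registered first-party clients. The class `ConsentSkipPolicy`, the record `TrustedClient` and the sample client data are hypothetical; `client_id`, `redirect_uri` and `scope` are the standard OAuth 2 request parameters.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper (not a CXF class). Requires Java 16+ for records. */
public final class ConsentSkipPolicy {

    /** Registration data for a client that is allowed to skip the consent screen. */
    public record TrustedClient(String redirectUri, Set<String> preApprovedScopes) {}

    private final Map<String, TrustedClient> trusted;

    public ConsentSkipPolicy(Map<String, TrustedClient> trusted) {
        this.trusted = Map.copyOf(trusted);
    }

    /** Returns true only when auto-approving cannot grant more than was registered. */
    public boolean canSkip(String clientId, String redirectUri, String scope) {
        TrustedClient client = clientId == null ? null : trusted.get(clientId);
        if (client == null) {
            return false; // unknown or third-party client: keep the consent screen
        }
        if (!client.redirectUri().equals(redirectUri)) {
            return false; // exact match only, no prefix or wildcard comparison
        }
        if (scope == null || scope.isBlank()) {
            return false; // server-side default scopes would apply: do not auto-approve
        }
        // The scope parameter is a space-delimited list.
        Set<String> requested = new HashSet<>(Arrays.asList(scope.trim().split("\\s+")));
        return client.preApprovedScopes().containsAll(requested);
    }

    public static void main(String[] args) {
        // Constructed sample registration, for illustration only.
        ConsentSkipPolicy policy = new ConsentSkipPolicy(Map.of(
            "first-party-spa",
            new TrustedClient("https://app.example.com/cb", Set.of("read", "write"))));

        System.out.println(policy.canSkip("first-party-spa", "https://app.example.com/cb", "read"));       // true
        System.out.println(policy.canSkip("first-party-spa", "https://app.example.com/cb", "read admin")); // false
        System.out.println(policy.canSkip("first-party-spa", "https://evil.example.net/cb", "read"));      // false
        System.out.println(policy.canSkip("other-client", "https://app.example.com/cb", "read"));          // false
    }
}
```

In the override, a check of this kind would run before `oauthDecision` is added; when it returns false, returning the result of `super.startAuthorization(params)` keeps the normal consent flow.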