- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 3.0
- Component/s: JAX-RS, JAX-RS Security
- Labels: None
- Estimated Complexity: Unknown

SessionAuthenticityTokenProvider accepts only the CXF MessageContext, which is not sufficient for validating data such as temporary codes.
For example, when the user is redirected to AuthorizationService to authorize a grant request, the service will challenge the user with the authorization form. At this point a custom SessionAuthenticityTokenProvider should be able to send a temporary code to the user's mobile/email, request the user to enter this code into the form, and then validate it on the user confirmation.
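
The flow described above, as an added stand-alone example; it is not CXF code and does not implement the CXF interface. The class and method names, the `temp_code` form field, the use of `session_authenticity_token` as the hidden field name, the `Map`-based session, and the lifetime and retry limits are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import java.util.function.Consumer;
// Added sketch with hypothetical names; it does not implement the CXF interface.
public class TempCodeChallenge {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_SECONDS = 300; // assumed code lifetime
    private static final int MAX_ATTEMPTS = 3;   // assumed retry limit
    private static final List<String> KEYS = List.of("token", "code", "expires", "attempts");
    // Form rendering: returns the hidden-field token, sends the code out of band.
    static String createSessionToken(Map<String, Object> session, Consumer<String> sender) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        String code = String.format("%06d", RNG.nextInt(1_000_000));
        session.put("token", token);
        session.put("code", code);
        session.put("expires", Instant.now().plusSeconds(TTL_SECONDS));
        session.put("attempts", 0);
        sender.accept(code);
        return token;
    }
    // Confirmation: needs the submitted form parameters as well as the session.
    static boolean validate(Map<String, Object> session, Map<String, String> form) {
        String token = (String) session.get("token");
        String code = (String) session.get("code");
        Instant expires = (Instant) session.get("expires");
        if (token == null || code == null || expires == null) return false;
        int attempts = (Integer) session.get("attempts") + 1;
        session.put("attempts", attempts);
        boolean expired = !Instant.now().isBefore(expires);
        boolean ok = !expired && same(token, form.get("session_authenticity_token"))
                & same(code, form.get("temp_code"));
        if (ok || expired || attempts >= MAX_ATTEMPTS) session.keySet().removeAll(KEYS);
        return ok;
    }
    private static boolean same(String expected, String actual) { // constant-time compare
        return actual != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String[] sent = new String[1]; // constructed stand-in for the SMS/e-mail channel
        String token = createSessionToken(session, c -> sent[0] = c);
        Map<String, String> form = Map.of("session_authenticity_token", token, "temp_code", sent[0]);
        // First call is the user's confirmation; second is a replay of the same form.
        System.out.println(validate(session, form) + " " + validate(session, form));
    }
}
```

The state is removed on success, on expiry, and once the retry limit is reached, so a six-digit code cannot be replayed or guessed indefinitely within one session.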