
Access Token Types

AccessTokenService can work with whatever token is created by a given data provider. This section provides more information on how CXF may help with supporting Bearer and MAC tokens.

Bearer

The following code fragment shows how a BearerAccessToken utility class can be used to create Bearer tokens:

import java.util.List;

import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;

public class CustomOAuthDataProvider implements AuthorizationCodeDataProvider {

    public ServerAccessToken createAccessToken(AccessTokenRegistration reg)
        throws OAuthServiceException {

        // Bearer token for the registered client, valid for 3600 seconds
        ServerAccessToken token = new BearerAccessToken(reg.getClient(), 3600L);

        // prefer the scope the resource owner actually approved over the requested one
        List<String> scope = reg.getApprovedScope().isEmpty()
            ? reg.getRequestedScope() : reg.getApprovedScope();
        token.setScopes(convertScopeToPermissions(reg.getClient(), scope));
        token.setSubject(reg.getSubject());
        token.setGrantType(reg.getGrantType());

        // persist as needed and then return
        return token;
    }
    // other methods not shown
}

If no dedicated Bearer token validator is registered, OAuthRequestFilter will also ask CustomOAuthDataProvider to validate incoming Bearer tokens, since such tokens typically act as a database key or key alias that the provider can look up.
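As an added illustration (not CXF's own code), the following in-memory store shows what that lookup amounts to when no dedicated Bearer validator is registered: the opaque token string is the key, and a token that is unknown or past its lifetime yields null rather than an expired token. The store class, its method names, and the treatment of a non-positive expiresIn as "no expiry" are assumptions of this example; a real data provider would delegate to its database in the same way.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;

/** Added example, not CXF code: in-memory Bearer token store behind a data provider. */
public class BearerTokenStore {
    // keyed by the opaque token string, which is the "database key" for a Bearer token
    private final Map<String, ServerAccessToken> tokens = new ConcurrentHashMap<>();

    /** Issues a token as createAccessToken would and records it under its key. */
    public ServerAccessToken issue(AccessTokenRegistration reg, long lifetimeSeconds) {
        ServerAccessToken token = new BearerAccessToken(reg.getClient(), lifetimeSeconds);
        token.setSubject(reg.getSubject());
        token.setGrantType(reg.getGrantType());
        // scopes would be set via convertScopeToPermissions as in the fragment above
        tokens.put(token.getTokenKey(), token);
        return token;
    }

    /** What getAccessToken(String) returns for OAuthRequestFilter: the token, or null. */
    public ServerAccessToken lookup(String tokenKey) {
        ServerAccessToken token = tokens.get(tokenKey);
        if (token == null) {
            return null;               // unknown key: nothing to authenticate
        }
        if (isExpired(token)) {
            tokens.remove(tokenKey);   // drop it so it cannot be presented again
            return null;
        }
        return token;
    }

    /** What removeAccessToken(ServerAccessToken) does: revoke by key. */
    public void revoke(ServerAccessToken token) {
        tokens.remove(token.getTokenKey());
    }

    static boolean isExpired(ServerAccessToken token) {
        // issuedAt and expiresIn are in seconds; assumption: expiresIn <= 0 means no expiry
        long now = System.currentTimeMillis() / 1000L;
        return token.getExpiresIn() > 0
            && token.getIssuedAt() + token.getExpiresIn() <= now;
    }
}
```

The provider's createAccessToken, getAccessToken and removeAccessToken would call issue, lookup and revoke respectively; the point is that with a plain Bearer token the only "validation" available is this lookup plus the expiry check, which is why the filter has to consult the provider at all.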

MAC

CXF 2.6.2 supports MAC tokens as specified in the latest MAC Access Authentication draft. MAC tokens give clients an option to demonstrate that they 'hold' the token secret issued to them by AccessTokenService. It is recommended that an AccessTokenService endpoint issuing MAC tokens enforce two-way TLS for extra protection of the MAC token data returned to clients.

The following code fragment shows how a MacAccessToken utility class can be used to create MAC tokens:

import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.tokens.mac.HmacAlgorithm;
import org.apache.cxf.rs.security.oauth2.tokens.mac.MacAccessToken;

public class CustomOAuthDataProvider implements AuthorizationCodeDataProvider {

    public ServerAccessToken createAccessToken(AccessTokenRegistration reg)
        throws OAuthServiceException {

        // generate a MAC token (key identifier plus secret) valid for 3600 seconds
        ServerAccessToken token = new MacAccessToken(reg.getClient(),
                                                     HmacAlgorithm.HmacSHA1, 3600L);

        // set other token fields as shown in the Bearer section

        // persist as needed and then return
        return token;
    }
    // other methods not shown
}

One can expect the following response:

Response-Code: 200
Content-Type: application/json
Headers: {
    Cache-Control=[no-store],
    Pragma=[no-cache],
    Date=[Thu, 12 Apr 2012 14:36:29 GMT]
}

Payload:

{"access_token":"5b5c8e677413277c4bb8b740d522b378", "token_type":"mac",
 "secret":"1234568", "algorithm":"hmac-sha-1"}

Note that 'access_token' is the MAC key identifier and 'secret' is the MAC key.

MacAccessTokenValidator has to be registered with OAuthRequestFilter to validate incoming MAC tokens. This validator can be given a reference to a custom NonceVerifier; CXF may ship a default implementation in the future.

The client can use CXF OAuthClientUtils to create MAC Authorization headers. All that is needed is a ClientAccessToken representing the MAC token issued by AccessTokenService and an HttpRequestProperties instance capturing the information about the current request URI:

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.oauth2.client.HttpRequestProperties;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;

String requestURI = "http://localhost:8080/calendar";
WebClient wc = WebClient.create(requestURI);

// represents client registration (getConsumer() is application code)
OAuthClientUtils.Consumer consumer = getConsumer();
// the token issued by AccessTokenService (getToken() is application code)
ClientAccessToken token = getToken();

// the method and URI of this request go into the MAC normalized string
HttpRequestProperties httpProps = new HttpRequestProperties(wc, "GET");
String authHeader = OAuthClientUtils.createAuthorizationHeader(consumer, token,
                                                               httpProps);
wc.header("Authorization", authHeader);

// Calendar is the application's own resource class, not java.util.Calendar
Calendar calendar = wc.get(Calendar.class);

This code will result in something like:

GET /calendar HTTP/1.1
Host: localhost
Accept: application/xml
Authorization: MAC id="5b5c8e677413277c4bb8b740d522b378",
               nonce="273156:di3hvdf8",
               mac="W7bdMZbv9UWOTadASIQHagZyirA=",
               ext="12345678"

where the 'ext' attribute is used to pass a timestamp value.
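To make concrete what the resource server has to check when such a header arrives, here is an added example (not CXF's MacAccessTokenValidator) that recomputes the mac over the normalized request string defined in draft-ietf-oauth-v2-http-mac-01 (nonce, method, request URI, host, port, ext, each followed by a newline), compares it in constant time, bounds the nonce age by the token lifetime, and refuses a nonce it has already accepted. The verifier class, the in-memory id-to-secret map and the sample values are constructed for this illustration; the key identifier and secret are the ones shown in the response above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example, not CXF code: resource-server side check of a MAC Authorization header. */
public class MacHeaderVerifier {
    private static final Pattern ATTR = Pattern.compile("(\\w+)=\"([^\"]*)\"");

    // constructed stand-in for the token store: key identifier -> secret and lifetime (seconds)
    private final Map<String, String> secrets = new HashMap<>();
    private final Map<String, Long> lifetimes = new HashMap<>();
    // nonces already accepted per key identifier, so a captured request cannot be replayed
    private final Set<String> seenNonces = ConcurrentHashMap.newKeySet();

    public void registerToken(String id, String secret, long lifetimeSeconds) {
        secrets.put(id, secret);
        lifetimes.put(id, lifetimeSeconds);
    }

    /** Parses 'MAC id="...", nonce="...", mac="...", ext="..."' into attribute -> value. */
    static Map<String, String> parseHeader(String header) {
        if (header == null || !header.startsWith("MAC ")) {
            throw new IllegalArgumentException("not a MAC Authorization header");
        }
        Map<String, String> attrs = new LinkedHashMap<>();
        Matcher m = ATTR.matcher(header.substring(4));
        while (m.find()) {
            attrs.put(m.group(1), m.group(2));
        }
        return attrs;
    }

    /** Normalized request string of draft-ietf-oauth-v2-http-mac-01, section 3.3.1. */
    static String normalizedRequest(String nonce, String method, String requestUri,
                                    String host, int port, String ext) {
        return nonce + "\n" + method.toUpperCase() + "\n" + requestUri + "\n"
            + host.toLowerCase() + "\n" + port + "\n" + (ext == null ? "" : ext) + "\n";
    }

    /** mac attribute value: base64 of HMAC-SHA1 over the normalized string. */
    static String hmacSha1(String secret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    /** True only for a fresh, correctly signed request from a known key identifier. */
    public boolean verify(String authHeader, String method, String requestUri,
                          String host, int port) throws Exception {
        Map<String, String> a = parseHeader(authHeader);
        String id = a.get("id"), nonce = a.get("nonce"), mac = a.get("mac");
        if (id == null || nonce == null || mac == null || !secrets.containsKey(id)) {
            return false;
        }
        // nonce is "age:random", age being seconds since the token was issued;
        // an age beyond the token lifetime means the token has expired
        int colon = nonce.indexOf(':');
        long age;
        try {
            age = colon < 1 ? -1 : Long.parseLong(nonce.substring(0, colon));
        } catch (NumberFormatException e) {
            return false;
        }
        if (age < 0 || age > lifetimes.get(id)) {
            return false;
        }
        String expected = hmacSha1(secrets.get(id),
            normalizedRequest(nonce, method, requestUri, host, port, a.get("ext")));
        // constant-time comparison: rejection time must not depend on how many bytes matched
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   mac.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        // record the nonce only once the signature is valid; a second use is a replay
        return seenNonces.add(id + "|" + nonce);
    }

    public static void main(String[] args) throws Exception {
        MacHeaderVerifier verifier = new MacHeaderVerifier();
        verifier.registerToken("5b5c8e677413277c4bb8b740d522b378", "1234568", 3600L);

        // what the client side computes for GET http://localhost:8080/calendar
        String nonce = "273156:di3hvdf8", ext = "12345678";
        String mac = hmacSha1("1234568",
            normalizedRequest(nonce, "GET", "/calendar", "localhost", 8080, ext));
        String header = "MAC id=\"5b5c8e677413277c4bb8b740d522b378\", nonce=\"" + nonce
            + "\", mac=\"" + mac + "\", ext=\"" + ext + "\"";

        System.out.println(verifier.verify(header, "GET", "/calendar", "localhost", 8080));
        System.out.println(verifier.verify(header, "GET", "/calendar", "localhost", 8080));
        System.out.println(verifier.verify(header, "GET", "/other", "localhost", 8080));
    }
}
```

Running main prints true for the first request, false for the identical request presented a second time (same nonce, now in seenNonces), and false for the same header applied to a different path (the normalized string, and hence the mac, no longer matches). This is the behaviour a NonceVerifier plugged into MacAccessTokenValidator is there to provide: without the nonce cache, the signature check alone would accept a captured request indefinitely within the token lifetime.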
