Skip to main content

JAX-RS and OAuth2

CXF 2.6.0 provides an initial implementation of http://tools.ietf.org/html/draft-ietf-oauth-v2OAuth 2.0.

See also the CXF Website for information about OAuth 1.0. Authorization Code, Implicit and Client Credentials grants are currently supported with other grant handlers to be added later. Custom grant handlers can also be registered.

OAuth2 is a new protocol which offers a complex yet elegant solution toward helping end users (resource owners) authorize third-party providers to access their resources. The OAuth2 flow is closely related to the original OAuth 1.0 3-leg flow is called Authorization Code and involves 3 parties: the end user, the third party service (client) and the resource server which is protected by OAuth2 filters. Typically a client offers a service feature that an end user requests and which requires the former to access one or more protected resources on behalf of this user which are located at the resource server. For example, the client may need to access the end user's photos in order to print them and post to the user or read and possibly update a user's calendar in order to make a booking.

In order to make it happen, the third-party service application/client needs to register itself with the OAuth2 server. This happens out-of-band and after the registration the client gets back a client key and secret pair. Typically the client is expected to provide the name and description of the application, the application logo URI, one or more redirect URIs, and other information that may help the OAuth2 authorization server to identify this client to the end user at the authorization time. From then on, the authorization code flow works like this:

  1. End User requests the third-party service using a browser.
  2. The client redirects the end user to OAuth2 Authorization Service, adding its client id, the state, redirect URI and the optional scope to the target URI. The state parameter represents the current end user's request, redirect URI - where the authorization code is expected to be returned to, and the scope is the list of opaque permissions that the client needs in order to access the protected resources.
  3. Authorization Service will retrieve the information about the client using its client id, build an HTML form and return it to the end user. The form will ask the user if a given third-party application can be allowed to access some resources on behalf of this user.
  4. If the user approves it then Authorization Service will generate an authorization code and redirect the user back to the redirect uri provided by the client, also adding a state parameter to the redirect URI.
  5. The client requests an access token from OAuth2 Access Token Service by providing an authorization code grant.
  6. After getting an access token token, the service finally proceeds with accessing the current user's resources and completes the user's request.

As you can see the flow can be complex yet it is very effective. A number of issues may need to be taken care along the way such as managing expired tokens, making sure that the OAuth2 security layer is functioning properly and is not interfering with the end user itself trying to access its own resources, etc. Please check the http://tools.ietf.org/html/draft-ietf-oauth-v2specification and the Wikipedia article as well as other resources available on the WEB for more information you may need to know about OAuth2.

CXF JAX-RS gives the best effort to making this process as simple as possible and requiring only a minimum effort on behalf of OAuth2 server developers. It also offers the utility code for greatly simplifying the way the third-party application can interact with the OAuth2 service endpoints.

Maven dependency needed for CXF's implementation of OAuth2:

<dependency>
   <groupId>org.apache.cxf</groupId>
   <artifactId>cxf-rt-rs-security-oauth2</artifactId>
   <version>2.6.0</version>
</dependency>

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!