...

Assuming the 'mobileClient' has been registered as a public client with no secret and the service has been set up to support such clients, the end user will get a chance to authorize this client the same way it can authorize confidential clients. After this the user gets back a code (delivered directly in the response HTML page by default), enters the code securely into the device, and the device then exchanges it for a time-scoped access token by contacting AccessTokenService.

PKCE support

CXF supports RFC 7636: Proof Key for Code Exchange by OAuth Public Clients (PKCE). If you are using the authorization code grant with public clients, it is recommended to use PKCE to avoid attacks which exploit the lack of a binding between the authorization code request and the token request. This binding is achieved for confidential clients by including the client_id in both requests; however, with public clients we do not have a registered client_id. The following extension is supported to help public clients with redirect URIs to accept the code securely.

The public (mobile) client generates a 'code_verifier' value when requesting the authorization code and includes a related 'code_challenge' and an optional 'code_challenge_method' in the request to the authorization service. The authorization service will save the code_challenge value, with the help of the registered AuthorizationCodeDataProvider, into an instance of ServerAuthorizationCodeGrant. The client will next request a token, providing the 'code' and the 'code_verifier'; the latter will be compared by AuthorizationCodeGrantHandler with the original 'code_challenge' value. By default, the 'code_challenge' is expected to be equal to the original 'code_verifier', but the grant handler can be registered with a custom org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer. CXF ships a DigestCodeVerifier which implements the digest transformation described in the extension.
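The flow above (a public client binding its authorization code request to its token request) as an added, self-contained example in Python; it is not CXF code. The 'AuthorizationServer' class, its in-memory grant store and the 'TRANSFORMERS' table are assumptions that stand in for AuthorizationCodeDataProvider, ServerAuthorizationCodeGrant and CodeVerifierTransformer, and, like CXF's default, the server treats 'plain' (challenge equals verifier) as the default method.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes give a 43-char verifier (RFC range is 43..128)."""
    return _b64url(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Hypothetical stand-in for CodeVerifierTransformer: method name -> transform.
TRANSFORMERS = {"plain": lambda v: v, "S256": s256_challenge}


class AuthorizationServer:
    """Hypothetical server holding code grants in memory (constructed for this example)."""

    def __init__(self):
        self._grants = {}  # code -> grant record, like ServerAuthorizationCodeGrant

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "plain") -> str:
        """Authorization request: store the challenge alongside the issued code."""
        if code_challenge_method not in TRANSFORMERS:
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._grants[code] = {"client_id": client_id, "challenge": code_challenge,
                              "method": code_challenge_method}
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token request: code is single-use and must be proven with the verifier."""
        grant = self._grants.pop(code, None)
        if grant is None or grant["client_id"] != client_id:
            return None
        derived = TRANSFORMERS[grant["method"]](code_verifier)
        # Constant-time compare of the transformed verifier with the stored challenge.
        if not hmac.compare_digest(derived, grant["challenge"]):
            return None
        return "access-token-" + secrets.token_urlsafe(8)
```

A code that leaks through the redirect or the response page is useless to anyone who lacks the verifier, and the server rejects a second presentation of the same code.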

...