...

Introduction

New:

• OAuth2 module now depends on CXF cxf-rt-rs-security-jose module with the utility code in place to support a number of OAuth2 features depending on JOSE
• CXF 3.0.0-milestone2 makes it simpler to encrypt the token and other OAuth2 server model state
• OAuthDataProvider has a new revokeToken() method added  to support the client-driven token revocation
• AccessTokenValidationService has been enhanced to ensure the validation can proceed only if the authenticated Principal is available.   
• OAuthRequestInterceptor has been added to make it easier for non-JAXRS endpoints to use OAuth2 tokens
  
  

CXF provides the implementation of OAuth 2.0. See also the JAX-RS OAuth page for information about OAuth 1.0.

...

Starting from CXF 2.7.7 an audience parameter is supported during the client token requests.

OAuthJSONProvider

org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider is a JAX-RS MessageBodyWriter which supports returning ClientAccessToken and OAuthError representations to the client in a JSON format required by OAuth2 spec. It is also a JAX-RS MessageBodyReader that is used by client OAuthClientUtils (see below) to read the responses from AccessTokenService.

Register it as a provider with a JAXRS AccessTokenService endpoint.

Alternatively, if you prefer, a custom MessageBodyWriter implementation can be registered instead.

AccessTokenValidationService

...