
...

OidcAuthorizationCodeService and AccessTokenService together support the OIDC Authorization Code flow. OidcAuthorizationCodeService is a simple AuthorizationCodeGrantService extension which enforces OIDC-specific constraints. For example, see this line.

IdTokenResponseFilter (used by AccessTokenService) is where the IdToken is actually added to the client response. For example, see this line.

Implicit Flow

OidcImplicitService is a simple ImplicitGrantService extension which enforces OIDC-specific constraints and also adds the IdToken to the client response. For example, see this line (note that in this case the Implicit Flow is supported because OidcHybridService extends OidcImplicitService).

Hybrid Flow

OidcHybridService supports the Hybrid Flow by delegating to both OidcImplicitService and OidcAuthorizationCodeService. For example, see this line.

UserInfo Endpoint

UserInfoService returns UserInfo. It checks UserInfoProvider first, then OidcUserSubject, and finally defaults to converting the existing IdToken to UserInfo.

Note that UserInfoService is accessed by a client using the access token issued to it during the user authentication process. Therefore this line enforces that requirement: the request fails if the access token has not been successfully validated. For example, see this line.
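The resolution order and the access-token check described above, modelled as an added Python example (not CXF's own code): UserInfoProvider first, then the UserInfo held by OidcUserSubject, then conversion of the IdToken. The set of token-level claims dropped during conversion and the `validated` flag on the access token are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Claims that describe the IdToken JWT itself rather than the end user; they are
# dropped when the IdToken is converted to UserInfo (assumption for this example).
TOKEN_ONLY_CLAIMS = {"iss", "aud", "exp", "iat", "auth_time", "nonce",
                     "azp", "at_hash", "c_hash"}


@dataclass
class OidcUserSubject:
    """Authenticated user as created by the IDP's SubjectCreator."""
    id_token: dict
    user_info: Optional[dict] = None


@dataclass
class AccessToken:
    """Access token issued alongside the IdToken. 'validated' stands for the
    result of the bearer-token validation that runs before the endpoint."""
    client_id: str
    subject: OidcUserSubject
    validated: bool = False


def id_token_to_user_info(id_token: dict) -> dict:
    """Fallback: keep only the end-user claims of the IdToken."""
    return {k: v for k, v in id_token.items() if k not in TOKEN_ONLY_CLAIMS}


class UserInfoService:
    def __init__(self, provider: Optional[Callable[[str, OidcUserSubject], Optional[dict]]] = None):
        self.provider = provider  # stands in for a configured UserInfoProvider

    def get_user_info(self, token: AccessToken) -> dict:
        # The endpoint is only reachable with a validated access token.
        if not token.validated:
            raise PermissionError("access token has not been validated")
        subject = token.subject
        # 1. UserInfoProvider, if one is configured and it knows the user
        if self.provider is not None:
            info = self.provider(token.client_id, subject)
            if info is not None:
                return info
        # 2. UserInfo already attached to the OidcUserSubject
        if subject.user_info is not None:
            return subject.user_info
        # 3. Convert the existing IdToken
        return id_token_to_user_info(subject.id_token)
```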

JWK Keys Service

OidcKeysService returns a JWK key set containing a public verification JWK key. By default only the public key is returned, but the service can be configured to include the corresponding X.509 certificate chain in the JWK too. Use this service if the IdToken is signed by a private RSA or EC key, so that the client can fetch the verification keys without having to import them into local key stores.

For example, see this line.

Fediz OIDC Provider

The Fediz OIDC project provides a reference integration between the CXF OIDC IDP code and its authentication system. It supports OIDC Core with a minimal amount of code and configuration.

It creates the IdToken in a custom SubjectCreator as described above. Currently it depends on the CXF Ehcache OAuthDataProvider out of the box, so no custom persistence code is needed. Besides that, it provides support for managing client registrations. It registers the OIDC services as JAX-RS endpoints.

While some implementation details may change going forward (for example, an alternative data provider may be introduced), for the most part it shows that creating the IdToken is all that is really needed to get the container integrated with the CXF OIDC code.

OIDC RP support

OIDC RP client support is needed for the client application to redirect a user to the OIDC IDP, obtain and validate the IdToken, optionally obtain UserInfo, and make both the IdToken and UserInfo easily accessible to the client application code so that it can interact with the user.

Demos

The BigQuery demo service is an OAuth2 client which relies on the CXF OIDC RP code to interact with the user, redirect the user to Google to authenticate, and validate the IdToken returned from Google's AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses the IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.

For example, the context is injected and used to get the access token and the user info. See the context, with comments on how to configure the RP filters.

The BasicOidc demo service is not an OAuth2 client but a basic JAX-RS server. This server works with an HTTP browser client which uses Google script libraries to get an IdToken from the Google OIDC Authorization endpoint (OIDC Implicit flow). The browser client interacts with the CXF OIDC RP code to get the IdToken validated and then posts this token to the demo service. The demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code.

...