...

One way to populate it is to register a custom SubjectCreator with either OidcAuthorizationCodeService or OidcImplicitService. For example, Fediz OIDC uses the following SubjectCreator: it reads the user principal prepared by the Fediz Authenticators, converts the already available SAML token into an IdToken and sets that IdToken on the OidcUserSubject. In other cases the user principal may already carry a prepared IdToken.
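As an added illustration of the approach described above (this is example code, not the CXF or Fediz implementation), the following SubjectCreator builds an IdToken from the authenticated principal exposed by the MessageContext and attaches it to an OidcUserSubject. It assumes the CXF 3.1.x SubjectCreator signature that receives the authorization request parameters, and the issuer string and the five-minute lifetime are hypothetical values a deployment would take from configuration:

```java
import java.security.Principal;

import javax.ws.rs.core.MultivaluedMap;

import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;

/**
 * Added example, not CXF's or Fediz's own code: a SubjectCreator that derives the
 * IdToken from the authenticated principal instead of from a SAML token.
 * Assumes the CXF 3.1.x SubjectCreator signature (MessageContext + request params).
 */
public class PrincipalIdTokenSubjectCreator implements SubjectCreator {

    // Hypothetical lifetime; keep ID tokens short-lived, they are not refreshable
    private static final long ID_TOKEN_LIFETIME_SECONDS = 300;

    // Hypothetical issuer value; a real deployment derives it from configuration
    private final String issuer;

    public PrincipalIdTokenSubjectCreator(String issuer) {
        this.issuer = issuer;
    }

    @Override
    public UserSubject createUserSubject(MessageContext mc, MultivaluedMap<String, String> params)
        throws OAuthServiceException {
        Principal principal = mc.getSecurityContext().getUserPrincipal();
        if (principal == null) {
            // Never mint an IdToken for a request that was not authenticated upstream
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        String clientId = params.getFirst(OAuthConstants.CLIENT_ID);
        String nonce = params.getFirst("nonce");
        long nowSeconds = System.currentTimeMillis() / 1000L;

        OidcUserSubject subject = new OidcUserSubject(principal.getName());
        subject.setIdToken(createIdToken(principal.getName(), clientId, nonce, nowSeconds));
        return subject;
    }

    IdToken createIdToken(String subjectName, String clientId, String nonce, long nowSeconds) {
        IdToken idToken = new IdToken();
        idToken.setIssuer(issuer);
        idToken.setSubject(subjectName);
        // 'aud' must name the client the token is issued to; an RP rejects a token
        // whose audience does not match its own client_id
        idToken.setAudience(clientId);
        idToken.setIssuedAt(nowSeconds);
        idToken.setExpiryTime(nowSeconds + ID_TOKEN_LIFETIME_SECONDS);
        idToken.setAuthenticationTime(nowSeconds);
        if (nonce != null) {
            // Echo the client's nonce so the RP can bind the token to its own request
            idToken.setNonce(nonce);
        }
        return idToken;
    }
}
```

The token is left unsigned here on purpose: in the Code flow it is IdTokenResponseFilter that signs the IdToken carried by the OidcUserSubject when the access token is returned, so a SubjectCreator only needs to populate the claims.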

...

OidcAuthorizationCodeService and AccessTokenService together support the OIDC Authorization Code Flow. OidcAuthorizationCodeService is a simple AuthorizationCodeGrantService extension which enforces OIDC-specific constraints. For example, see this line. It can be registered like this.

OidcAuthorizationCodeService issues the code grant, while AccessTokenService returns the access and ID tokens. 

IdTokenResponseFilter (used by AccessTokenService) is where the IdToken is actually added to the client response. For example, see this line.
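The following is an added example of wiring the two Code Flow endpoints programmatically rather than in Spring XML; it is not CXF's own code. It assumes the CXF 3.1.x setter names (dataProvider, subjectCreator, grantHandlers, responseFilter) and that the caller supplies an OAuthDataProvider, a SubjectCreator, and the JOSE properties (the rs.security.keystore.* and rs.security.signature.algorithm keys) that IdTokenResponseFilter needs to sign the IdToken:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
import org.apache.cxf.rs.security.oauth2.services.AccessTokenService;
import org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter;
import org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService;

/**
 * Added example, not CXF's own code: publishes the OIDC Authorization Code Flow
 * endpoints on one JAX-RS server. Assumes CXF 3.1.x property names.
 */
public final class OidcCodeFlowEndpoints {

    private OidcCodeFlowEndpoints() {
    }

    /**
     * @param address        base address, e.g. "/services" (hypothetical)
     * @param dataProvider   OAuthDataProvider storing codes, tokens and clients
     * @param subjectCreator creates the OidcUserSubject carrying the IdToken claims
     * @param joseProperties signing configuration read by IdTokenResponseFilter, e.g.
     *                       rs.security.keystore.type/file/password/alias,
     *                       rs.security.key.password, rs.security.signature.algorithm
     */
    public static Server publish(String address,
                                 OAuthDataProvider dataProvider,
                                 SubjectCreator subjectCreator,
                                 Map<String, Object> joseProperties) {
        // Authorization endpoint: authenticates the user, enforces the OIDC
        // constraints (openid scope, nonce, etc.) and issues the code grant only
        OidcAuthorizationCodeService codeService = new OidcAuthorizationCodeService();
        codeService.setDataProvider(dataProvider);
        codeService.setSubjectCreator(subjectCreator);

        // Token endpoint: the code grant handler swaps the code for an access token,
        // and IdTokenResponseFilter signs and adds the IdToken to the same response
        AuthorizationCodeGrantHandler codeHandler = new AuthorizationCodeGrantHandler();
        codeHandler.setDataProvider(dataProvider);

        AccessTokenService tokenService = new AccessTokenService();
        tokenService.setDataProvider(dataProvider);
        tokenService.setGrantHandlers(
            Collections.<AccessTokenGrantHandler>singletonList(codeHandler));
        tokenService.setResponseFilter(new IdTokenResponseFilter());

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setAddress(address);
        sf.setServiceBeans(Arrays.<Object>asList(codeService, tokenService));
        // Without the signing key properties the filter cannot produce a signed IdToken
        sf.setProperties(joseProperties);
        return sf.create();
    }
}
```

Only the code grant handler is registered on AccessTokenService, so a client cannot obtain tokens through other grants (password, client credentials) from this endpoint unless they are added deliberately. The authentication of the user in front of OidcAuthorizationCodeService is left to whatever JAX-RS security filter the deployment uses; the SubjectCreator only reads its result.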

...

OidcImplicitService is a simple ImplicitGrantService extension which enforces OIDC-specific constraints and also adds the IdToken to the client response. For example, see this line. (Note that in this case the Implicit Flow is supported because OidcHybridService extends OidcImplicitService, but OidcImplicitService can also be registered directly.)

Hybrid Flow

OidcHybridService supports the Hybrid Flow by delegating to both OidcImplicitService and OidcAuthorizationCodeService. For example, see this line.

...

OidcKeysService returns a JWK key set containing the public verification JWK key. By default only the public key is returned, but the service can also be configured to include the corresponding X.509 certificate chain in the JWK. Use this service when the IdToken is signed with a private RSA or EC key, so that clients can fetch the verification keys without having to import them into local key stores.

For example, see this line.

Fediz OIDC Provider

The Fediz OIDC project provides a reference integration between the CXF OIDC IDP code and the Fediz Authentication System. It supports OIDC Core with a minimal amount of code and configuration.

It creates the IdToken in a custom SubjectCreator as described above. Currently it depends on the CXF Ehcache OAuthDataProvider available out of the box, so no custom persistence code is needed. Besides that it provides support for managing client registrations. It registers the OIDC services as JAX-RS endpoints.

...

OIDC RP client support is needed for the client application to redirect a user to the OIDC IDP, get and validate the IdToken, optionally get UserInfo, and make both IdToken and UserInfo easily accessible to the client application code so that it can interact with the user.

Demos

The BigQuery demo service is an OAuth2 client which relies on the CXF OIDC RP code to interact with the user: it redirects the user to Google to authenticate and validates the IdToken returned from Google's AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses the IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.

...