...

OidcAuthorizationCodeService is a simple AuthorizationCodeGrantService extension which enforces OIDC-specific constraints. It can be registered like this.

This service issues a code grant, while AccessTokenService returns the access and ID tokens.

IdTokenResponseFilter (used by AccessTokenService) is where the IdToken is actually added to the client response. For example, see this line.

Implicit Flow

OidcImplicitService is a simple ImplicitGrantService extension which enforces OIDC-specific constraints and adds the IdToken to the client response. For example, see this line. (Note that in this case Implicit Flow is supported because OidcHybridService extends OidcImplicitService, but OidcImplicitService can also be registered directly.)

Hybrid Flow

OidcHybridService supports Hybrid Flow by delegating to both OidcImplicitService and OidcAuthorizationCodeService. For example, see this line.

UserInfo Endpoint

UserInfoService returns UserInfo. It checks UserInfoProvider first, then OidcUserSubject, and finally falls back to converting the existing IdToken to UserInfo.

Note that UserInfoService is accessed by a client using the access token issued to it during the user authentication process. Therefore this line enforces it: the request fails if the access token has not been successfully validated. For example, see this line.

JWK Keys Service

OidcKeysService returns a JWK key set containing a public verification JWK key. By default only the public key is returned, but the service can also be configured to include the corresponding X.509 certificate chain in the JWK. Use this service when the IdToken is signed by a private RSA or EC key, so that the client can fetch the verification keys without having to import them into local key stores. For example, see this line.
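The following is an added example, not code from the CXF project or from this page, showing how the services described above (code, implicit, hybrid, access token, UserInfo and JWK endpoints) can be wired together programmatically with JAXRSServerFactoryBean instead of a Spring or Blueprint descriptor. The class names come from CXF's rs-security-oidc and rs-security-oauth2 modules; the custom UserInfoProvider, the data provider and the subject creator are assumed to be supplied by the application, and the claim values are constructed for illustration.

```java
import java.util.Arrays;

import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
import org.apache.cxf.rs.security.oauth2.services.AccessTokenService;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.common.UserInfo;
import org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter;
import org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService;
import org.apache.cxf.rs.security.oidc.idp.OidcHybridService;
import org.apache.cxf.rs.security.oidc.idp.OidcKeysService;
import org.apache.cxf.rs.security.oidc.idp.UserInfoProvider;
import org.apache.cxf.rs.security.oidc.idp.UserInfoService;

public class OidcIdpWiring {

    // Assumed application-provided UserInfoProvider: UserInfoService consults it
    // before falling back to OidcUserSubject and then to the IdToken.
    static final class DirectoryUserInfoProvider implements UserInfoProvider {
        @Override
        public UserInfo getUserInfo(String clientId, UserSubject authenticatedUser, IdToken idToken) {
            UserInfo info = new UserInfo();
            // Keep the subject identical to the one in the IdToken so the client can correlate them.
            info.setSubject(authenticatedUser.getLogin());
            // Constructed claim values; a real provider would read them from a user directory.
            info.setName("Constructed Example Name");
            info.setEmail("user@example.invalid");
            return info;
        }
    }

    // dataProvider and subjectCreator are assumed to be configured elsewhere (e.g. the
    // Ehcache-backed OAuthDataProvider mentioned on this page and a SubjectCreator that
    // builds an OidcUserSubject carrying the IdToken).
    public static JAXRSServerFactoryBean buildIdp(OAuthDataProvider dataProvider,
                                                  SubjectCreator subjectCreator) {
        // Authorization code flow with OIDC constraints enforced.
        OidcAuthorizationCodeService codeService = new OidcAuthorizationCodeService();
        codeService.setDataProvider(dataProvider);
        codeService.setSubjectCreator(subjectCreator);

        // Hybrid flow: extends OidcImplicitService, so implicit flow is served by the same bean.
        OidcHybridService hybridService = new OidcHybridService();
        hybridService.setDataProvider(dataProvider);
        hybridService.setSubjectCreator(subjectCreator);
        hybridService.setCodeService(codeService);

        // Token endpoint; IdTokenResponseFilter is what adds the IdToken to the token response.
        AccessTokenService tokenService = new AccessTokenService();
        tokenService.setDataProvider(dataProvider);
        tokenService.setResponseFilter(new IdTokenResponseFilter());

        // UserInfo endpoint; access token validation is enforced by the service itself.
        UserInfoService userInfoService = new UserInfoService();
        userInfoService.setDataProvider(dataProvider);
        userInfoService.setUserInfoProvider(new DirectoryUserInfoProvider());

        // JWK endpoint publishing only the public verification key (its default behaviour).
        OidcKeysService keysService = new OidcKeysService();

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setAddress("/idp"); // assumed base address
        sf.setServiceBeans(Arrays.asList(codeService, hybridService, tokenService,
                                         userInfoService, keysService));
        return sf;
    }
}
```

The signing key used by IdTokenResponseFilter and published by OidcKeysService is read from the usual CXF JWS/JWK endpoint properties, which are not shown here; the point of the example is the relationship between the beans, in particular that OidcHybridService must be given the code service it delegates to, and that UserInfoService takes the provider it checks first.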


Fediz OIDC IDP

The Fediz OIDC project provides a reference integration between the CXF OIDC IDP code and the Fediz authentication system. It supports OIDC Core with a minimal amount of code and configuration.

It creates the IdToken in a custom SubjectCreator as described above. Currently it depends on the CXF Ehcache OAuthDataProvider out of the box, so no custom persistence code is needed. Besides that, it provides support for managing client registrations. It registers the OIDC services as JAX-RS endpoints.

...