Versions Compared

Old Version 6

changes.mady.by.user Sergey Beryozkin

Saved on

compared with

New Version Current

changes.mady.by.user Colm O hEigeartaigh

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

 

Table of Contents

Introduction

...

One way to populate it is to register a custom SubjectCreator with either OidcAuthorizationCodeService or OidcImplicitService. For example, Fediz OIDC uses the following SubjectCreator: it accesses a user principal prepared by Fediz Authenticators and creates IdToken by converting an already available SAML token to IdToken and sets it on OidcUserSubject. In other cases a user principal may already have a prepared IdToken. 

...

Services for supporting UserInfo requests and returning IdToken signature verification keys are also shipped. 

...

OIDC Flow Services

Authorization Code Flow

OidcAuthorizationCodeService and AccessTokenService provides a support OIDC Authorization Code flow. OidcAuthorizationCodeService is a simple AuthorizationCodeGrantService extension which enforces OIDC specific constraints. For example, see this line. 

This service issues a code grant, while AccessTokenService returns Access and Id tokens. 

IdTokenResponseFilter (used by AccessTokenService) is where IdToken is actually added to the client response. For example, see this line.

Implicit Flow

OidcImplicitService is a simple ImplicitGrantService extension which enforces OIDC specific constraints and also adds IdToken is actually added to the client response. For example, see this line (Note on this case Implicit Flow is supported due to OidcHybridService extending OidcImplicitService)In order to return an id_token, the OidcImplicitService should be configured as follows:

  1. If the response_type is "id_token token", then the IdTokenResponseFilter should be configured on the OidcImplicitService. The IdTokenResponseFilter in turn needs to know how to create an IdToken, so it must be configured with a IdTokenProvider implementation.
  2. If the response_type is "id_token", then a IdTokenProvider implementation should be configured directly on the OidcImplicitService.

Hybrid Flow

OidcHybridService supports Hybrid Flow by delegating to both OidcImplicitService and OidcAuthorizationCodeService. For example, see this line.

UserInfo Endpoint

UserInfoService returns UserInfo. It checks UserInfoProvider first, next - OidcUserSubject, and finally it defaults to converting the existing IdToken to UserInfo.

Note UserInfoService is accessed by a client which uses the access token issued to it during the user authentication process. Therefore this line enforces it - it will fail if the access token has not been successfully validated. For example, see this line.

JWK Keys Service

OidcKeysService returns a JWK key set containing a public verification JWK key. By default only a public key is returned by but the service can also be configured for JWK key to include the corresponding  X509 certificate chain too.  Use this service if IdToken is signed by a private RSA or EC key for the client be able to fetch the verification keys without having to import them into local key stores. The OidcKeysService can also return a public key stored in a JWK keys file, by specifying the id of the key via "rs.security.keystore.alias" and specifying the type of the keystore ("rs.security.keystore.type") as "jwk".For example, see this line

OidcDynamicRegistrationService

This service is available starting from CXF 3.1.8. It supports the dynamic client registration and management with OIDC specific properties being handled too. At the moment some of the advanced registration properties are not yet processed and linked to the way the core OIDC services operate but the service will be enhanced as needed going forward.

OidcConfigurationService

This service is available starting from CXF 3.1.8. It supports OIDC server configuration queries at ".well-known/openid-configuration".

Fediz OIDC

...

IDP

Fediz OIDC project provides a reference integration between CXF OIDC IDP code and its authentication systemFediz Authentication System. It has OIDC Core supported with a minimum amount of code and configuration.

It creates IdToken in a custom SubjectCreator as described above. Currently it depends one on CXF Ehcache OAuthDataProvider OOB so no custom persistence code is needed. Beside Besides that it provides a support for managing the client registrations. It registers OIDC services as JAX-RS endpoints.

...

OIDC RP client support is needed for the client application to redirect a user to OIDC IDP, get IdToken and validate itIdToken, optionally get UserInfo, and make both IdToken and UserInfo easily accessible to the client application code for it to be able to interact with the user.

Demos

BigQuery demo service is OAuth2 client which relies on CXF OIDC RP code to support interacting with the user, redirecting the user to Google to authenticate, and validating IdToken returned from Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.

...

BasicOidc demo service is not an OAuth2 client, but a basic JAX-RS server. This server works with an HTTP Browser client which uses Google script libraries to get IdToken from Google OIDC Authorization endpoint (OIDC Implicit flow). This browser client interacts with CXF OIDC RP code to get IdToken validated and then posts this token to the demo service. Demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code