...

Secure code acquisition with redirect URI

The following extension is supported to help public clients with redirect URIs to accept the code securely, starting from CXF 3.0.0-milestone2.
Note this extension will likely introduce the HMAC calculation in the next drafts, but the current approach can already help.

The public (mobile) client will include a 'code_verifier' value when requesting the authorization code; the Authorization service saves it, with the help of the registered AuthorizationCodeDataProvider, in an instance of ServerAuthorizationCodeGrant. The client will next request a token, providing the 'code' and a 'code_challenge'; the latter is compared by AuthorizationCodeGrantHandler with the original code_verifier. By default the 'code_challenge' is expected to be equal to the original 'code_verifier', but the grant handler can be registered with a custom org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer. CXF ships a DigestCodeVerifierTransformer which implements the transformation mentioned in the extension.
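The exchange described above, modelled end to end as an added example (this is not CXF's own code; the CXF classes named on the page are mirrored by small Python stand-ins with the same roles, and the two transformers are assumptions: the plain one reproduces the default "challenge equals verifier" comparison, while the digest one shows the shape of an S256-style base64url(SHA-256) transform rather than a byte-for-byte guarantee about what DigestCodeVerifierTransformer emits). It also covers the token-exchange step that the AccessTokenService section below describes, and shows why a code that leaks from a redirect URI is useless without the verifier when the digest transformer is registered:

```python
"""Model of the code_verifier / code_challenge extension for the authorization
code grant. Added example; not Apache CXF code. Class names mirror the roles
named on the page, not CXF's actual API signatures."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Same shape as CodeVerifierTransformer.transformCodeVerifier(String): str -> str
Transformer = Callable[[str], str]


def plain_transformer(code_verifier: str) -> str:
    """Default behaviour: the code_challenge must equal the stored code_verifier."""
    return code_verifier


def digest_transformer(code_verifier: str) -> str:
    """S256-style transform: base64url(SHA-256(verifier)) with padding stripped.
    Assumption: illustrates the digest idea, not CXF's exact output."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class OAuthError(Exception):
    """Where the server would answer with an OAuth 'invalid_grant' error."""


@dataclass
class ServerAuthorizationCodeGrant:
    code: str
    client_id: str
    redirect_uri: str
    code_verifier: Optional[str]  # saved when the code is issued


class AuthorizationCodeDataProvider:
    """Stand-in for the registered data provider that persists grants."""

    def __init__(self) -> None:
        self._grants: Dict[str, ServerAuthorizationCodeGrant] = {}

    def create_grant(self, client_id: str, redirect_uri: str,
                     code_verifier: Optional[str]) -> ServerAuthorizationCodeGrant:
        grant = ServerAuthorizationCodeGrant(secrets.token_urlsafe(24), client_id,
                                             redirect_uri, code_verifier)
        self._grants[grant.code] = grant
        return grant

    def remove_grant(self, code: str) -> Optional[ServerAuthorizationCodeGrant]:
        # Removing on lookup makes every code single-use.
        return self._grants.pop(code, None)


def authorize(provider: AuthorizationCodeDataProvider, client_id: str,
              redirect_uri: str, code_verifier: Optional[str]) -> str:
    """Authorization endpoint: the public client sends code_verifier here."""
    return provider.create_grant(client_id, redirect_uri, code_verifier).code


def create_access_token(provider: AuthorizationCodeDataProvider, transformer: Transformer,
                        client_id: str, code: str, redirect_uri: str,
                        code_challenge: Optional[str]) -> Dict[str, str]:
    """Grant handler at the token endpoint: code + code_challenge -> access token."""
    grant = provider.remove_grant(code)
    if grant is None or grant.client_id != client_id or grant.redirect_uri != redirect_uri:
        raise OAuthError("invalid_grant")
    if grant.code_verifier is not None:
        # A verifier was bound to this code, so a challenge is mandatory and
        # must match transformer(verifier); constant-time compare avoids timing leaks.
        if code_challenge is None or not hmac.compare_digest(
                transformer(grant.code_verifier), code_challenge):
            raise OAuthError("invalid_grant")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server_transformer: Transformer, client_challenge: Transformer) -> bool:
    """Full round trip with constructed client values; True if a token is issued."""
    provider = AuthorizationCodeDataProvider()
    verifier = secrets.token_urlsafe(32)
    code = authorize(provider, "mobile-app", "myapp://cb", verifier)
    try:
        create_access_token(provider, server_transformer, "mobile-app", code,
                            "myapp://cb", client_challenge(verifier))
        return True
    except OAuthError:
        return False


def code_is_single_use() -> bool:
    """Replaying a code after a successful exchange must fail."""
    provider = AuthorizationCodeDataProvider()
    code = authorize(provider, "mobile-app", "myapp://cb", "v")
    create_access_token(provider, plain_transformer, "mobile-app", code, "myapp://cb", "v")
    try:
        create_access_token(provider, plain_transformer, "mobile-app", code, "myapp://cb", "v")
        return False
    except OAuthError:
        return True


if __name__ == "__main__":
    print("plain  :", run_flow(plain_transformer, plain_transformer))
    print("digest :", run_flow(digest_transformer, digest_transformer))
    print("no secret:", run_flow(digest_transformer, lambda v: "guess"))
```

With the plain transformer a party that observes the authorization response also sees the verifier-equal challenge, so the digest transformer is the setting worth registering on the grant handler: the token endpoint only ever learns the digest, and a leaked code alone no longer exchanges for a token.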

AccessTokenService

The role of AccessTokenService is to exchange a token grant for a new access token, which the client will then use to access the end user's resources.
Here is an example request log:

...