Some weirdness in oauth2 module


Some weirdness in oauth2 module

Romain Manni-Bucau
Hi CXF dev,

Reviewing and integrating the CXF OAuth2 module in Meecrowave I got some
weirdness. Opened issues about:

- https://issues.apache.org/jira/browse/CXF-8369: code_challenge_method is
not stored in the authorization_code/PKCE dance, so you have to hardcode the
method in your deployment, which is not always desired - and can
unlikely/theoretically lead to comparing a S256 challenge with a plain
verifier. I guess it is just a matter of forwarding this value in all DTOs,
but I wonder if there was a rationale about it.
- https://issues.apache.org/jira/browse/CXF-8368: using jose state encoding
(to be stateless) the code_challenge is forwarded too late in the logic, so
it gets ignored (just inverting some calls makes it work).
- https://issues.apache.org/jira/browse/CXF-8370: to call the authorize
endpoint of the authorization_code flow you must be logged in (define a user
subject), so how are you supposed to log in using authorization_code?

Is PKCE supported or are only bricks provided? Didn't find the doc about it.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>
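The CXF-8369 point above (the authorization server must remember which code_challenge_method the client used, rather than have the deployment hardcode one) is easiest to see with the server-side half of RFC 7636 written out. The following is an added example and not CXF or Meecrowave code: a minimal in-memory authorization server that binds challenge, method and client_id to the issued code, plus a `hardcoded_method` knob that simulates a deployment ignoring the stored method. The function names, the `_codes` store and the `"app"` client id are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical per-code store written at the /authorize step. The point of the
# example is that the method is stored next to the challenge, so the token
# endpoint never has to guess (or hardcode) which transform the client used.
_codes = {}


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved chars (RFC 7636 minimum)."""
    return _b64url(secrets.token_bytes(32))


def make_challenge(verifier: str, method: str) -> str:
    """Client side: derive code_challenge from the verifier for a given method."""
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)


def authorize(client_id: str, code_challenge: str,
              code_challenge_method: str = "plain") -> str:
    """Authorization endpoint: issue a code bound to client, challenge AND method.

    RFC 7636 says a missing code_challenge_method means "plain"."""
    if code_challenge_method not in ("S256", "plain"):
        raise ValueError("unsupported code_challenge_method: " + code_challenge_method)
    code = _b64url(secrets.token_bytes(24))
    _codes[code] = {
        "client_id": client_id,
        "challenge": code_challenge,
        "method": code_challenge_method,
    }
    return code


def exchange(code: str, client_id: str, code_verifier: str,
             hardcoded_method: str = None) -> bool:
    """Token endpoint: True only if the verifier matches the stored challenge.

    hardcoded_method simulates a deployment that ignores the stored method and
    always applies one transform; it exists only to show the failure mode."""
    record = _codes.pop(code, None)  # authorization codes are single use
    if record is None or record["client_id"] != client_id:
        return False
    if not 43 <= len(code_verifier) <= 128:  # RFC 7636 length bounds
        return False
    method = hardcoded_method or record["method"]
    expected = make_challenge(code_verifier, method)
    # Constant-time comparison of the recomputed challenge with the stored one.
    return hmac.compare_digest(expected, record["challenge"])


def run_demo() -> dict:
    """Walk through the honest flow and the two hardcoded-method mismatches."""
    verifier = make_verifier()
    challenge = make_challenge(verifier, "S256")
    results = {}

    # Honest S256 flow with the method stored alongside the code.
    code = authorize("app", challenge, "S256")
    results["stored_method_ok"] = exchange(code, "app", verifier)
    results["replay_rejected"] = not exchange(code, "app", verifier)

    # Deployment hardcodes "plain" although the client sent S256: the legit
    # verifier no longer matches the (hashed) challenge ...
    code = authorize("app", challenge, "S256")
    results["hardcoded_plain_rejects_legit"] = not exchange(
        code, "app", verifier, hardcoded_method="plain")
    # ... while the public challenge string itself would pass as a "verifier",
    # which is why the method must be bound to the code, not to the deployment.
    code = authorize("app", challenge, "S256")
    results["hardcoded_plain_accepts_challenge"] = exchange(
        code, "app", challenge, hardcoded_method="plain")

    # Plain flow where the client omitted the method (defaults to "plain").
    code = authorize("app", verifier)
    results["plain_default_ok"] = exchange(code, "app", verifier)
    return results


if __name__ == "__main__":
    print(run_demo())
```

If the server is stateless (the JOSE-encoded state case of CXF-8368), the same three fields, challenge, method and client_id, have to travel inside the signed state token instead of the `_codes` dictionary; the check at the token endpoint is otherwise unchanged.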

Re: Some weirdness in oauth2 module

coheigea
Administrator
Hey Romain,

PKCE is supported:
http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-PKCEsupport

However we didn't have any system tests for JoseSessionTokenProvider, so
CXF-8368 wasn't caught. It's fixed now. I'll take a look at the other
issues next week.

Colm.

On Tue, Nov 10, 2020 at 7:50 PM Romain Manni-Bucau <[hidden email]>
wrote: