[ 
https://issues.apache.org/jira/browse/CXF-4478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504060#comment-13504060
 ] 

Sergey Beryozkin commented on CXF-4478:
---------------------------------------

> OAuth 1.0 must be used because it's more secure and has finalized signed-off 
> documentation.

Put it this way, I do not accept the statement it is more secure - but I agree 
it is secure and I'm also open to making it easier for developers who prefer to 
stay with OAuth 1.0 to get more advanced scenarios implemented.  
If you prefer OAuth 1.0 then I'm fine with that.

Now to move next, I need to have a clear understanding of the scenario you have 
in mind. It does matter how the parameters are managed, whether they have to be 
shared between request & access tokens, and whether the client is expected to 
provide the additional parameters during accessing the protected resource or 
not, because if yes then it means we need to make sure the custom parameters 
are taken into consideration during the signature validation.

So, give me a clear example and we will proceed from there.
 
                
> [OAuth1.0] RequestTokenHandler doesn't support custom input parameters
> ----------------------------------------------------------------------
>
>                 Key: CXF-4478
>                 URL: https://issues.apache.org/jira/browse/CXF-4478
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6.1
>            Reporter: Evgeni Kisel
>
> According to the spec custom parameters can be added but currently it's 
> impossible to use them because:
> 1. there are no hooks in the handle class to be overridden.
> 2. RequestTokenRegistration object doesn't contain a map with custom 
> parameters.
