[ https://issues.apache.org/jira/browse/CXF-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13505579#comment-13505579 ]
Sergey Beryozkin commented on CXF-4656:
---------------------------------------

Thanks for the update; I wonder if you are doing it right or not...

The token subject is the end user subject which was created by ImplicitGrantService by calling on the implementation of AuthorizationCodeDataProvider. It is not a very good name for the provider used with the Implicit service :-) but the responsibility of the provider implementing AuthorizationCodeDataProvider is the same really whether the code or implicit grant is used...

So when this subject is created by ImplicitGrantService, only the principal name and roles, if any, are added - I'll need to make it easier to customize it by at least making the method where it is done protected, but at the moment it is not even possible to customize it.

Next, AccessTokenService is expected to use org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler - you can definitely write your own, but the point is that it is exactly that subject that was created at the previous step which is supposed to be presented as the token subject to the data provider - otherwise, if the token subject is set to be the same as the client subject, then the filter will let the client access the resources of all the end users...

Can you have a look please at AuthorizationCodeGrantHandler? Do you use it, and if you don't, then is it what you do in your custom grant handler?

thanks

> [OAuth 2] Add attributes property to UserSubject object
> -------------------------------------------------------
>
>                 Key: CXF-4656
>                 URL: https://issues.apache.org/jira/browse/CXF-4656
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.6.3, 2.7.0
>            Reporter: Steven Tippetts
>
> I need to be able to provide a few authentication attributes to my endpoints
> along with the login and roles. These attributes are things like the
> principal's id or name and come from the authentication provider. An
> "attributes" property that is a Map<String, String> in the UserSubject object
> would work out nicely.
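To make the point of the comment concrete, here is an added, simplified Java sketch (not CXF code; every class below is a stand-in for the CXF type of the same name, and the attributes map is the one the issue asks for) showing why the token must carry the end-user subject captured at grant time rather than the client's own subject, and how a resource filter keyed on the token subject then behaves in each case.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-ins for the CXF types named in the thread (assumption: simplified, not the real API).
record UserSubject(String login, Map<String, String> attributes) {}
record Client(String clientId, UserSubject clientSubject) {}
record CodeGrant(String code, Client client, UserSubject endUserSubject) {}
record AccessToken(String value, Client client, UserSubject subject) {}

public class TokenSubjectDemo {
    // Correct: the token subject is the end-user subject that the implicit/code grant
    // service stored in the grant when the user authorized the client.
    static AccessToken createTokenFromGrant(CodeGrant grant) {
        return new AccessToken("tok-" + grant.code(), grant.client(), grant.endUserSubject());
    }

    // The mistake the comment warns about: the token subject is the client's subject,
    // so the token no longer identifies any end user at all.
    static AccessToken createTokenWithClientSubject(CodeGrant grant) {
        return new AccessToken("tok-" + grant.code(), grant.client(), grant.client().clientSubject());
    }

    // What a resource filter must enforce: the token's subject owns the requested resource.
    // A filter that cannot do this comparison (because the subject is the client) has no
    // per-user boundary left to apply, which is how the client ends up seeing every user.
    static boolean filterAllows(AccessToken token, String resourceOwnerLogin) {
        return token.subject() != null && token.subject().login().equals(resourceOwnerLogin);
    }

    public static void main(String[] args) {
        Map<String, String> attrs = new HashMap<>();
        attrs.put("id", "42"); // constructed sample attribute from the authentication provider
        UserSubject alice = new UserSubject("alice", attrs);
        Client app = new Client("web-app", new UserSubject("web-app", Map.of()));
        CodeGrant grant = new CodeGrant("c1", app, alice);

        AccessToken good = createTokenFromGrant(grant);
        AccessToken bad = createTokenWithClientSubject(grant);

        System.out.println(filterAllows(good, "alice")); // true: alice reaches her own resources
        System.out.println(filterAllows(good, "bob"));   // false: not bob's
        System.out.println(filterAllows(bad, "alice"));  // false: the token identifies "web-app", not a user
        // The endpoint can read the attributes the issue asks for from the end-user subject:
        System.out.println(good.subject().attributes().get("id")); // 42
    }
}
```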