[
https://issues.apache.org/jira/browse/CXF-7137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15671997#comment-15671997
]
Sergey Beryozkin commented on CXF-7137:
---------------------------------------
Hi, as far as I'm aware, a client secret is only issued by Authorization
Service only after the successful client registration, with a (confidential web
server) client keeping it private and only using when talking to
AccessTokenService.
I don't understand why would this client make this secret visible as part of
its Swagger API Docs - that would a security leak.
Can you explain please how does it work ?
Thanks
> Allow OAuth2 customization via Swagger2Feature
> ----------------------------------------------
>
> Key: CXF-7137
> URL: https://issues.apache.org/jira/browse/CXF-7137
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS
> Affects Versions: 3.1.8
> Reporter: Alexander K.
>
> It seems that there is no way to customize initOAuth() details like clientId,
> clientSecret, realm, appName, etc. for SwaggerUI-OAuth integration. This will
> allow Swagger-UI authorization for protected CXF REST services by an
> authorization server such as Keycloak.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
