Client Credentials grant support in the Apache CXF Fediz OIDC service

Apache CXF Fediz ships with a powerful and flexible OpenId Connect (OIDC) service that can be used to implement SSO for your organisation. All of the core OIDC flows are supported - Authorization Code flow, Implicit and Hybrid flows. As OIDC is just an identity layer over OAuth 2.0, it's possible to use Fediz as a purely OAuth 2.0 service as well, and all of the authorization grants defined in the spec are also fully supported. In this post we will look at support for one of these authorization grants in Fediz 1.3.1 - the client credentials grant.

1) The OAuth 2.0 client credentials grant

The client credentials grant is used for when the client is requesting access for a resource that is owned or controlled by that client. There is no enduser in this scenario, unlike say the authorization code flow or implicit flow. The client simply calls the token endpoint of the authorization service using "client_credentials" for the "grant_type" parameter. In addition, the client must authenticate (e.g. by supplying client_id and client_secret parameters). The authorization service authenticates the client and then returns an access token.

2) Supporting the client credentials grant in Fediz OIDC

It's easy to support the client credentials grant in the Fediz OIDC service.

a) Add the ClientCredentialsGrantHandler

Firstly, the ClientCredentialsGrantHandler must be added to the list of grant handlers supported by the token service as follows:

	<bean id="refreshTokenHandler"
	class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
	<property name="dataProvider" ref="oauthProvider"/>
	</bean>
	<bean id="clientCredsHandler"
	class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
	<property name="dataProvider" ref="oauthProvider"/>
	</bean>
	<util:list id="grantHandlers">
	<ref bean="refreshTokenHandler"/>
	<ref bean="clientCredsHandler"/>
	</util:list>
	<bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
	<property name="dataProvider" ref="oauthProvider"/>
	<property name="responseFilter" ref="idTokenFilter"/>
	<property name="grantHandlers" ref="grantHandlers"/>
	<property name="canSupportPublicClients" value="true"/>
	</bean>

view raw gistfile1.txt hosted with ❤ by GitHub

b) Add a way of authenticating the client

The next step is to add a way of authenticating the client credentials. Fediz uses JAAS to make it easy for the deployer to plug in different JAAS LoginModules if required. To configure JAAS, you must specify the name of the JAAS LoginModule in the configuration of the OAuthDataProviderImpl:

	<bean id="oauthProvider"
	class="org.apache.cxf.fediz.service.oidc.OAuthDataProviderImpl"
	init-method="init" destroy-method="close">
	<!-- List of accepted scopes -->
	<property name="supportedScopes" ref="supportedScopes"/>
	<!--
	List of scopes that the consent/authorization form should make
	selected by default. For example, asking a user to do an extra click
	to approve an "oidc" scope is a redundant operation because this scope
	is required anyway.
	-->
	<property name="defaultScopes" ref="coreScopes"/>
	<property name="invisibleToClientScopes" ref="invisibleToClientScopes"/>
	<property name="contextName" value="sts"/>
	</bean>

view raw data-manager.xml hosted with ❤ by GitHub

c) Example JAAS configuration

For the normal OIDC flows, the Fediz OIDC uses a WS-Federation filter to redirect the browser to the Fediz IdP, where the end user is then ultimately authenticated by the STS that bundles with Fediz. Therefore it seems like a natural fit to re-use the STS to authenticate the client in the Fediz OIDC. Follow steps (a) and (b) above. Start the Fediz STS, but before starting the OIDC service, specify the "java.security.auth.login.config" system property to point to the following JAAS configuration file:

	sts {
	org.apache.cxf.ws.security.trust.STSLoginModule required
	require.roles="true"
	disable.on.behalf.of="true"
	wsdl.location="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA/STSServiceTransportUT?wsdl"
	service.name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"
	endpoint.name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}TransportUT_Port";
	};

view raw sts.jaas hosted with ❤ by GitHub

You must substitute the correct port for "${idp.https.port}". The STSLoginModule takes the given username and password supplied by the client and uses them to authenticate to the STS.