Affects Version/s: None
Fix Version/s: None
Component/s: Application Security > OAuth2
The portal instance is a resource server and an authorisation server at the same time, and separating the two aspects is not supported.
Here is the plan: start with trusted application handling, then check the additional steps we can take to have the portal act as a resource server.
- "Trusted OAuth2 application" for which the user would not be challenged
- we should at least have some story since we have identified the need several times already
- OAuth2 - Liferay as a resource server
While still generating and maintaining its own tokens
- Grant tokens from SAML assertions: when the instance is a registered SP (https://tools.ietf.org/html/rfc7522)
- Grant tokens from JWT tokens (https://tools.ietf.org/html/rfc7523)
- CXF has existing support for these (http://cxf.apache.org/docs/jaxrs-oauth2-assertions.html); we could investigate its integration