Meecrowave OAuth2

Starting with version 0.3.0.



A small OAuth2 server based on CXF implementation.

Here is the current configuration (mainly based on CXF one):

Name Description

- How long an access token is valid, default to 3600s
- Is authorization code flow supported
- Should unsecured requests be blocked
- Is a client mandatory or can a token be issued without any client
- Comma separated list of default scopes
- The algorithm for the key for the encrypted provider
- The key for the encrypted provider
- Comma separated list of scopes invisible to the client
- JCache configuration URI for the cache manager (jcache or provider)
- Should JCache JMX MBeans be enabled
- The loader bean or class name
- Should JCache statistics be enabled
- Should JCache store the JWT token key only (jcache provider)
- Should JCache store the value or not
- The writer bean or class name
- JPA database driver for the jpa provider
- JPA database password for the jpa provider
- JPA database URL for the jpa provider
- JPA database username for the jpa provider
- JPA max active connections for the jpa provider
- JPA max idle connections for the jpa provider
- JPA max wait for connections for the jpa provider
- JPA persistence unit properties for the jpa provider
- Should connections be tested on borrow for the jpa provider
- Should connections be tested on return for the jpa provider
- Validation interval for the jpa provider
- Validation query for the jpa provider
- The JWT claims configuration
- Is partial match for scope validation activated
- Which provider type to use: jcache[-code], jpa[-code], encrypted[-code]
- For authorization code flow, should the redirect URI be matched with the application one
- For authorization code flow, how long a session can be
- For authorization code flow, the scopes requiring no consent
- For authorization code flow, should the registered URI be used
- Does issuing an access token also issue a refresh token
- How long a refresh token is valid, default to eternity (0)
- Should refresh tokens be recycled
- Comma separated list of required scopes
- Are pre-authorized tokens supported
- Are public clients supported
- Are token flows supported
- Are all client scopes used for refresh tokens
- Should JAAS be used - the alternative (default) is to delegate to Meecrowave/Tomcat realms
- Should the access token be a JWT
- Should custom errors be written
- Should optional parameters be written

These options are available through the CLI or through properties, as usual with Meecrowave configuration.

Note that Meecrowave also provides a bundle, an executable jar, to run an OAuth2 server.

Here is a sample usage of that bundle:

java -jar meecrowave-oauth2-0.3.1-bundle.jar --users test=test --roles test=test

Then just test your token endpoint:

curl -XPOST http://localhost:8080/oauth2/token -d username=test -d password=test -d grant_type=password

And you should get something like:

These examples use inline users, but you should configure a realm for real usage.
This module is interesting if you plan to base your application development on Meecrowave, because it shows how to use CLI configuration and wire it into your application, but also how to use a 3rd party library (CXF here) and build a fatjar.
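A small client for the token endpoint exercised above, as an added example that is not part of the Meecrowave documentation: it performs the documented password grant, validates the JSON token response (error, missing access_token, non-bearer token_type) and computes the absolute expiry from expires_in, falling back to the documented 3600s default. It assumes the bundle is running on http://localhost:8080 as shown and answers with the standard RFC 6749 token response; the refresh grant assumes refresh tokens are enabled (see the options above).

```python
"""Client helper for the Meecrowave OAuth2 bundle's token endpoint (added example,
not Meecrowave's own code). Assumes the bundle runs as shown above and replies
with the standard RFC 6749 JSON token response."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:8080/oauth2/token"  # endpoint from the curl example above
DEFAULT_LIFETIME = 3600  # documented default access token lifetime, in seconds


def parse_token_response(body, now=None):
    """Validate a token response and return the token with an absolute expiry.

    Rejects error replies, missing access tokens and non-bearer tokens so a
    misconfigured server is noticed instead of its reply being used blindly."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}: {data.get('error_description', '')}")
    if "access_token" not in data:
        raise ValueError("response has no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # None when refresh tokens are disabled
        "scope": data.get("scope", "").split(),
        "expires_at": now + int(data.get("expires_in", DEFAULT_LIFETIME)),
    }


def request_token(grant, url=TOKEN_URL):
    """POST a form-encoded grant to the token endpoint and parse the reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(grant).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as e:  # OAuth2 errors arrive as HTTP 400 with a JSON body
        body = e.read().decode()
    return parse_token_response(body)


def password_grant(username, password, url=TOKEN_URL):
    return request_token({"grant_type": "password", "username": username, "password": password}, url)


def refresh_grant(refresh_token, url=TOKEN_URL):
    # Standard OAuth2 refresh exchange; assumes the server was configured to issue refresh tokens.
    return request_token({"grant_type": "refresh_token", "refresh_token": refresh_token}, url)


if __name__ == "__main__":
    print(password_grant("test", "test"))  # same inline user as the bundle run above
```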

Authorization code case

Authorization code flow is a bit more complicated, but its services (endpoints) can be activated (see the configuration: --oauth2-authorization-code-support).

You will need to configure CXF to point to the keystore/key used to encrypt/sign the token kept in the session. It is properties based. All CXF properties are supported, but prefixed with oauth2.cxf. to avoid mixing them with other configuration starting with rs.

For instance you can use: = jks = /opt/keystores/oauth2.jks = password = alice = pwd