[aerogear-dev] OAuth2 Adapter

Summers Pittman supittma at redhat.com
Tue Aug 27 10:26:07 EDT 2013


On 08/26/2013 01:11 PM, Lucas Holmquist wrote:
> We are planning on adding an OAuth2 adapter to the JS library for 1.3.0. We are going to code against the Google OAuth2 playground stuff, but trying to follow the spec as much as possible and try to be as generic as we can.
>
> I'm not sure if this should be an "adapter" or something different. If it is an adapter of the Authentication plugin (not sure what we are calling the different pieces: pipeline, data manager, etc.), then we should expect to see authentication methods (enroll, login, logout), but I think this "adapter" should be much more than that.
>
> It should be used to connect to secured services (API) that a user allows, such as GCM for Chrome or the Google+ platform, or some other enterprisey thing.
>
> I'm wondering if this should be a standalone thing. I kind of like this idea so when we do social login, which will most likely have OAuth2, we can just access it.
>
> Thoughts?
I feel like OAuth2 could be an Adapter/AuthenticationModule rather easily.

** login -> if tokens are provided in the config, use them:
                if tokens are up to date, onSuccess
                else if tokens are expired, renew them
                    if renew succeeds, onSuccess
                    else onFailure
            else if credentials are provided, try login
                if login fails (redirect to some click-through)
                    call onFailure with useful data included?
                if login succeeds
                    update tokens, call onSuccess

** logout -> trash local tokens,
             unregister device (call /logout or w/e)
             onSuccess

** enroll -> throw not implemented exception.  Allow users to override 
if necessary?

One of the things added to Android in 1.1 was an isRetry method on the 
Module.  It is responsible for trying to renew any tokens you had in the 
event of a failure.  It is currently used in Digest Authentication.  So 
if we have our module on a Pipe and it fails because the tokens expired, 
it can refresh the tokens before giving up.

Just my .02 (still beaning up)

One of the things I worry about is us getting "close enough". OAuth2 is 
a bit of a beast and everyone seems to have their own libraries for how 
to handle it (on the Java/Android side anyway).  A way around that is to 
try to make it easy to slot in calls / workflows for a third party but I 
have no idea how to begin approaching that in a universal way.
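
The login and logout flow outlined in the message above, sketched in JavaScript as an added example (not part of the original message and not AeroGear code). `createOAuth2Module`, the `transport` callbacks (`renew`, `passwordLogin`, `revoke`), the token fields and the 30-second expiry margin are all assumptions made for illustration.

```javascript
// Added example; createOAuth2Module, transport.* and the token fields are hypothetical.
var SKEW_MS = 30 * 1000; // assumption: treat tokens as expired 30 s early

function createOAuth2Module(config, transport, now) {
  now = now || Date.now;
  var tokens = config.tokens || null; // { access, refresh, expiresAt } (ms epoch)

  function store(fresh, onSuccess) {
    tokens = fresh;
    onSuccess(tokens);
  }

  function tryCredentials(onSuccess, onFailure) {
    if (!config.credentials) {
      return onFailure({ reason: "no_tokens_or_credentials" });
    }
    transport.passwordLogin(config.credentials, function (err, fresh) {
      if (err) {
        // Hand back only what the caller needs (e.g. a click-through URL),
        // never the submitted credentials.
        return onFailure({ reason: "login_failed", redirect: err.redirect || null });
      }
      store(fresh, onSuccess);
    });
  }

  return {
    login: function (onSuccess, onFailure) {
      if (!tokens) return tryCredentials(onSuccess, onFailure);
      if (tokens.expiresAt - SKEW_MS > now()) return onSuccess(tokens); // up to date
      transport.renew(tokens.refresh, function (err, fresh) {          // expired
        if (err) return onFailure({ reason: "renew_failed" });
        store(fresh, onSuccess);
      });
    },
    logout: function (onSuccess) {
      var old = tokens;
      tokens = null; // trash local tokens before the network call
      if (!old) return onSuccess();
      transport.revoke(old, function () { onSuccess(); }); // e.g. call /logout
    },
    enroll: function () {
      throw new Error("enroll is not implemented for OAuth2");
    },
    current: function () { return tokens; }
  };
}
```

A failed renew reports `renew_failed` rather than silently falling back to stored credentials, matching the outline; a caller with an isRetry-style hook can decide whether to retry.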

