[aerogear-dev] Security on AeroGear

Bruno Oliveira bruno at abstractj.org
Tue Jul 2 05:48:27 EDT 2013


Good morning everyone, I'm planning to include JWS (to add digital 
signatures per mobile application)/JWT (to issue a token at each 
transaction or session) support on AeroGear and I was looking at the 
OAuth2 bearer token (which makes use of JWT/JWS behind the scenes) 
implementation from RESTEasy.

I was reading about how to properly include it and now we have a 
decision to make (we, because it will affect the client side, and 
security is not an island :). RESTEasy bearer tokens are completely 
tied to JBoss 
(http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446) 
and I'm not saying it is a bad thing, but with vert.x, TorqueBox, 
Node.js... I'm not sure if it's a good idea.

An example of Bearer Token usage extracted from the RFC 
(http://tools.ietf.org/html/rfc6750):

      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "access_token":"mF_9.B5f-4.1JqM",
        "token_type":"Bearer",
        "expires_in":3600,
        "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
      }

Pros: The RESTEasy team already did it.
Cons: The configuration setup might be hard for newcomers (please look 
at the documentation 
http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446); 
we will be tied to JBoss.

So, do we have an alternative? Yes. Make use of the JWT module only from 
RESTEasy, and we can still benefit from digital signatures and tokens.

An example of JWT usage extracted from the RFC draft 
(http://tools.ietf.org/html/draft-jones-json-web-token-10#page-6):

{
     "iss":"joe",
     "exp":1300819380,
     "http://example.com/is_root":true
}

Pros: Flexibility; we have people already doing it 
(https://wiki.mozilla.org/WebAPI/WebPayment). We will make use of the 
RESTEasy module and not reinvent the wheel.

Cons: The authorization model must be implemented and adapted to our needs.

So what do you think?

ps: SAML is not an option for me now.

-- 
abstractj
