[aerogear-dev] Security on AeroGear

Sebastien Blanc scm.blanc at gmail.com
Tue Jul 2 05:58:36 EDT 2013


On Tue, Jul 2, 2013 at 11:48 AM, Bruno Oliveira <bruno at abstractj.org> wrote:

> Good morning everyone, I'm planning to include JWS (to add digital
> signatures per mobile application)/JWT (to issue a token at each
> transaction or session) support on AeroGear and I was looking at OAuth2
> bearer token (which makes use of JWT/JWS behind the scenes)
> implementation from RESTEasy.
>
> I was reading about how to properly include it and now we have a
> decision to make (we, because it will affect the way the client side
> works, and security is not an island :). RESTEasy bearer tokens are
> completely tied to JBoss
> (
> http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446
> )
> and I'm not saying it is a bad thing, but with vert.x, TorqueBox,
> Node.js... I'm not sure if it's a good idea.
>

Well, one of the things for the client libs is that we want to stay backend
agnostic, so yeah ... not really a good idea

>
> An example of Bearer Token usage extracted from RFC
> (http://tools.ietf.org/html/rfc6750)
>
>       HTTP/1.1 200 OK
>       Content-Type: application/json;charset=UTF-8
>       Cache-Control: no-store
>       Pragma: no-cache
>
>       {
>         "access_token":"mF_9.B5f-4.1JqM",
>         "token_type":"Bearer",
>         "expires_in":3600,
>         "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
>       }
>
> Pros: RESTEasy team already did it
> Cons: The configuration setup might be hard to newcomers (please look at
> the documentation
>
> http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446
> ),
> we will be tied to JBoss.
>

See my previous comment

>
> So, do we have an alternative? Yes. Make use of the JWT module only from
> RESTEasy and we can still benefit from digital signatures and tokens.
>
> An example of JWT usage extracted from RFC
> (http://tools.ietf.org/html/draft-jones-json-web-token-10#page-6)
>
> {
>      "iss":"joe",
>      "exp":1300819380,
>      "http://example.com/is_root":true
> }
>
> Pros: Flexibility, we have people already doing it
> (https://wiki.mozilla.org/WebAPI/WebPayment). We will make use of
> RESTEasy module and do not reinvent the wheel.
>
> Cons: The authorization model must be implemented and adapted to our needs
>
> +1


> So what do you think?
>
> ps: SAML is not an option for me now.
>
> --
> abstractj
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
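The JWT-only route Bruno sketches above (a signed token carrying claims, with the authorization model left to the application) can be shown end to end in a few lines. The following is an added example written for this thread, not AeroGear or RESTEasy code: it builds a compact JWS over the exact claims quoted from the draft (iss, exp, http://example.com/is_root) with HMAC-SHA256, then verifies it the way a resource server should, pinning the algorithm rather than trusting the token's own "alg" header, comparing the MAC in constant time, and refusing the token on or after its exp. The shared secret and the "now" timestamps are constructed for illustration.

```python
"""Minimal JWS (HS256) sign/verify for the JWT claims quoted in the thread.

Added example, not AeroGear or RESTEasy code. The secret and the timestamps
passed as `now` are constructed for illustration only.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"aerogear-demo-secret-do-not-use"

# Claims exactly as quoted from draft-jones-json-web-token-10.
DRAFT_CLAIMS = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True}


def _b64url_encode(data):
    # JWS uses base64url with the trailing '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # Restore the padding that the JWS encoding stripped.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret):
    """Return the compact serialization header.payload.signature (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_jwt(token, secret, now=None):
    """Verify signature and expiry; return the claims or raise ValueError.

    The algorithm is pinned to HS256 on the verifier side, so a token that
    announces "alg":"none" (or any other algorithm) is rejected before any
    MAC is computed. The MAC is compared in constant time, and the exp
    claim is enforced as in the draft: not valid on or after exp.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def verify_outcome(token, secret, now=None):
    """Non-raising wrapper: ("ok", claims) or ("rejected", reason)."""
    try:
        return ("ok", verify_jwt(token, secret, now))
    except ValueError as exc:
        return ("rejected", str(exc))


def forged_payload(token, new_claims):
    """Constructed attack: swap the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    body = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return header_b64 + "." + body + "." + sig_b64


def alg_none_token(claims):
    """Constructed attack: unsigned token claiming "alg":"none"."""
    header = _b64url_encode(b'{"alg":"none"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header + "." + body + "."


if __name__ == "__main__":
    tok = sign_jwt(DRAFT_CLAIMS, SECRET)
    print(tok)
    print(verify_outcome(tok, SECRET, now=1300819000))
    print(verify_outcome(tok, SECRET, now=1300819380))
    print(verify_outcome(forged_payload(tok, {"iss": "mallory"}), SECRET, now=1300819000))
    print(verify_outcome(alg_none_token(DRAFT_CLAIMS), SECRET, now=1300819000))
```

Whatever library ends up doing the signing on the server, the three checks in verify_jwt are the ones the application still has to own: which algorithm it accepts, how it compares the signature, and what it does with exp. The authorization model Bruno lists as the con (who may call what, given the claims) starts where verify_jwt returns.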