[security-dev] New SSO/OAuth2 Project

Boleslaw Dawidowicz bdawidow at redhat.com
Thu Apr 18 17:21:59 EDT 2013

On Apr 18, 2013, at 9:38 PM, Bill Burke <bburke at redhat.com> wrote:

> On 4/18/2013 11:52 AM, Bolesław Dawidowicz wrote:
>> Ok, but first of all I would like to understand better where Bill is
>> aiming and what does he want to cover. From the requirements it looks
>> like everything tbh
> Boleslaw.  I told Markthat I didn't want to do this without signoff from 
> both Anil and *YOU*.  As Anil said, I've been working on OAuth2/REStful 
> IDM for awhile now (Since September 2012) in some form or another and 
> already have something being used by people. Resteasy has also had 
> rudimentary OAuth1 support for years now.  But, I don't want to compete 
> with another JBoss project.  To some degree, I don't want to step on any 
> toes either, but I also want something usable!

I know your involvement in exploring OAuth and respect it. We were quite counting on reusing your work. Especially example that you shared in January was very interesting. 

I was mainly shocked with scope of your email as it announced whole new huge identity related project out of the sudden. A lot from your listed requirements I was expecting to see as part of PicketLink. I have also sent you email two weeks ego describing in which direction my team is looking at in quite detailed way - without reply. Therefore I assume you know and understand while I'm puzzled here.

> It seemed to me that you guys were already extremely busy with the IDM 
> API, AS8 security SPI/AP rework, and all the other WS-*/Oasis specs.  I 
> saw Anil's hacked together, zero functionality IDP UI on OpenShift.  It 
> was clear he was busy with other things.  You go to the Picketlink 
> webpage and it looks nothing like a solution.  Links to incomplete 
> projects, unreleased code, incomplete requirements documents.
> What do you think should be done by this new project vs. Picketlink?  I 
> thought I would build something on top of:
> http://www.jboss.org/picketlink/IDM.html
> Isn't that your project Boleslaw?  Your IDM project isn't a good enough 
> division of labor/SPI between the two projects?  You guys are already 
> doing this?  Or just planned on doing this?

I'm not really sure why are you referring to IDM in this way… 

PicketLink IDM was founded by me and Anil few years ago. 1.x failed to take off and I described the context too many times already to repeat it. I have done my best to contribute experience from the past into new PicketLink initiative that ended with current 3.x work that is happening here. 

Seeing all great work provided by Anil, Shane, Pedro, Bruno and others in recent months I find reference to "incomplete projects, unreleased code, incomplete requirements documents." quite unfair. 

There was a lot of feedback provided by many camps into requirements for PicketLink. Just to name JDF, AeroGear or Portal. I could dig out what you have replied me when I asked you to contribute to requirement document but I don't think it is worth my time and won't help this discussion. At some point I invested significant time to get different people involved and aware about new activity in PicketLink. Therefore in fairness you shouldn't bash this project like that if you ignored the opportunity to bring in your requirements. 

>> We are very interested for example to have full OAuth2 support (server
>> side) in PL - even in subsystem. Better with whole SCIM implementation
>> and handy REST endpoints. So if this could be provided by Bill I'm more
>> then happy to benefit from his project in our identity related components.
> SCIM is interesting for identity management, not so interesting or 
> needed for auth or even app development.

I admit SCIM is very simple but on this side as a standard REST API I find it pretty interesting

>> I'm also interested to learn if Bill is aiming to cover full OAuth2 spec
>> in his implementation or only server side application flow. Because
>> otherwise it will be hard to reuse on our side and I imagine it will be
>> similar for AeroGear as well.
> YOu need to specify what you mean by "server-side application flow 
> only".  OAuth from a client perspective (thirdparty or user agent) is 
> really very simple.  Its just a matter of the client of obtaining a 
> token and transmitting it via a bearer token header.  The code I 
> currently ship with resteasy has an auth server, oauth thirdparty, and 
> user examples.  So, while I dont' cover every flow type in OAuth 
> (specifically the "implicit" model as it is very insecure (see 
> Facebook), I do cover the other modes.

I mainly share concerns that Jay mentioned. 

>> What are the components and services that RestEasy would aim to deliver
>> What would be reusability of this work?
> I've already spelled it out.  I want a AS plugin, an auth server, and a 
> cloud service with SaaS capability.  It would be a separate project from 
> Resteasy and would probably leverage it and Picketlink as needed.  Is 
> there an existing IDM server project I can build off from or contribute 
> to?  It is very unclear to me a) what you guys are working on b) what is 
> available c) the direction of Picketlink, etc.

What do you mean by AS plugin? How does it relates to subsystem and work that Darran is driving?

I'm interested to see authentication capabilities (even full OAuth support) as part of PL Subsystem in AS.

For general PL Roadmap I will leave reply to Anil.

Around cloud, authentication and social I described  you in which direction my team is looking. It was in email sent 2 weeks ago. I hoped for a reply. 

Again, if email failed we can try a call next week and I hope we can agree on how to proceed together. I suggest to take step back a bit and look at requirements and not which project is going to drive the implementation 

We need to also have more detailed discussions about provided components and their exact functionality. Then we could agree together which parts should happen in PL land and which should be shared and abstracted. 

> As for *reusability* of this work...I'm really not interested in doing 
> this project just for the sake of doing it.  If there is going to be 
> competing work in our BU, then, I'm not going to do this project.  Yes, 
> I plan to have separate maven modules for different types of 
> functionality that can be reused. i.e. components like JWT.

It is great to hear. On my side I'm really against duplicating work. I think discussions that we had on this list in past few weeks are best proof. Instead of just hacking something around on our own we invested our time to help with subsystem work. Did you share with Pedro your needs around AS, server and authentication parts?

I repeated it many times already - as a cofounder of PL IDM 1.x I'm especially interested in seeing wide adoption of PicketLink. Cross project collaboration is key here and I hope we won't loose this opportunity.

>> If PicketLink is just internally consumed component by RestEasy aimed to
>> only handle storage it doesn't sound very appealing to us.
> The current stuff I already have in Resteasy (linked earlier) delegates 
> to Picketlink's legacy LoginModule infrastructure to perform auth.  Its 
> also limited because it can't get at any other metadata other than 
> principal and roll mappings.  Would be cool to be able to generate more 
> complex tokens, add support for OAuth scope, things like that. 
> Impossible without being able to pull information from a real identity 
> repository.
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

More information about the security-dev mailing list