[security-dev] New SSO/OAuth2 Project

Bill Burke bburke at redhat.com
Thu Apr 18 20:57:48 EDT 2013

On 4/18/2013 5:21 PM, Boleslaw Dawidowicz wrote:
> On Apr 18, 2013, at 9:38 PM, Bill Burke <bburke at redhat.com> wrote:
>> On 4/18/2013 11:52 AM, Bolesław Dawidowicz wrote:
>>> Ok, but first of all I would like to understand better where Bill is
>>> aiming and what does he want to cover. From the requirements it looks
>>> like everything tbh
>> Boleslaw.  I told Markthat I didn't want to do this without signoff from
>> both Anil and *YOU*.  As Anil said, I've been working on OAuth2/REStful
>> IDM for awhile now (Since September 2012) in some form or another and
>> already have something being used by people. Resteasy has also had
>> rudimentary OAuth1 support for years now.  But, I don't want to compete
>> with another JBoss project.  To some degree, I don't want to step on any
>> toes either, but I also want something usable!
> I know your involvement in exploring OAuth and respect it. We were quite counting on reusing your work. Especially example that you shared in January was very interesting.
> I was mainly shocked with scope of your email as it announced whole new huge identity related project out of the sudden. A lot from your listed requirements I was expecting to see as part of PicketLink. I have also sent you email two weeks ego describing in which direction my team is looking at in quite detailed way - without reply. Therefore I assume you know and understand while I'm puzzled here.

The list of requirements I provided was for the final SSO/OAuth 
solution.  It was something I just put together and was hoping for 
input.  Whether it is able to use Picketlink or not I was hoping you'd 
help answer.

>> It seemed to me that you guys were already extremely busy with the IDM
>> API, AS8 security SPI/AP rework, and all the other WS-*/Oasis specs.  I
>> saw Anil's hacked together, zero functionality IDP UI on OpenShift.  It
>> was clear he was busy with other things.  You go to the Picketlink
>> webpage and it looks nothing like a solution.  Links to incomplete
>> projects, unreleased code, incomplete requirements documents.
>> What do you think should be done by this new project vs. Picketlink?  I
>> thought I would build something on top of:
>> http://www.jboss.org/picketlink/IDM.html
>> Isn't that your project Boleslaw?  Your IDM project isn't a good enough
>> division of labor/SPI between the two projects?  You guys are already
>> doing this?  Or just planned on doing this?
> I'm not really sure why are you referring to IDM in this way…

I think you are misunderstanding me. I'm saying, isn't the IDM project 
something an auth server/SaaS could be built on?  Specifically: "an 
object model for managing Identities (Users/Groups/Roles) and associated 
behavior using different identity store backends like LDAP and RDBMS." 
(from picketlink front page).

> PicketLink IDM was founded by me and Anil few years ago. 1.x failed to take off and I described the context too many times already to repeat it. I have done my best to contribute experience from the past into new PicketLink initiative that ended with current 3.x work that is happening here.
> Seeing all great work provided by Anil, Shane, Pedro, Bruno and others in recent months I find reference to "incomplete projects, unreleased code, incomplete requirements documents." quite unfair.
> There was a lot of feedback provided by many camps into requirements for PicketLink. Just to name JDF, AeroGear or Portal. I could dig out what you have replied me when I asked you to contribute to requirement document but I don't think it is worth my time and won't help this discussion. At some point I invested significant time to get different people involved and aware about new activity in PicketLink. Therefore in fairness you shouldn't bash this project like that if you ignored the opportunity to bring in your requirements.

I have participated somewhat in your requirements discussions.

>>> We are very interested for example to have full OAuth2 support (server
>>> side) in PL - even in subsystem. Better with whole SCIM implementation
>>> and handy REST endpoints. So if this could be provided by Bill I'm more
>>> then happy to benefit from his project in our identity related components.
>> SCIM is interesting for identity management, not so interesting or
>> needed for auth or even app development.
> I admit SCIM is very simple but on this side as a standard REST API I find it pretty interesting

I'm saying its good for managing user information from a REST 
perspective, but orthogonal to implementing an auth protocol.  If I'm 
wrong, please speak up.

>>> I'm also interested to learn if Bill is aiming to cover full OAuth2 spec
>>> in his implementation or only server side application flow. Because
>>> otherwise it will be hard to reuse on our side and I imagine it will be
>>> similar for AeroGear as well.
>> YOu need to specify what you mean by "server-side application flow
>> only".  OAuth from a client perspective (thirdparty or user agent) is
>> really very simple.  Its just a matter of the client of obtaining a
>> token and transmitting it via a bearer token header.  The code I
>> currently ship with resteasy has an auth server, oauth thirdparty, and
>> user examples.  So, while I dont' cover every flow type in OAuth
>> (specifically the "implicit" model as it is very insecure (see
>> Facebook), I do cover the other modes.
> I mainly share concerns that Jay mentioned.

I've asked multiple times for clarification on what "mobile" security 
means.  Especially since our mobile solution seems to be grounded in 
HTML 5 and HTTP requests.

>>> What are the components and services that RestEasy would aim to deliver
>>> What would be reusability of this work?
>> I've already spelled it out.  I want a AS plugin, an auth server, and a
>> cloud service with SaaS capability.  It would be a separate project from
>> Resteasy and would probably leverage it and Picketlink as needed.  Is
>> there an existing IDM server project I can build off from or contribute
>> to?  It is very unclear to me a) what you guys are working on b) what is
>> available c) the direction of Picketlink, etc.
> What do you mean by AS plugin? How does it relates to subsystem and work that Darran is driving?

What is Darran driving?  I'm not exactly sure...(and how am I supposed 
to know?)

By AS plugin I mean something like I currently have in my OAuth2 + AS7 
integration.  Its a valve delegating to the JbossWeb security model. 
The new plugin would use the new Undertow valve or security model to 
implement the protocol and delegate to the Picketlink IDM API.

By Auth Server, its a packaged pre-configured service that just runs and 
provides authentication capabilities, SSO, OAuth for browser/RESTful web 

By SaaS, its a service that provides auth services for multiple 
different organizations.

> I'm interested to see authentication capabilities (even full OAuth support) as part of PL Subsystem in AS.

Resteasy has needed a real OAuth solution with a real IDM backbone for 
year and years.  Until Resteasy's OAuth2 work in January, users were 
stuck with basic Servlet security.  What am I supposed to do?

> For general PL Roadmap I will leave reply to Anil.
> Around cloud, authentication and social I described  you in which direction my team is looking. It was in email sent 2 weeks ago. I hoped for a reply.

I missed that.  I'll go look.

> Again, if email failed we can try a call next week and I hope we can agree on how to proceed together. I suggest to take step back a bit and look at requirements and not which project is going to drive the implementation
> We need to also have more detailed discussions about provided components and their exact functionality. Then we could agree together which parts should happen in PL land and which should be shared and abstracted.
>> As for *reusability* of this work...I'm really not interested in doing
>> this project just for the sake of doing it.  If there is going to be
>> competing work in our BU, then, I'm not going to do this project.  Yes,
>> I plan to have separate maven modules for different types of
>> functionality that can be reused. i.e. components like JWT.
> It is great to hear. On my side I'm really against duplicating work. I think discussions that we had on this list in past few weeks are best proof. Instead of just hacking something around on our own we invested our time to help with subsystem work. Did you share with Pedro your needs around AS, server and authentication parts?

I also have other work besides security that I do, but haven't I 
participated numerous times on this list of what I want to do, what 
requirements I have, what I've been doing, what vision I have?

> I repeated it many times already - as a cofounder of PL IDM 1.x I'm especially interested in seeing wide adoption of PicketLink. Cross project collaboration is key here and I hope we won't loose this opportunity.

You guys seem stretched too thin with dealing with the WS-*/Oasis 
monster, constant requests from support and sales to integrate with some 
third-party security api or protocol, the new internal security API for 
Undertow and AS8, and replacing the legacy LoginModule mess with a real 
identity repository.  I'm just not confident you have the cycles to 
provide a solution of which I'm proposing.  This is why I've volunteered 
to step up to the plate and drive it.

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list