[security-dev] New SSO/OAuth2 Project

Jay Balunas jbalunas at redhat.com
Fri Apr 19 17:03:34 EDT 2013


On Apr 18, 2013, at 8:57 PM, Bill Burke wrote:

>>> 
>>> You need to specify what you mean by "server-side application flow
>>> only".  OAuth from a client perspective (third party or user agent) is
>>> really very simple.  It's just a matter of the client obtaining a
>>> token and transmitting it via a bearer token header.  The code I
>>> currently ship with resteasy has an auth server, oauth third party, and
>>> user examples.  So, while I don't cover every flow type in OAuth
>>> (specifically the "implicit" model, as it is very insecure (see
>>> Facebook)), I do cover the other modes.
>> 
>> I mainly share concerns that Jay mentioned.
>> 
> 
> I've asked multiple times for clarification on what "mobile" security 
> means.  Especially since our mobile solution seems to be grounded in 
> HTML 5 and HTTP requests.


Let's plan to have a meeting to discuss all of this.  Bruno and I can certainly discuss all of our current plans around mobile and security.  Securing HTTP endpoints is certainly a big part of it.  We're not just focused on HTML5, however.  AeroGear has iOS, Android, and JS client SDKs.  We're also very interested in the IDM support for things like the push server msgs and data sync, and have a good OTP solution.

More mobile focused security items are around encrypted local storage (native/web/hybrid), offline authentication options, device based auth*, and more...

One big hole is the OAuth type integration, and we are more than happy to work with whoever is pushing this through.
