[security-dev] Resteasy 3.0-beta-2 released with OAuth2 support

Bill Burke bburke at redhat.com
Tue Feb 19 12:36:37 EST 2013


I don't have support for:
* Implicit
* Resource Owner Password Credentials Grant

It only supports Access Code and Client Credentials Grants.  For good 
reason...

"Implicit" is an optimization for *public*, insecure clients and not a 
protocol that should be promoted or supported by Resteasy or Picketlink, 
IMO.

The Resteasy's "Client Credentials Grant" generates a token for *ANY* 
authenticated user, be it client or resource owner.  So, it could take 
the place of "Resource Owner Password Credentials Grant".  I could 
implement the "Resource Owner Password Credentials Grant" protocol very 
easily if required, but I just don't see the need for it right now.



On 2/19/2013 11:55 AM, Anil Saldhana wrote:
> Bill,
>     I am unsure the RESTEasy Oauth support has all the grant types:
> https://docs.jboss.org/author/display/PLINK/OAuth+Theory
>
> I am looking here:
> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/resteasy-oauth/src/main/java/org/jboss/resteasy/auth/oauth
>
> Regards,
> Anil
>
>
> On 01/25/2013 08:21 AM, Bill Burke wrote:
>> I need to write up how it works too.  I extended OAuth2 a tiny bit as
>> well as JWT.  If you check out the code, you'll also see I started on an
>> IDP.  If Picketlink is ready, I could start implementing on top of it
>> and/or contribute to the current effort you have on openshift.  Let me
>> know.
>>
>> The current release's experience is a bit limited because you're lacking
>> extra metadata that our own IDP could provide.
>>
>> My current vision on oauth clients is:
>>
>> * They must be registered
>> * They are granted oauth and/or login permissions
>> * If they are only granted oauth permissions, they must also have the
>> set of roles that they are allowed to obtain from a user
>>
>> Code:
>>
>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-key-idm
>>
>> On 1/24/2013 7:24 PM, Anil Saldhana wrote:
>>> Fabulous news. Will provide feedback.
>>>
>>> On Jan 24, 2013, at 4:43 PM, Bill Burke <bburke at redhat.com> wrote:
>>>
>>>> http://bill.burkecentral.com/2013/01/24/resteasy-3-0-beta-2-released-with-new-oauth-2-0-features/
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> security-dev mailing list
>>>> security-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
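To make the design choices in the thread concrete (a token endpoint that accepts only the Authorization Code and Client Credentials grants, refuses "password", and ties issued roles to a registered client's permissions), here is an added, self-contained example. It is not Resteasy's or Picketlink's code; the client registry, the in-memory authorization-code store, the "oauth"/"login" permission model, the way an oauth-only client's roles are intersected with the user's, and the HS256 JWT layout are all assumptions constructed for the illustration.

```python
"""OAuth2 token-endpoint grant dispatch (constructed example, not Resteasy code)."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

# Constructed client registry following the model sketched in the thread:
# every client is registered, carries "oauth" and/or "login" permissions, and
# lists the roles it is allowed to obtain on a user's behalf.
CLIENTS = {
    "reporting-batch": {"secret": "batch-secret", "permissions": {"oauth"},
                        "roles": {"report-reader"}},
    "web-portal": {"secret": "portal-secret", "permissions": {"oauth", "login"},
                   "roles": {"user", "admin"}},
}

# Constructed store of codes already issued by the authorization step:
# code -> consenting user, the client it was issued to, the user's roles.
ISSUED_CODES = {
    "code-abc": {"user": "alice", "client_id": "web-portal", "roles": {"user", "admin"}},
    "code-xyz": {"user": "bob", "client_id": "reporting-batch",
                 "roles": {"user", "report-reader"}},
}

# Only the two grants the thread supports. "password" is refused, and "implicit"
# never reaches a token endpoint anyway (it is issued by the authorization endpoint).
SUPPORTED_GRANTS = {"authorization_code", "client_credentials"}
SIGNING_KEY = b"constructed-demo-hmac-key"  # constructed for the example
TOKEN_TTL = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject, roles, now=None):
    """Build an HS256 JWT carrying the subject and the roles actually granted."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "iat": now, "exp": now + TOKEN_TTL}

    def enc(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except Exception:  # malformed token of any kind is simply rejected
        return None
    return claims if claims.get("exp", 0) > now else None


def authenticate_client(client_id, client_secret):
    """Look up a registered client; constant-time secret comparison."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    return client


def token_endpoint(form_body, now=None):
    """Handle a form-encoded POST to the token endpoint; returns (status, body)."""
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    grant = params.get("grant_type")
    if grant not in SUPPORTED_GRANTS:
        return 400, {"error": "unsupported_grant_type"}
    client_id = params.get("client_id", "")
    client = authenticate_client(client_id, params.get("client_secret", ""))
    if client is None:
        return 401, {"error": "invalid_client"}
    if "oauth" not in client["permissions"]:
        return 403, {"error": "unauthorized_client"}

    if grant == "client_credentials":
        # The client acts as itself and may only request roles it holds.
        requested = set(params.get("scope", "").split()) or client["roles"]
        if not requested <= client["roles"]:
            return 400, {"error": "invalid_scope"}
        subject, granted = client_id, requested
    else:  # authorization_code: single use, and bound to the client it was issued to
        entry = ISSUED_CODES.pop(params.get("code", ""), None)
        if entry is None or entry["client_id"] != client_id:
            return 400, {"error": "invalid_grant"}
        # Assumed reading of the thread: an oauth-only client gets at most the
        # roles it is registered for; a login-capable client gets the user's roles.
        granted = (entry["roles"] if "login" in client["permissions"]
                   else entry["roles"] & client["roles"])
        subject = entry["user"]

    token = issue_jwt(subject, granted, now=now)
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL}
```

Calling `token_endpoint("grant_type=password&username=alice&password=pw&client_id=web-portal&client_secret=portal-secret")` returns `(400, {"error": "unsupported_grant_type"})`, while a client-credentials request from `reporting-batch` yields a JWT whose `roles` claim can never exceed the roles that client was registered with. The `now` parameter exists only so the expiry logic can be exercised deterministically.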
