Re: [aerogear-dev] Node.js / Passport.js thoughts (was: Re: OAuth2, OpenID connect and AeroGear)

As a learning exercise I just wrote a MEAN application with both web and mobile (cordova) front-ends. The Node.js backend is using passport.js to both authenticate against Gooale's Oauth2 and to secure the REST API I implemented with Express. I should be able to spare some cycles if you could use some extra hands on this. Brian On 14-10-30 11:21 AM, Lucas Holmquist wrote: On Oct 30, 2014, at 2:20 PM, Matthias Wessendorf <matzew(a)apache.org <javascript:_e(%7B%7D,'cvml','matzew@apache.org');>> wrote: On Thu, Oct 30, 2014 at 7:13 PM, Lucas Holmquist <lholmqui(a)redhat.com <javascript:_e(%7B%7D,'cvml','lholmqui@redhat.com');>> wrote: > > On Oct 30, 2014, at 9:41 AM, Matthias Wessendorf <matzew(a)apache.org > <javascript:_e(%7B%7D,'cvml','matzew@apache.org');>> wrote: > > Hello team! > > On Thu, Oct 9, 2014 at 4:49 AM, Bruno Oliveira <bruno(a)abstractj.org > <javascript:_e(%7B%7D,'cvml','bruno@abstractj.org');>> wrote: > Note: Not only for Keycloak, but also compatible with other technologies > like passport on Node.js. > > Great point on being compatible with passport.js! To ensure our OAuth2 > client SDKs do work against node.js (w/ passport.js), how about we build a > Node.js based version of our "Shoot-n-Share backend" ([1]), that is > protected by Passport.js? > > > So to clear up some confusion that might be happening with what > passport is, it is not an OAuth2 server thing. > > it’s really just middleware(think of it as a servlet filter for you > java weenies) for express.js, and by using adapters(like a FB or google), > it can secure RESTful endpoints in that express.js app. > > I think the thing that we can do here is make a keycloack adapter for > passport, using the OAuth2 protocol( similar to passports FB and google > adapters ); > +1 would be nice to get this in https://issues.jboss.org/browse/AGJS-252 On short term, it would be possible to use their existing adapters for FB/Google and protect the node.js backend with these adapters, right ? i think we can do that Sounds like the AGJS-252 is the ultimate solution we want, but I think for a quick test/verification (or even example) of our Android/iOS OAuth2 clients, using the FB/Google adapters from passprt.js would be a good first start ? -Matthias > > > > > It could be a (simple) a 'clone' of our java version. I think for Luke, > our Node.js pro, it would be a fairly simple task :) > > On the client side, the Android/iOS versions of Shoot-n-Share would > simply offer a new upload target for Passport.js, instead of 'just' FB, > Google-Drive and Keycloak. > > That way we will also learn how much Passport.js is actually different, > similar to what we learned on how Google/FB are different ;-) > > Another interesting aspect of this is that, once we are ready to > release our OAuth2 SDKs, it would be awesome to actually ship a node.js > based demo as well, instead of just a Java-based backend demo. That would > clearly show, our client libs are working across different backend > technologies. > > Any thoughts? > > -Matthias > > > [1] > https://github.com/aerogear/aerogear-backend-cookbook/tree/master/Shoot > > > > >> In the end, OAuth2 is just a protocol and >> should support other servers. >> >> - Should we provide examples for OpenID connect? Or abstractions? >> >> To track this issue, we have the following Jira[3] and another for >> OpenID connect[4]. Fell free to link to your respective project. >> >> >> [1] - >> >> http://transcripts.jboss.org/meeting/irc.freenode.org/aerogear/2014/aerog... >> >> [2] - https://gist.github.com/abstractj/04136c6df85cea5f35d1 >> >> [3] - https://issues.jboss.org/browse/AGSEC-180 >> >> [4] - https://issues.jboss.org/browse/AGSEC-190 >> -- >> >> abstractj >> PGP: 0x84DC9914 >> _______________________________________________ >> aerogear-dev mailing list >> aerogear-dev(a)lists.jboss.org >> <javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');> >> https://lists.jboss.org/mailman/listinfo/aerogear-dev >> > > > > -- > Matthias Wessendorf > > blog: http://matthiaswessendorf.wordpress.com/ > sessions: http://www.slideshare.net/mwessendorf > twitter: http://twitter.com/mwessendorf > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org > <javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');> > https://lists.jboss.org/mailman/listinfo/aerogear-dev > > > > _______________________________________________ > aerogear-dev mailing list > aerogear-dev(a)lists.jboss.org > <javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');> > https://lists.jboss.org/mailman/listinfo/aerogear-dev > -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org <javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');> https://lists.jboss.org/mailman/listinfo/aerogear-dev _______________________________________________ aerogear-dev mailing listaerogear-dev(a)lists.jboss.org <javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');>https://lists.jboss.org/mailman/listinfo/aerogear-dev