On Tue, Jul 2, 2013 at 11:48 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> Good morning everyone, I'm planning to include JWS (to add digital signatures per mobile application)/JWT (to issue a token at each transaction or session) support on AeroGear and I was looking at the OAuth2 bearer token (which makes use of JWT/JWS behind the scenes) implementation from RESTEasy.
> I was reading about how to properly include it and now we have a decision to make (we because it will affect the way the client side and security is not an island :). RESTEasy bearer tokens are completely tied to JBoss (http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.htm...) and I'm not saying it is a bad thing, but with vert.x, TorqueBox, Nodej...I'm not sure if it's a good idea.
Well, one of the things for the client libs is that we want to stay backend agnostic, so yeah ... not really a good idea.
> An example of Bearer Token usage extracted from the RFC (http://tools.ietf.org/html/rfc6750):
>
> HTTP/1.1 200 OK
> Content-Type: application/json;charset=UTF-8
> Cache-Control: no-store
> Pragma: no-cache
>
> {
> "access_token":"mF_9.B5f-4.1JqM",
> "token_type":"Bearer",
> "expires_in":3600,
> "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
> }
> Pros: the RESTEasy team already did it.
> Cons: the configuration setup might be hard for newcomers (please look at the documentation http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.htm...), and we will be tied to JBoss.
See my previous comment.
> So, do we have an alternative? Yes. Make use of the JWT module only from RESTEasy and we can still benefit from digital signatures and tokens.
>
> An example of JWT usage extracted from the RFC draft (http://tools.ietf.org/html/draft-jones-json-web-token-10#page-6):
>
> {
> "iss":"joe",
> "exp":1300819380,
> "http://example.com/is_root":true
> }
>
> Pros: flexibility, and we have people already doing it (https://wiki.mozilla.org/WebAPI/WebPayment). We will make use of the RESTEasy module and not reinvent the wheel.
> Cons: the authorization model must be implemented and adapted to our needs.
+1
> So what do you think?
>
> ps: SAML is not an option for me now.
>
> --
> abstractj
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev