On Apr 18, 2013, at 8:57 PM, Bill Burke wrote:
>>
>> You need to specify what you mean by "server-side application flow
>> only". OAuth from a client perspective (third party or user agent) is
>> really very simple. It's just a matter of the client obtaining a
>> token and transmitting it via a bearer token header. The code I
>> currently ship with resteasy has an auth server, oauth third party, and
>> user examples. So, while I don't cover every flow type in OAuth
>> (specifically the "implicit" model, as it is very insecure (see
>> Facebook)), I do cover the other modes.
>
> I mainly share concerns that Jay mentioned.
>
I've asked multiple times for clarification on what "mobile" security
means. Especially since our mobile solution seems to be grounded in
HTML 5 and HTTP requests.
Let's plan to have a meeting to discuss all of this. Bruno and I can certainly discuss all
of our current plans around mobile and security. Securing HTTP endpoints is certainly a
big part of it. We're not just focused on HTML5, however. AeroGear has iOS, Android,
and JS client SDKs. We're also very interested in the IDM support for things like the
push server messages and data sync, and having a good OTP solution.
More mobile-focused security items are around encrypted local storage (native/web/hybrid),
offline authentication options, device-based auth*, and more...
One big hole is the OAuth type integration, and we are more than happy to work with whoever
is pushing this through.
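Bill's description above (the client obtains a token and transmits it via a bearer token header) in running code, as an added example; this is not code from the thread, from RESTEasy, or from AeroGear. The in-memory token store, the stand-in auth server `issue_token`, the clock parameter `now`, and the sample subject and scopes are constructed assumptions; the header handling follows RFC 6750 (case-insensitive "Bearer" scheme, token only in the Authorization header, WWW-Authenticate on failure).

```python
"""Bearer-token exchange per RFC 6750: client side builds the header, the
resource server parses and validates it.  Added illustration only; the
token store and issuing step are stand-ins for a real auth server."""
import hmac
import re
import secrets
import time

# Constructed in-memory token store: token -> (subject, scopes, expiry).
# A real deployment would back this with the auth server's token endpoint
# or an introspection call; only the shape of the check matters here.
TOKEN_STORE = {}


def issue_token(subject, scopes, ttl_seconds, now=None):
    """Stand-in for the auth server: mint an opaque random token (assumed API)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = (subject, frozenset(scopes), now + ttl_seconds)
    return token


def bearer_header(token):
    """Client side: the only thing the client needs to attach to a request."""
    return {"Authorization": "Bearer " + token}


# RFC 6750 section 2.1: scheme name is case-insensitive, credentials are a b64token.
_BEARER_RE = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)


def extract_bearer(headers):
    """Return the token from the Authorization header, or None when absent or
    malformed.  Tokens in query strings or form bodies are deliberately not
    accepted: they end up in access logs and Referer headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("authorization")
    if value is None:
        return None
    m = _BEARER_RE.match(value)
    return m.group(1) if m else None


def lookup(token):
    """Constant-time comparison against stored tokens, so the store does not
    act as a timing oracle for guessing a token prefix by prefix."""
    for stored, record in TOKEN_STORE.items():
        if hmac.compare_digest(stored, token):
            return record
    return None


def authorize(headers, required_scope, now=None):
    """Resource-server check.  Returns (status, payload) mimicking an HTTP
    response: 200 with the subject, or 401/403 with a WWW-Authenticate value."""
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:
        # No usable credentials: challenge without an error code (RFC 6750 3.1).
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    record = lookup(token)
    if record is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
    subject, scopes, expiry = record
    if now >= expiry:
        TOKEN_STORE.pop(token, None)  # expired tokens are dropped, never revived
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token", '
                                         'error_description="token expired"'}
    if required_scope not in scopes:
        return 403, {"WWW-Authenticate": 'Bearer realm="api", error="insufficient_scope", '
                                         'scope="%s"' % required_scope}
    return 200, {"subject": subject}


if __name__ == "__main__":
    # Constructed walk-through: a client obtains a token and presents it.
    tok = issue_token("alice", ["read"], ttl_seconds=3600, now=1000.0)
    print(authorize(bearer_header(tok), "read", now=1001.0))   # (200, {'subject': 'alice'})
    print(authorize(bearer_header(tok), "write", now=1001.0))  # 403, insufficient_scope
    print(authorize({}, "read", now=1001.0))                   # 401, bare challenge
```

The point the split into `extract_bearer` / `lookup` / `authorize` makes is that the client's job really is just the header, while the server's job is the sequence of checks (present, well-formed, known, unexpired, scoped) and a distinct challenge for each failure; a real server would also bind the token to TLS and rate-limit the 401 path.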