[aerogear-dev] Security on AeroGear
Bruno Oliveira
bruno at abstractj.org
Tue Jul 2 05:48:27 EDT 2013
Good morning everyone, I'm planning to include JWS (to add digital
signatures per mobile application)/JWT (to issue a token at each
transaction or session) support on AeroGear, and I was looking at the OAuth2
bearer token (which makes use of JWT/JWS behind the scenes)
implementation from RESTEasy.
I was reading about how to properly include it, and now we have a
decision to make ("we" because it will affect the client side, and
security is not an island :). RESTEasy bearer tokens are completely tied
to JBoss
(http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446),
and I'm not saying it is a bad thing, but with vert.x, TorqueBox,
Nodej...I'm not sure if it's a good idea.
An example of Bearer Token usage extracted from the RFC
(http://tools.ietf.org/html/rfc6750):
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"mF_9.B5f-4.1JqM",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
Pros: The RESTEasy team already did it.
Cons: The configuration setup might be hard for newcomers (please look at
the documentation:
http://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/oauth2.html#d4e1446),
and we will be tied to JBoss.
So, do we have an alternative? Yes. Make use of only the JWT module from
RESTEasy, and we can still benefit from digital signatures and tokens.
An example of JWT usage extracted from the RFC
(http://tools.ietf.org/html/draft-jones-json-web-token-10#page-6):
{
"iss":"joe",
"exp":1300819380,
"http://example.com/is_root":true
}
Pros: Flexibility; we have people already doing it
(https://wiki.mozilla.org/WebAPI/WebPayment). We will make use of the
RESTEasy module and not reinvent the wheel.
Cons: The authorization model must be implemented and adapted to our needs.
So what do you think?
PS: SAML is not an option for me now.
--
abstractj