[jboss-jira] [JBoss JIRA] (WFLY-13732) Review current support for OAuth2
Darran Lofthouse (Jira)
issues at jboss.org
Mon Aug 3 10:08:01 EDT 2020
Darran Lofthouse created WFLY-13732:
---------------------------------------
Summary: Review current support for OAuth2
Key: WFLY-13732
URL: https://issues.redhat.com/browse/WFLY-13732
Project: WildFly
Issue Type: Task
Components: Security
Reporter: Darran Lofthouse
We presently have support for OAuth2 within our SASL authentication mechanisms to enable tools such as the CLI to make use of an authorization server to obtain an access token.
We should review what else is presently available for OAuth2 for applications within the application server and what we should be doing, especially in the context of confidential clients.
Our implementation of a Bearer HTTP authentication mechanism does challenge but I don't believe all do so to avoid round trips, additionally additional information may be required such as which authorization server to contact and names of relevant scopes etc..
Can anything be done to automate the redirection to the client if required?
How about storage of tokens, either access or refresh tokens? What do they relate to?
For a client credentials grant should the tokens be stored in possibly the credential store? But maybe they relate to a single application only.
For the resource owner grants do they live just within a session? Could they be associated with the current SecurityIdentity for future use.
Overall this task is to understand where we are and where we could go.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
More information about the jboss-jira
mailing list