[security-dev] New SSO/OAuth2 Project

[Bill Burke]

Hey all,

Mark Little approached me about starting a new project to provide an 
SSO/OAuth2 solution for browser apps and RESTful web services.  We've 
gotten some buy-in/signoff from Anil, but I'd like to get buy-in/signoff 
from Boleslaw especially and the rest of you.

The idea is to provide an integrated SSO/OAuth2 solution for browser 
apps and RESTful web services that can be used as a plugin for AS, a 
standalone auth server, a cloud auth server, and/or a cloud SaaS.  The 
end product being something hosted on OpenShift and usable by anybody.

I've started a requirements document and really need help rounding it out:

https://community.jboss.org/wiki/ResteasySkeletonKeyWebSSOOAuth

I also need help on the division of labor, if any with the Picketlink 
team, or any individual on this team.  I'm fine doing all the work, 
delegating pieces to individuals, and/or reusing parts of Picketlink. 
What should the division of labor be?  My first thought is that I'd 
build the service wholly or partially on the IDM API you all have been 
working on.  That way you guys could focus on storage and federation 
(i.e. with LDAP, et. al.) and I could focus on UI, service, and protocol 
aspects.

Also, as most of you already know.  I've already done a ton of work so far:

http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html

Previously I had also even started prototyping a cloudable IDP service 
using Infinispan as a backend store.

https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-key-idm/skeleton-key-idp

When the project is started, I'll be creating a new github project.  I'd 
like to name the project "Resteasy Skeleton Key" or "Picketlink Skeleton 
Key".

Thoughts?  Concerns?  Ideas? Insults? Whines? Cheers? Trash Talk? Once 
things get moving we'll also be talking to PM and the Cloud BU.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com