[security-dev] New SSO/OAuth2 Project

Bruno Oliveira bruno at abstractj.org
Fri Apr 19 22:04:26 EDT 2013


I think Jay already nailed it.

Count me in.

On Apr 19, 2013, at 6:03 PM, Jay Balunas <jbalunas at redhat.com> wrote:

> 
> On Apr 18, 2013, at 8:57 PM, Bill Burke wrote:
> 
>>>> 
>>>> You need to specify what you mean by "server-side application flow
>>>> only".  OAuth from a client perspective (third-party or user agent) is
>>>> really very simple.  It's just a matter of the client obtaining a
>>>> token and transmitting it via a bearer token header.  The code I
>>>> currently ship with resteasy has an auth server, oauth third-party, and
>>>> user examples.  So, while I don't cover every flow type in OAuth
>>>> (specifically the "implicit" model, as it is very insecure; see
>>>> Facebook), I do cover the other modes.
>>> 
>>> I mainly share concerns that Jay mentioned.
>> 
>> I've asked multiple times for clarification on what "mobile" security 
>> means.  Especially since our mobile solution seems to be grounded in 
>> HTML 5 and HTTP requests.
> 
> 
> Let's plan to have a meeting to discuss all of this.  Bruno and I can certainly discuss all of our current plans around mobile and security.  Securing HTTP endpoints is certainly a big part of it.  We're not just focused on HTML5 however.  AeroGear has iOS, Android, and JS client SDKs.  We're also very interested in the IDM support for things like the push server msgs, and data sync.  We also have a good OTP solution.
> 
> More mobile focused security items are around encrypted local storage (native/web/hybrid), offline authentication options, device based auth*, and more...
> 
> One big hole is the OAuth type integration, and we are more than happy to work with whoever is pushing this through.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
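The exchange Bill describes in the quoted text (client obtains a token, then sends it in a bearer header) and the reason the "implicit" grant is singled out as insecure, as an added example that is not part of the original thread and not RESTEasy's or AeroGear's code. The auth endpoint, client id/secret, redirect URI and the in-memory code and token stores are constructed stand-ins so the flow runs offline; the message shapes follow RFC 6749 (authorization code and implicit grants) and RFC 6750 (bearer header).

```python
"""Added example: the OAuth 2.0 client-side exchange in miniature.

All endpoints, client credentials and stores below are constructed stand-ins
(hypothetical), not RESTEasy's auth server or the AeroGear SDKs; they model the
protocol messages so the two grant types can be compared side by side.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example.test/authorize"  # hypothetical
CLIENTS = {"web-app": "s3cret"}   # constructed client_id -> client_secret
AUTH_CODES = {}                    # code -> grant details (auth-server state)
ISSUED_TOKENS = {}                 # opaque token -> client_id, scope, expiry


def build_authorization_url(client_id, redirect_uri, scope, state, response_type="code"):
    """Step 1: the client sends the user agent to the auth server with a CSRF `state`."""
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def _mint_token(client_id, scope, ttl=300):
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"client_id": client_id, "scope": scope,
                            "expires_at": time.time() + ttl}
    return token


def auth_server_issue_code(client_id, redirect_uri, scope, state):
    """Step 2 (authorization code grant): after consent the user agent is
    redirected back with a short-lived, single-use code in the query string."""
    code = secrets.token_urlsafe(16)
    AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope}
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def auth_server_issue_implicit(client_id, redirect_uri, scope, state):
    """Step 2 (implicit grant): the access token itself is placed in the URL
    fragment, so anything that sees the user agent's URL sees the token."""
    token = _mint_token(client_id, scope)
    return redirect_uri + "#" + urlencode(
        {"access_token": token, "token_type": "bearer", "state": state})


def auth_server_exchange_code(code, client_id, client_secret, redirect_uri):
    """Step 3 (code grant only): back-channel token request. The token is
    released only to a client that presents its secret and the original
    redirect_uri, and each code is consumed on first use."""
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return None
    grant = AUTH_CODES.pop(code, None)
    if grant is None or grant["client_id"] != client_id \
            or grant["redirect_uri"] != redirect_uri:
        return None
    return _mint_token(client_id, grant["scope"])


def client_handle_code_redirect(redirect_url, expected_state, client_id,
                                client_secret, redirect_uri):
    """Server-side client: verify `state`, then swap the code for a token."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state or "code" not in q:
        return None
    return auth_server_exchange_code(q["code"][0], client_id, client_secret, redirect_uri)


def token_from_fragment(redirect_url):
    """What a browser (its history, a referer leak, or injected script) can
    read straight out of an implicit-grant redirect."""
    return parse_qs(urlparse(redirect_url).fragment).get("access_token", [None])[0]


def bearer_header(token):
    """Step 4: the client presents the token on every request (RFC 6750)."""
    return {"Authorization": "Bearer " + token}


def resource_server_check(headers, required_scope):
    """Resource server: parse the bearer header, reject unknown, expired or
    under-scoped tokens, and return the client the token was issued to."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    rec = ISSUED_TOKENS.get(token)
    if rec is None or rec["expires_at"] < time.time():
        return None
    if required_scope not in rec["scope"].split():
        return None
    return rec["client_id"]


if __name__ == "__main__":
    cb, state = "https://app.example.test/cb", secrets.token_urlsafe(8)  # hypothetical
    redirect = auth_server_issue_code("web-app", cb, "read", state)
    token = client_handle_code_redirect(redirect, state, "web-app", "s3cret", cb)
    print("code flow ->", resource_server_check(bearer_header(token), "read"))
    leaked = token_from_fragment(auth_server_issue_implicit("web-app", cb, "read", state))
    print("implicit flow, token read from the URL ->",
          resource_server_check(bearer_header(leaked), "read"))
```

The point the two `auth_server_issue_*` functions make: in the code grant the user agent only ever carries a single-use code that is worthless without the client secret, while in the implicit grant the user agent carries the bearer token itself, and the resource server cannot tell a token read out of the URL from one obtained legitimately.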
