[security-dev] Resteasy 3.0-beta-2 released with OAuth2 support
Bill Burke
bburke at redhat.com
Tue Feb 19 13:11:27 EST 2013
BTW, once Picketlink IDM API is ready, there's a lot more cool stuff
that could be done around this as additional metadata could be
specified. I'd also really like to contribute to your IDP Server to
support various OAuth protocols and configurations.
On 2/19/2013 12:36 PM, Bill Burke wrote:
> I don't have support for:
> * Implicit
> * Resource Owner Password Credentials Grant
>
> It only supports Access Code and Client Credentials Grants. For good
> reason...
>
> "Implicit" is an optimization for *public*, insecure clients and not a
> protocol that should be promoted or supported by Resteasy or Picketlink,
> IMO.
>
> The Resteasy's "Client Credentials Grant" generates a token for *ANY*
> authenticated user, be it client or resource owner. So, it could take
> the place of "Resource Owner Password Credentials Grant". I could
> implement the "Resource Owner Password Credentials Grant" protocol very
> easily if required, but I just don't see the need for it right now.
>
>
>
> On 2/19/2013 11:55 AM, Anil Saldhana wrote:
>> Bill,
>> I am unsure the RESTEasy Oauth support has all the grant types:
>> https://docs.jboss.org/author/display/PLINK/OAuth+Theory
>>
>> I am looking here:
>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/resteasy-oauth/src/main/java/org/jboss/resteasy/auth/oauth
>>
>> Regards,
>> Anil
>>
>>
>> On 01/25/2013 08:21 AM, Bill Burke wrote:
>>> I need to write up how it works too. I extended OAuth2 a tiny bit as
>>> well as JWT. If you check out the code, you'll also see I started on an
>>> IDP. If Picklink is ready, I could start implementing on top of it
>>> and/or contribute to the current effort you have on openshift. Let me
>>> know.
>>>
>>> The current release's experience is a bit limited because you're lacking
>>> extra metadata that our own IDP could provide.
>>>
>>> My current vision on oauth clients is:
>>>
>>> * THey must be registered
>>> * They are granted oauth and/or login permissions
>>> * If they are only granted oauth permissions, they must also have the
>>> set of roles that they are allowed to obtain from a user
>>>
>>> Code:
>>>
>>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-key-idm
>>>
>>> On 1/24/2013 7:24 PM, Anil Saldhana wrote:
>>>> Fabulous news. Will provide feedback.
>>>>
>>>> On Jan 24, 2013, at 4:43 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>>> http://bill.burkecentral.com/2013/01/24/resteasy-3-0-beta-2-released-with-new-oauth-2-0-features/
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>> _______________________________________________
>>>>> security-dev mailing list
>>>>> security-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the security-dev
mailing list