[security-dev] Resteasy 3.0-beta-2 released with OAuth2 support

Bill Burke bburke at redhat.com
Tue Feb 19 13:11:27 EST 2013


BTW, once Picketlink IDM API is ready, there's a lot more cool stuff 
that could be done around this as additional metadata could be 
specified.  I'd also really like to contribute to your IDP Server to 
support various OAuth protocols and configurations.

On 2/19/2013 12:36 PM, Bill Burke wrote:
> I don't have support for:
> * Implicit
> * Resource Owner Password Credentials Grant
>
> It only supports Access Code and Client Credentials Grants.  For good
> reason...
>
> "Implicit" is an optimization for *public*, insecure clients and not a
> protocol that should be promoted or supported by Resteasy or Picketlink,
> IMO.
>
> The Resteasy's "Client Credentials Grant" generates a token for *ANY*
> authenticated user, be it client or resource owner.  So, it could take
> the place of "Resource Owner Password Credentials Grant".  I could
> implement the "Resource Owner Password Credentials Grant" protocol very
> easily if required, but I just don't see the need for it right now.
>
>
>
> On 2/19/2013 11:55 AM, Anil Saldhana wrote:
>> Bill,
>>      I am unsure the RESTEasy Oauth support has all the grant types:
>> https://docs.jboss.org/author/display/PLINK/OAuth+Theory
>>
>> I am looking here:
>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/resteasy-oauth/src/main/java/org/jboss/resteasy/auth/oauth
>>
>> Regards,
>> Anil
>>
>>
>> On 01/25/2013 08:21 AM, Bill Burke wrote:
>>> I need to write up how it works too.  I extended OAuth2 a tiny bit as
>>> well as JWT.  If you check out the code, you'll also see I started on an
>>> IDP.  If Picketlink is ready, I could start implementing on top of it
>>> and/or contribute to the current effort you have on openshift.  Let me
>>> know.
>>>
>>> The current release's experience is a bit limited because you're lacking
>>> extra metadata that our own IDP could provide.
>>>
>>> My current vision on oauth clients is:
>>>
>>> * They must be registered
>>> * They are granted oauth and/or login permissions
>>> * If they are only granted oauth permissions, they must also have the
>>> set of roles that they are allowed to obtain from a user
>>>
>>> Code:
>>>
>>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-key-idm
>>>
>>> On 1/24/2013 7:24 PM, Anil Saldhana wrote:
>>>> Fabulous news. Will provide feedback.
>>>>
>>>> On Jan 24, 2013, at 4:43 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>>> http://bill.burkecentral.com/2013/01/24/resteasy-3-0-beta-2-released-with-new-oauth-2-0-features/
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>> _______________________________________________
>>>>> security-dev mailing list
>>>>> security-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
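The grant-type policy described in the thread (registered clients, "oauth" and/or "login" permissions, a bounded set of roles a client may obtain from a user, and only the authorization code and client credentials grants served, with implicit and password grants refused) is sketched below as an added example. It is not Resteasy's or Picketlink's code: the client ids, secrets, user names and role names are constructed, and the role-scoping rule is one reading of the message, not a description of how skeleton-key-idm implements it.

```python
"""Grant-type policy for a small OAuth2 server (constructed example, not Resteasy code).

Models the restrictions discussed in the thread: clients must be registered,
hold "oauth" and/or "login" permission, and may only obtain a bounded set of
roles from a user. Only the authorization code and client credentials grants
are served; implicit (response_type=token) and password grants are refused.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    secret_hash: str            # sha256 hex digest of the client secret
    permissions: frozenset      # subset of {"oauth", "login"}
    own_roles: frozenset        # roles the client holds in its own right
    delegated_roles: frozenset  # roles it may obtain on behalf of a user


class OAuthError(Exception):
    """Carries an RFC 6749 error code (section 5.2 / 4.1.2.1)."""
    def __init__(self, error: str):
        super().__init__(error)
        self.error = error


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed registry: hypothetical client ids, secrets and roles.
CLIENTS = {
    "reports-app": RegisteredClient(
        "reports-app", _hash("reports-secret"),
        frozenset({"oauth"}), frozenset({"reporter"}), frozenset({"reader"})),
    "ui-only": RegisteredClient(
        "ui-only", _hash("ui-secret"),
        frozenset({"login"}), frozenset(), frozenset()),
}

# Issued authorization codes: code -> (client_id, user, user_roles). Single use.
AUTH_CODES: dict = {}

# Only the two grants the message says are supported.
SUPPORTED_GRANTS = frozenset({"authorization_code", "client_credentials"})


def authorize(client_id: str, response_type: str, user: str, user_roles: frozenset) -> str:
    """Authorization endpoint: hand out a code for an already-authenticated user."""
    if response_type != "code":            # "token" is the implicit grant; refused
        raise OAuthError("unsupported_response_type")
    client = CLIENTS.get(client_id)
    if client is None or "oauth" not in client.permissions:
        raise OAuthError("unauthorized_client")
    code = secrets.token_urlsafe(16)
    AUTH_CODES[code] = (client_id, user, frozenset(user_roles))
    return code


def authenticate_client(client_id: str, client_secret: str) -> RegisteredClient:
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client.secret_hash, _hash(client_secret)):
        raise OAuthError("invalid_client")
    return client


def issue_token(params: dict) -> dict:
    """Token endpoint: params are the form fields of the token request."""
    grant = params.get("grant_type")
    if grant not in SUPPORTED_GRANTS:      # e.g. "password" is refused here
        raise OAuthError("unsupported_grant_type")
    client = authenticate_client(params.get("client_id", ""), params.get("client_secret", ""))
    if "oauth" not in client.permissions:   # a login-only client gets no tokens
        raise OAuthError("unauthorized_client")
    if grant == "client_credentials":
        # The token represents the client itself, carrying only its own roles.
        sub, roles = client.client_id, client.own_roles
    else:
        entry = AUTH_CODES.pop(params.get("code", ""), None)   # single use
        if entry is None or entry[0] != client.client_id:
            raise OAuthError("invalid_grant")
        _, sub, user_roles = entry
        # A user token never carries more than the client was registered to obtain.
        roles = user_roles & client.delegated_roles
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "sub": sub, "roles": sorted(roles)}


def rejection(fn, *args):
    """Return the OAuth error code fn raises for args, or None if it succeeds."""
    try:
        fn(*args)
    except OAuthError as exc:
        return exc.error
    return None


if __name__ == "__main__":
    code = authorize("reports-app", "code", "alice", frozenset({"reader", "admin"}))
    print(issue_token({"grant_type": "authorization_code", "code": code,
                       "client_id": "reports-app", "client_secret": "reports-secret"}))
```

The intersection `user_roles & client.delegated_roles` is the point of the third bullet in the quoted message: a user who holds "admin" still yields a token with only "reader" when the client was registered for nothing more, so a compromised client cannot escalate past its registration.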

