[security-dev] Resteasy 3.0-beta-2 released with OAuth2 support

Anil Saldhana Anil.Saldhana at redhat.com
Tue Feb 19 21:05:46 EST 2013


On 02/19/2013 11:36 AM, Bill Burke wrote:
> I don't have support for:
> * Implicit
> * Resource Owner Password Credentials Grant
>
> It only supports Access Code and Client Credentials Grants.  For good
> reason...
>
> "Implicit" is an optimization for *public*, insecure clients and not a
> protocol that should be promoted or supported by Resteasy or Picketlink,
> IMO.
I am unsure if the "implicit" use case implies insecurity. All it does is
avoid the intermediate authorization code grant step. It is useful for
JavaScript applications.

>
> Resteasy's "Client Credentials Grant" generates a token for *ANY*
> authenticated user, be it client or resource owner.  So, it could take
> the place of "Resource Owner Password Credentials Grant".  I could
> implement the "Resource Owner Password Credentials Grant" protocol very
> easily if required, but I just don't see the need for it right now.
It is typically used by mobile apps. Doing OAuth-style interaction in
native apps is just crazy.
I do not think it is useful for server-side hosted apps.

>
>
>
> On 2/19/2013 11:55 AM, Anil Saldhana wrote:
>> Bill,
>>      I am unsure whether the RESTEasy OAuth support has all the grant types:
>> https://docs.jboss.org/author/display/PLINK/OAuth+Theory
>>
>> I am looking here:
>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/resteasy-oauth/src/main/java/org/jboss/resteasy/auth/oauth
>>
>> Regards,
>> Anil
>>
>>
>> On 01/25/2013 08:21 AM, Bill Burke wrote:
>>> I need to write up how it works too.  I extended OAuth2 a tiny bit as
>>> well as JWT.  If you check out the code, you'll also see I started on an
>>> IDP.  If Picketlink is ready, I could start implementing on top of it
>>> and/or contribute to the current effort you have on openshift.  Let me
>>> know.
>>>
>>> The current release's experience is a bit limited because you're lacking
>>> extra metadata that our own IDP could provide.
>>>
>>> My current vision on oauth clients is:
>>>
>>> * They must be registered
>>> * They are granted oauth and/or login permissions
>>> * If they are only granted oauth permissions, they must also have the
>>> set of roles that they are allowed to obtain from a user
>>>
>>> Code:
>>>
>>> https://github.com/resteasy/Resteasy/tree/master/jaxrs/security/skeleton-key-idm
>>>
>>> On 1/24/2013 7:24 PM, Anil Saldhana wrote:
>>>> Fabulous news. Will provide feedback.
>>>>
>>>> On Jan 24, 2013, at 4:43 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>>> http://bill.burkecentral.com/2013/01/24/resteasy-3-0-beta-2-released-with-new-oauth-2-0-features/
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
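The thread above contrasts the grant types Resteasy supports (authorization code, client credentials) with the ones it omits (implicit, resource owner password credentials), and sketches client registration with a per-client set of obtainable roles. The following is an added example written for this page; it is not Resteasy, PicketLink or skeleton-key-idm code. It is a toy in-memory authorization server that issues tokens under all four grants so the differences are visible: in the implicit flow the access token itself is placed in the redirect URI fragment, where the user agent sees it; in the authorization code flow only a short-lived, single-use code crosses the front channel and the token is obtained on the back channel after the client authenticates, with the code checked against the client_id and redirect_uri it was issued for. The client and user registry, the role names, the redirect URIs and all function names are constructed assumptions for the illustration.

```python
"""Toy OAuth 2.0 authorization server (added example, not project code).

All clients, users, roles and URIs below are constructed for the illustration.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry: every client is registered up front, and "roles" is the
# set of roles the client is allowed to obtain from a user (hypothetical schema).
CLIENTS = {
    "web-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb",
                "public": False, "roles": {"user"}},
    "js-app":  {"secret": None, "redirect_uri": "https://spa.example/cb",
                "public": True, "roles": {"user"}},
}
USERS = {"alice": {"password": "pw", "roles": {"user", "admin"}}}

CODE_LIFETIME_SECONDS = 60


class AuthServer:
    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, roles, expiry)
        self.tokens = {}   # access token -> frozenset of roles

    def _issue(self, roles):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = frozenset(roles)
        return token

    def _grant_roles(self, client_id, username):
        # Roles in a user-derived token are capped by both what the client is
        # registered to obtain and what the user actually holds.
        return CLIENTS[client_id]["roles"] & USERS[username]["roles"]

    def authorize(self, client_id, redirect_uri, response_type, username):
        """Front-channel step; returns the URL the user agent is redirected to."""
        client = CLIENTS[client_id]
        if redirect_uri != client["redirect_uri"]:
            raise ValueError("redirect_uri is not the registered one")
        roles = self._grant_roles(client_id, username)
        if response_type == "code":
            # Authorization code grant: only an opaque, short-lived code is exposed.
            code = secrets.token_urlsafe(16)
            self.codes[code] = (client_id, redirect_uri, roles,
                                time.time() + CODE_LIFETIME_SECONDS)
            return redirect_uri + "?" + urlencode({"code": code})
        if response_type == "token":
            # Implicit grant: the access token itself rides in the fragment.
            return redirect_uri + "#" + urlencode(
                {"access_token": self._issue(roles), "token_type": "bearer"})
        raise ValueError("unsupported response_type")

    def token(self, grant_type, client_id, client_secret=None, **params):
        """Back-channel step; confidential clients must authenticate."""
        client = CLIENTS[client_id]
        if not client["public"] and client_secret != client["secret"]:
            raise PermissionError("client authentication failed")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)   # single use
            if entry is None:
                raise PermissionError("unknown or already-used code")
            code_client, code_redirect, roles, expiry = entry
            if code_client != client_id or code_redirect != params["redirect_uri"]:
                raise PermissionError("code was not issued to this client/redirect_uri")
            if time.time() > expiry:
                raise PermissionError("code expired")
            return self._issue(roles)
        if grant_type == "client_credentials":
            if client["public"]:
                raise PermissionError("client_credentials needs a confidential client")
            return self._issue(client["roles"])
        if grant_type == "password":
            user = USERS.get(params["username"])
            if user is None or user["password"] != params["password"]:
                raise PermissionError("bad resource owner credentials")
            return self._issue(self._grant_roles(client_id, params["username"]))
        raise ValueError("unsupported grant_type")


def roles_for(server, token):
    """Resource-server side: look up the roles a bearer token carries."""
    return server.tokens.get(token)


def code_flow(server, client_id="web-app", secret="s3cret", username="alice"):
    """Run the authorization code grant end to end and return the access token."""
    redirect = CLIENTS[client_id]["redirect_uri"]
    url = server.authorize(client_id, redirect, "code", username)
    code = parse_qs(urlsplit(url).query)["code"][0]
    return server.token("authorization_code", client_id, secret,
                        code=code, redirect_uri=redirect)


def implicit_flow(server, client_id="js-app", username="alice"):
    """Run the implicit grant; the token is read straight out of the fragment."""
    redirect = CLIENTS[client_id]["redirect_uri"]
    url = server.authorize(client_id, redirect, "token", username)
    return parse_qs(urlsplit(url).fragment)["access_token"][0]


def code_is_single_use(server):
    """True if a replayed authorization code is rejected."""
    redirect = CLIENTS["web-app"]["redirect_uri"]
    url = server.authorize("web-app", redirect, "code", "alice")
    code = parse_qs(urlsplit(url).query)["code"][0]
    server.token("authorization_code", "web-app", "s3cret",
                 code=code, redirect_uri=redirect)
    try:
        server.token("authorization_code", "web-app", "s3cret",
                     code=code, redirect_uri=redirect)
    except PermissionError:
        return True
    return False
```

Running `code_flow` and `implicit_flow` against one `AuthServer` gives tokens with the same roles; the difference is where the token was exposed on the way. Note that alice holds `admin`, but every token minted through `web-app` carries only `user`, because the client was registered to obtain only that role.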