cxf-dev mailing list archives

From Łukasz Moreń <lukasz.mo...@gmail.com>
Subject Re: [GSOC] OAuth Resource Owner Authorization implementation
Date Fri, 25 Jun 2010 17:23:42 GMT
Hi,

Just wanted to drop a short note on my GSoC progress.
I am following your hints and implementing the next OAuth endpoints according
to the spec.
I have also started doing a demo CXF OAuth server implementation (I deploy it
on GAE) that helps me in testing and shows how to use the OAuth module.
I hope to commit changes next week.

Cheers,
Lukasz

2010/6/22 Sergey Beryozkin <sberyozkin@gmail.com>

> Hi
>
> On Mon, Jun 21, 2010 at 11:20 PM, Łukasz Moreń <lukasz.moren@gmail.com> wrote:
>
> > Hi,
> >
> > I'm going to implement the second OAuth endpoint, called Resource Owner
> > Authorization.
> > I will explain this endpoint briefly to make my question clearer.
> >
> > The client (third-party app) makes a request to the mentioned endpoint in
> > order to obtain approval for accessing the user's (resource owner's) resources.
> > Example request URI:
> >
> > https://www.server-with-cool-pictures.com/authorize?oauth_token=hh5s93j4hdidpola
> >
> > In response, the authorization server:
> > 1. requests the user (resource owner) to sign in using his username and
> > password,
> > 2. if successful, asks the user to approve granting the client (third-party
> > app) access to protected resources,
> > 3. redirects the resource owner to the client's callback URL with a unique
> > verification code (or displays it in case the callback URL is not provided).
> >
> > I am not sure what this endpoint implementation should look like. It
> > requires a UI to authenticate the user and confirm third-party app access,
> > so some generic solution is needed.
> > When the client makes a request on the Resource Owner Authorization URI with
> > oauth_token I can validate that request and redirect to the UI login page.
> > I don't know how, after the user actions (login and client confirmation), to
> > go back to my service and redirect to the client (third-party app) callback
> > URL with the generated validation code.
> >
> >
> The client starts by redirecting the end user to the Resource Owner
> Authorization (ROA) URI. So the endpoint dealing with the ROA URI has an
> end user's agent (browser, the client code) awaiting. Now, as you said, the
> end user will need to be presented with a consumer/request token
> authorization form.
>
> This form will need to have a URI pointing back to the server, to yet
> another endpoint, the ROA Confirmation URI, so that when the end user
> presses OK in his browser the server can get the confirmation. Once the
> server gets the confirmation it will just need to redirect the end user
> back to the consumer, using the callback URI the consumer provided earlier
> on. I've been using 303 in my own work but I was looking at OAuth 2.0
> recently and they use 302. You can set this status on the JAXRS Response,
> and the Location header to the callback URI.
>
> Hope it helps, Sergey
>
> > Any help on that?
> >
> > Cheers,
> > Lukasz Moren
> >
>
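
An added sketch of the two endpoints Sergey describes (the ROA URI serving the consent form, and a confirmation URI that issues the verification code and redirects the user to the consumer's callback with a 302 via the JAX-RS Response and Location header). It is written for this archive page and is not code from the CXF OAuth module; the RequestToken class, the in-memory TOKENS store, the "oob" marker for a missing callback and the consent-form markup are assumptions.

```java
import java.math.BigInteger;
import java.net.URI;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.*;
import javax.ws.rs.core.*;
// Resource Owner Authorization (ROA) endpoint plus the confirmation endpoint the
// consent form posts back to. RequestToken and TOKENS are assumptions for this sketch.
@Path("/")
public class AuthorizationResource {
    // State created when the consumer obtained its request token (including its oauth_callback).
    static class RequestToken { String consumer; String callback; String verifier; boolean authorized; }
    static final Map<String, RequestToken> TOKENS = new ConcurrentHashMap<>(); // constructed in-memory store
    private static final SecureRandom RNG = new SecureRandom();

    // Step 1: the consumer redirected the user here with oauth_token; show the consent form.
    @GET @Path("authorize") @Produces("text/html")
    public Response authorize(@QueryParam("oauth_token") String token, @Context SecurityContext sc) {
        RequestToken rt = TOKENS.get(token);
        if (rt == null || rt.authorized) {   // unknown or already-used token: refuse
            return Response.status(Response.Status.BAD_REQUEST).entity("invalid oauth_token").build();
        }
        if (sc.getUserPrincipal() == null) { // container login (form/BASIC) is assumed to run first
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Token is a known store key; rt.consumer should be HTML-escaped in a real form.
        String form = "<form method='post' action='authorize/confirm'>"
                + "<input type='hidden' name='oauth_token' value='" + token + "'/>"
                + "Allow " + rt.consumer + " to access your pictures? <input type='submit' value='OK'/></form>";
        return Response.ok(form).build();
    }

    // Steps 2 and 3: the user pressed OK; issue the verifier and send the user back to the consumer.
    @POST @Path("authorize/confirm")
    public Response confirm(@FormParam("oauth_token") String token, @Context SecurityContext sc) {
        RequestToken rt = TOKENS.get(token);
        if (rt == null || rt.authorized || sc.getUserPrincipal() == null) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        rt.verifier = new BigInteger(80, RNG).toString(32); // unpredictable verification code
        rt.authorized = true;                                // one approval per request token
        if ("oob".equals(rt.callback)) {                     // no callback URI: display the code instead
            return Response.ok("Enter this code in the application: " + rt.verifier, "text/plain").build();
        }
        // Redirect only to the callback the consumer supplied earlier, never to a URI taken from this request.
        URI target = UriBuilder.fromUri(rt.callback).queryParam("oauth_token", token)
                .queryParam("oauth_verifier", rt.verifier).build();
        return Response.status(302).location(target).build(); // 302 as in OAuth 2.0; seeOther(target) gives 303
    }
}
```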
