cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: OAuth client and server demos
Date Wed, 18 Aug 2010 13:17:39 GMT
Hi Łukasz

2010/8/16 Łukasz Moreń <lukasz.moren@gmail.com>

> Hi,
>
> I've made changes in demo according to your comments.
>

thanks.


> I will do 'gsoc' tag on my branch to distinguish current gsoc work from
> future changes, as today is 'firm pencil down' date.
>
> ok.


> I would like to do additional changes in oauth module.
>

nice :-).


> Access token should be connected with some kind of 'scope' that specifies
> a range of  resources it allows to access or operations to invoke.
>
> For example in RestEasy implementation access token is associated with set
> of principal roles.
> If there is valid access token in the request, oauth filter set user roles
> associated with token to ServletRequest and let pass it further.
>
> I'm wondering how it can be done in cxf. I would appreciate some help on
> that.
>
>
Believe it or not but I've changed all that as part of the work I've been
doing recently.
Specifically, I've removed the association of roles & principal with access
tokens.
Instead I've introduced permissions which is really what can be requested by
a consumer and publicly
shown to the end user, example, "Are you ok with letting 3rd party consumer
"doSomething" with your resources" ?. where "doSometing" can be pretty much
any expression like "updateYourAlbom", etc, while roles could be "user",
etc.

It is then a job of filters/login modules/etc to convert permissions into
the actual roles, as well as retrieve an authenticated Principal.

I've also added "scopes" which are URIs, which I 'borrowed' from the Google
docs. Example, a consumer may request a permission to "doSomething" at
http://bar. If authorized it can access http://bar, http://bar/1,
http://bar/2

Does it help ? Any comments ?

cheers, Sergey


Cheers,
> Lukasz
>
> 2010/8/14 Łukasz Moreń <lukasz.moren@gmail.com>
>
> > Hi Sergey,
> >
> > Thanks for feedback. More comments below.
> >
> > 2010/8/13 Sergey Beryozkin <sberyozkin@gmail.com>
> >
> >> Hi Lucasz
> >>
> >>
> >> 2010/8/13 Łukasz Moreń <lukasz.moren@gmail.com>
> >>
> >> > Hi Sergey,
> >> >
> >> > I've added some improvements to demo and protocol implementation.
> >> > I hope this time build will be fine.
> >> >
> >> >
> >> I've had no problems building this time. Thanks for sorting the build
> >> issues
> >> out.
> >> The only minor hitch is that I had to add
> >> <relativePath>../../pom.xml</relativePath>
> >> to both oauth client & server demo modules in order to build them. Not
> >> sure
> >> if I could've built them by running
> >> 'mvn install' from  samples directly (in
> distribution/target/.../samples)
> >> given that we also have to use -Pspring3. Not a big issue - please
> recheck
> >> just in case...
> >>
> >
> > Yes, I think I need to add relativePath to pom.
> >
> >
> >>
> >> So I've started server and client web apps and run the demo easily. So
> >> it's
> >> all nearly there, and IMHO the project is in a good shape, as far as
> GSOC
> >> is
> >> concerned. Hopefully you can continue on preparing it to the move to the
> >> trunk :-)
> >>
> >> Here're some comments to the existing demo - see if you could do
> anything
> >> till 16th, if not then it can be dealt with later on.
> >>
> >>
> > I will try do to as much as possible till 16-th. There is still plenty to
> > do as I see from your commnets and
> > myself so missing things I will add later.
> >
> >
> >
> >> The client registration form requires a user to register a callback URI.
> >> But
> >> I understand that a callback URI is only provided by a client, when
> >> requesting a temp/request token ? That said, requiring what I'd call a
> >> 'connect' or "reply-to" URI registered during the (secure) client
> >> registration process may help with enforcing that the actual callback
> URI
> >> provided by the client *matches* the one provided at the registration,
> >> using
> >> a startsWith function. I've seen it in the Facebook docs and I also did
> >> something similar in my own project - is this the idea ?
> >>
> > If yes - then please check it's a startsWith check that is used - but
> also
> >
> > consider making providing a callback URI optional at the client
> >> registration
> >
> > time
> >
> >
> > Yes, i used it for that reason. It can be jus passed with request token
> > request. All current OAuth 1.0 servers I've seen need to preregister
> > callback URI,
> > and as you said they check if both uri matches.
> > There is also possibility to pass 'oob' (out of band) value as callback
> URI
> > which means has been established via other means,
> > so then server use preregistered value. However I think this option is
> used
> > in case of native apps.
> >  .
> >
> >> The other thing is that a client key is also generated. This is probably
> >> correct but I'm wondering would it make sense to let the consumer
> register
> >> its own key but the authorization server to only generate the shared
> >> secret.
> >> Consumer might also want to optionally provide its description such as
> >> "OAuth 1.0 client" as in the demo, etc.  This might make it a bit
> simpler
> >> for a client (i.e, it will only have to manage a shared secret).
> >>
> >
> > Yes I think it makes sense. So far consumer key is just hash from
> > application name and user who registers consumer.
> >
> >
> >
> >> In a client webapp a PLAINTEXT option is offered - is it OAuth 2.0 like
> >> thing where HTTPS is assumed ? I'd just consider removing this option
> and
> >> have only hmac-sha1 left.
> >>
> >
> > I think it's something similar, however there is no signatures in OAuth
> 2.0
> > and  access_token is assumed to be short lived,
> > ideally one per request, issuing new tokens is done by refresh_token
> > parameter.
> >
> >
> >> This is probably it so far. I'm not very excited about JSPs being used
> in
> >> the demo :-) but I guess it is not too bad and shows something that many
> >> people would consider doing in practice.
> >>
> >
> > I was not sure about using JSP's neither:), but I wanted to show
> basically
> > how oauth could be added to existing apps
> >  and hadn't other idea how to replace them.
> >
> >
> >>
> >> Overall it is a really good effort toward helping CXF users to
> >> start/experiment with OAuth.
> >>
> >
> >
> > Cheers,
> > Lukasz
> >
> >
> >
> >>
> >> Thanks
> >>
> >> Sergey
> >>
> >>
> >> Cheers,
> >> > Lukasz
> >> >
> >> > 2010/8/13 Sergey Beryozkin <sberyozkin@gmail.com>
> >> >
> >> > > Hi Łukasz
> >> > >
> >> > > I can see the merges flowing :-), I'll be reviewing your work
> tonight;
> >> > >
> >> > > to the list : we've exchanged few private emails to do with build
> >> issues
> >> > I
> >> > > was encountering and Łukasz
> >> > >  addressed them fast; we also agreed that for the initial phase
> making
> >> a
> >> > > demo easy to understand and build upon was the main goal...
> >> > >
> >> > > cheers, Sergey
> >> > >
> >> > > 2010/8/5 Sergey Beryozkin <sberyozkin@gmail.com>
> >> > >
> >> > > > Hi Łukasz
> >> > > >
> >> > > > can you please fix checkstyle errors in the demo...
> >> > > > Re the callback uri : I think one of the providers on the server
> is
> >> > > > configured with the callback URI
> >> > > >
> >> > > > thanks, Sergey
> >> > > >
> >> > > >
> >> > > > 2010/8/2 Łukasz Moreń <lukasz.moren@gmail.com>
> >> > > >
> >> > > > >
> >> > > >> > Please update the demo so that the consume
> >> > > >>
> >> > > >> registers itself, plus supplies a callback itself with a
request
> >> token
> >> > > >> >  request
> >> > > >>
> >> > > >>
> >> > > >> callback url is passed in this request, however this request
is
> >> done
> >> > in
> >> > > >> backend through URLConnection so it's not visible at UI.
> >> > > >>
> >> > > >> Cheers, Lukasz
> >> > > >>
> >> > > >> W dniu 2 sierpnia 2010 13:36 użytkownik Łukasz Moreń <
> >> > > >> lukasz.moren@gmail.com
> >> > > >> > napisał:
> >> > > >>
> >> > > >> > Hi,
> >> > > >> > I've committed changes I've made:
> >> > > >> > - added possibility to register new OAuth client applications
> at
> >> > OAuth
> >> > > >> > server
> >> > > >> > - OAuth demos moved to distribution\src\main\samples\
> >> > > >> > - added README to OAuth demos
> >> > > >> > - fixes in pom.xml files
> >> > > >> >
> >> > > >> >  - fix the checkstyle errors and move the demo to the
> >> > > >> >
> >> > > >> > ""distribution/src/main/release/samples/"" area and
also add
> >> Readme;
> >> > > >> after
> >> > > >> >
> >> > > >> > building the distribution (mvn install in trunk/distribution)
> you
> >> > can
> >> > > >> >> easily
> >> > > >> >
> >> > > >> > verify the demo can be run by locating in the target.
> >> > > >> >
> >> > > >> >
> >> > > >> > fixed that, and added readme
> >> > > >> >
> >> > > >> >
> >> > > >> >> - add the oauth dependency in the parent pom so
that the
> >> rs/oauth
> >> > > >> module
> >> > > >> >> can
> >> > > >> >
> >> > > >> > depend on it without specifying a version and have the
demo
> >> client
> >> > > >> module
> >> > > >> >
> >> > > >> > depending on rt/rs/oauth module instead (similarly to
the
> server
> >> > one)
> >> > > >> >
> >> > > >> >
> >> > > >> > done, hovewer demo client don't need to depend on rt/rs/oauth
> as
> >> it
> >> > > >> doesn't
> >> > > >> > use cxf functionality, just on oauth libraries
> >> > > >> >
> >> > > >> >
> >> > > >> >> - during the main build please use the Spring version
CXF
> >> depends
> >> > > upon
> >> > > >> and
> >> > > >> >
> >> > > >> > use its -Pspring3 profile to build for the deployment
into GAE
> >> > > >> >
> >> > > >> >
> >> > > >> > changed, both client and server demos needs to be build
with
> >> > -Pspring3
> >> > > >> for
> >> > > >> > local jetty run and GAE as well.
> >> > > >> > Otherwise I would need use different spring config files
for
> >> spring
> >> > > 2.5
> >> > > >> and
> >> > > >> > 3.0.x
> >> > > >> >
> >> > > >> > Cheers, Lukasz
> >> > > >> >
> >> > > >> > W dniu 29 lipca 2010 21:15 użytkownik Sergey Beryozkin
<
> >> > > >> > sberyozkin@gmail.com> napisał:
> >> > > >> >
> >> > > >> > Hi
> >> > > >> >>
> >> > > >> >> 2010/7/29 Łukasz Moreń <lukasz.moren@gmail.com>
> >> > > >> >>
> >> > > >> >> > Hi,
> >> > > >> >> >
> >> > > >> >> > I'm still working on refactoring and changes
in demo you
> >> > suggested.
> >> > > >> >> > I will likely update it tomorrow.
> >> > > >> >> >
> >> > > >> >> > I'll likely ask for some modifications but
perhaps if you
> >> could
> >> > > start
> >> > > >> >> with
> >> > > >> >> > > updating the demo
> >> > > >> >> >
> >> > > >> >> > such that a consumer initiates its own registration
with the
> >> > OAuth
> >> > > >> >> server.
> >> > > >> >> >
> >> > > >> >> >
> >> > > >> >> > I'm going to put high effort on my GSoC project
next weeks.
> I
> >> > would
> >> > > >> >> really
> >> > > >> >> > appreciate,
> >> > > >> >> > if you would have some more modifications
> requests/directions
> >> > which
> >> > > >> >> project
> >> > > >> >> > should go, as you have limited time next week
> >> > > >> >> > and current changes will not take long.
> >> > > >> >> >
> >> > > >> >> > From what I'm seeing, I need to cover spec
with code,
> simplify
> >> > > >> >> > configuration
> >> > > >> >> > and do more testing.
> >> > > >> >> >
> >> > > >> >> >
> >> > > >> >> I have to sign off now...Please update the demo
so that the
> >> > consumer
> >> > > >> >> registers itself, plus supplies a callback itself
with a
> request
> >> > > token
> >> > > >> >> request, add README and it would let users start
> experimenting.
> >> > IMHO
> >> > > >> the
> >> > > >> >> initial phase can be considered complete once there's
a demo
> >> there
> >> > > >> which
> >> > > >> >> can
> >> > > >> >> show users what they need to do.
> >> > > >> >>
> >> > > >> >> We can then discuss things further
> >> > > >> >>
> >> > > >> >> cheers, Sergey
> >> > > >> >>
> >> > > >> >>
> >> > > >> >>
> >> > > >> >> > Cheers,
> >> > > >> >> > Lukasz
> >> > > >> >> >
> >> > > >> >> > 2010/7/29 Daniel Kulp <dkulp@apache.org>
> >> > > >> >> >
> >> > > >> >> > >
> >> > > >> >> > > You probably just need to change your
deps to:
> >> > > >> >> > >
> >> > > >> >> > > geronimo-servlet_3.0_spec
> >> > > >> >> > >
> >> > > >> >> > >
> >> > > >> >> > > Dan
> >> > > >> >> > >
> >> > > >> >> > >
> >> > > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey
Beryozkin
> wrote:
> >> > > >> >> > > > Hi Lucasz
> >> > > >> >> > > >
> >> > > >> >> > > > I can't build the oauth sandbox project,
seeing
> >> > > >> >> > > > [ERROR] FATAL ERROR
> >> > > >> >> > > > [INFO]
> >> > > >> >> > > >
> >> > > >> >> >
> >> > > >>
> >> >
> ------------------------------------------------------------------------
> >> > > >> >> > > > [INFO] Error building POM (may not
be this project's
> POM).
> >> > > >> >> > > >
> >> > > >> >> > > >
> >> > > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> >> > > >> >> > > > POM Location:
> >> > > >> >> > > >
> >> > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >> > > >> >> > > > Validation Messages:
> >> > > >> >> > > >
> >> > > >> >> > > >     [0]  'dependencies.dependency.version'
is missing
> for
> >> > > >> >> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> >> > > >> >> > > >
> >> > > >> >> > > >
> >> > > >> >> > > > Reason: Failed to validate POM for
project
> >> > > >> >> > org.apache.cxf:cxf-rt-rs-oauth
> >> > > >> >> > > > at
> >> > > >> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >> > > >> >> > > >
> >> > > >> >> > > > so I can not review the latest merge,
sorry. I could've
> >> tried
> >> > > to
> >> > > >> fix
> >> > > >> >> > this
> >> > > >> >> > > > issue but I'm not sure if you're
finished with the
> >> > refactoring
> >> > > >> just
> >> > > >> >> > yet.
> >> > > >> >> > > > I'll be travelling tomorrow and I'll
have some very
> >> limited
> >> > > time
> >> > > >> >> during
> >> > > >> >> > > the
> >> > > >> >> > > > evenings next week but I'll try to
provide some feedback
> >> at
> >> > > least
> >> > > >> >> > > >
> >> > > >> >> > > > cheers, Sergey
> >> > > >> >> > > >
> >> > > >> >> > > >
> >> > > >> >> > > > 2010/7/26 Sergey Beryozkin <sberyozkin@gmail.com>
> >> > > >> >> > > >
> >> > > >> >> > > > > Hi Łukasz
> >> > > >> >> > > > >
> >> > > >> >> > > > > 2010/7/26 Łukasz Moreń <lukasz.moren@gmail.com>
> >> > > >> >> > > > >
> >> > > >> >> > > > > Hi Sergey,
> >> > > >> >> > > > >
> >> > > >> >> > > > >> I'm really sorry for such
commit, I know it shouldn't
> >> > > happen.
> >> > > >> I
> >> > > >> >> > turned
> >> > > >> >> > > > >> off checkstyle as i couldn't
configure it properly on
> >> > > intellij
> >> > > >> >> and
> >> > > >> >> > it
> >> > > >> >> > > > >> was annoying during development.
> >> > > >> >> > > > >> I will apply proper changes
ASAP.
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> no worries at all, I've
broken the real builds with
> >> > > checkstyle
> >> > > >> >> > errors
> >> > > >> >> > > so
> >> > > >> >> > > > >
> >> > > >> >> > > > > many times and it is the CXF
sandbox after :-)
> >> > > >> >> > > > >
> >> > > >> >> > > > >> According to the demo, I
built it as usual web-app,
> if
> >> it
> >> > > >> worked,
> >> > > >> >> > use
> >> > > >> >> > > > >> this same sources to deploy
on GAE.
> >> > > >> >> > > > >> However because of GAE restrictions
it always needs
> >> minor
> >> > > >> changes
> >> > > >> >> > > > >> before deploy, i.e. GAE
can't read configuration
> files
> >> > such
> >> > > >> as:
> >> > > >> >> > > > >> cxf-extension-http.xml
> >> > > >> >> > > > >> from jars, so I copied it
to WEB-INF folder.
> >> > > >> >> > > > >> Commited to svn version
does not depend on GAE SDK
> and
> >> can
> >> > > be
> >> > > >> run
> >> > > >> >> > > > >> locally with jetty:run.
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> Yes, I warned about server
configuration part:). I
> will
> >> > take
> >> > > >> care
> >> > > >> >> to
> >> > > >> >> > > > >> make it simpler.
> >> > > >> >> > > > >
> >> > > >> >> > > > > I do not think it is too complicated
- the
> >> simplification
> >> > can
> >> > > >> be
> >> > > >> >> done
> >> > > >> >> > > > > once the whole flow is sound...
> >> > > >> >> > > > >
> >> > > >> >> > > > >> So far, oauth consumer properties
are hardcoded and
> >> > injected
> >> > > >> into
> >> > > >> >> > > > >> oauth provider, as I think
it is not oauth library
> >> > > >> responsibility
> >> > > >> >> to
> >> > > >> >> > > > >> deal with consumer registration.
> >> > > >> >> > > > >> Hovewer for demo it would
be good to have something
> >> like
> >> > > that.
> >> > > >> I
> >> > > >> >> > would
> >> > > >> >> > > > >> do registration form at
the server as it is done by
> >> > current
> >> > > >> big
> >> > > >> >> > oauth
> >> > > >> >> > > > >> implementations.
> >> > > >> >> > > > >
> >> > > >> >> > > > > I agree that conceptually the
registration of
> consumers
> >> is
> >> > a
> >> > > >> >> separate
> >> > > >> >> > > > > issue. But it is part of the
solution that users will
> be
> >> > > >> >> eventually
> >> > > >> >> > > > > offering so just showing them
that the consumers have
> to
> >> go
> >> > > and
> >> > > >> >> > > register
> >> > > >> >> > > > > themselves with help people
with coming up with some
> >> custom
> >> > > >> >> > > registration
> >> > > >> >> > > > > forms, etc. The registration
does not have to be done
> at
> >> > the
> >> > > >> >> server
> >> > > >> >> > > > > hosting the resource, it is
just important for the
> OAuth
> >> > > >> provider
> >> > > >> >> be
> >> > > >> >> > > > > able to get to the consumer
details. I'm fine with
> >> assuming
> >> > > at
> >> > > >> the
> >> > > >> >> > > > > moment that the registration
handler is collocated
> with
> >> the
> >> > > >> >> > > > > endpoints/providers enforcing
OAuth flow.
> >> > > >> >> > > > >
> >> > > >> >> > > > > But the callback uri which is
being injected at the
> >> moment
> >> > > >> should
> >> > > >> >> go
> >> > > >> >> > > > > anyway given that it is part
of the actual flow,
> >> > > specifically,
> >> > > >> the
> >> > > >> >> > > > > consumer provides it during
the request token request
> >> > > >> >> > > > >
> >> > > >> >> > > > >> Recently I've noticed that
Camel have done oauth
> client
> >> as
> >> > > >> >> well:):
> >> > > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> Thanks much for review,
and hints.
> >> > > >> >> > > > >
> >> > > >> >> > > > > thanks for your effort :-)
> >> > > >> >> > > > >
> >> > > >> >> > > > > Sergey
> >> > > >> >> > > > >
> >> > > >> >> > > > >> Cheers,
> >> > > >> >> > > > >> Lukasz
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> 2010/7/24 Sergey Beryozkin
<sberyozkin@gmail.com>:
> >> > > >> >> > > > >> > Hi Łukasz
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > Sorry for a delay,
 I should've come back earlier
> to
> >> > you.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > I've run the demo hosted
at the app engine and I
> >> think
> >> > > from
> >> > > >> the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> education
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > point of view it is
a good demo and it is handy one
> >> does
> >> > > not
> >> > > >> >> even
> >> > > >> >> > > has
> >> > > >> >> > > > >> > to build anything in
order to try it.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > I've had a problem
building the rt/rs/oauth tests -
> >> > > there's
> >> > > >> a
> >> > > >> >> > bunch
> >> > > >> >> > > of
> >> > > >> >> > > > >> > CheckStyle errors.
Can you please build
> >> > sandbox/oauth_1.0a
> >> > > >> from
> >> > > >> >> > the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> trunk,
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > just do 'mvn install
-Pfastinstall' and then do
> 'mvn
> >> > > >> install'
> >> > > >> >> from
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> rt/rs/ ?
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > One other thing, please
move the demo to
> >> > > >> >> > > > >> > "distribution/src/main/release/samples/"
as well
> add
> >> > > Readme
> >> > > >> to
> >> > > >> >> it.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > Also I can not build
the demo too, the client build
> >> > fails
> >> > > >> with
> >> > > >> >> the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> following
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > dependency missing
> >> > > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > But I'm seeing an oauth
repo in the rt/rs/oauth
> pom,
> >> > have
> >> > > >> you
> >> > > >> >> > built
> >> > > >> >> > > it
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> in
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > the GAE dev environment
?
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > Can you please spend
a bit of time on cleaning the
> >> build
> >> > a
> >> > > >> bit
> >> > > >> >> :
> >> > > >> >> > > > >> > - fix the checkstyle
errors and move the demo to
> the
> >> > > >> >> > > > >> > ""distribution/src/main/release/samples/""
area and
> >> also
> >> > > add
> >> > > >> >> > Readme;
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> after
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > building the distribution
(mvn install in
> >> > > >> trunk/distribution)
> >> > > >> >> you
> >> > > >> >> > > can
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> easily
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > verify the demo can
be run by locating in the
> target.
> >> > > >> >> > > > >> > - add the oauth dependency
in the parent pom so
> that
> >> the
> >> > > >> >> rs/oauth
> >> > > >> >> > > > >> > module
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> can
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > depend on it without
specifying a version and have
> >> the
> >> > > demo
> >> > > >> >> client
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> module
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > depending on rt/rs/oauth
module instead (similarly
> to
> >> > the
> >> > > >> >> server
> >> > > >> >> > > one)
> >> > > >> >> > > > >> > - during the main build
please use the Spring
> version
> >> > CXF
> >> > > >> >> depends
> >> > > >> >> > > upon
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> and
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > use its -Pspring3 profile
to build for the
> deployment
> >> > into
> >> > > >> GAE
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > As far as the demo
is concerned. I looked at the
> >> server
> >> > > part
> >> > > >> >> and
> >> > > >> >> > it
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> looks
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > complicated enough
:-) but I think it makes sense
> to
> >> me.
> >> > > >> I'll
> >> > > >> >> > likely
> >> > > >> >> > > > >> > ask
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> for
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > some modifications
but perhaps if you could start
> >> with
> >> > > >> updating
> >> > > >> >> > the
> >> > > >> >> > > > >> > demo such that a consumer
initiates its own
> >> registration
> >> > > >> with
> >> > > >> >> the
> >> > > >> >> > > > >> > OAuth
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> server :
> >> > > >> >> > > > >> > I can see at the moment
an oauth provider is
> injected
> >> > with
> >> > > >> some
> >> > > >> >> > > sample
> >> > > >> >> > > > >> > consumer properties.
I'm not sure what is the best
> >> way
> >> > to
> >> > > do
> >> > > >> it
> >> > > >> >> :
> >> > > >> >> > > may
> >> > > >> >> > > > >> > be
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > server can return a
registration form or the client
> >> can
> >> > > just
> >> > > >> >> push
> >> > > >> >> > > the
> >> > > >> >> > > > >> > registration info itself.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > Overall I think it
is a good progress indeed
> >> especially
> >> > > >> given
> >> > > >> >> the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> complexity
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > of the whole effort.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > thanks, Sergey
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > On Wed, Jul 14, 2010
at 10:14 PM, Łukasz Moreń <
> >> > > >> >> > > lukasz.moren@gmail.com
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> >wrote:
> >> > > >> >> > > > >> >> Hi all,
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> I have managed
to create two sample OAuth
> >> aplications:
> >> > > >> >> > > > >> >> ordinary OAuth
1.0a client:
> >> > > >> >> http://www.oauthclient.appspot.com
> >> > > >> >> > > > >> >> and authorization
server that uses CXF OAuth
> module:
> >> > > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> Both sample applications
and changes in oauth
> >> library
> >> > are
> >> > > >> >> > commited
> >> > > >> >> > > in
> >> > > >> >> > > > >> >> sandbox.
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> OAuth configuration
in sample authorization server
> >> app
> >> > > >> looks a
> >> > > >> >> > bit
> >> > > >> >> > > > >> >> awfully but I think
most of that can be hidden and
> >> done
> >> > > out
> >> > > >> of
> >> > > >> >> > > band.
> >> > > >> >> > > > >> >> There is still
some areas in specification not
> >> covered
> >> > by
> >> > > >> >> > > > >> >> implementation,
so I would like to take care of
> that
> >> in
> >> > > >> next
> >> > > >> >> > steps.
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> Thanks in advance
for some feedback.
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> Cheers,
> >> > > >> >> > > > >> >> Lukasz
> >> > > >> >> > >
> >> > > >> >> > > --
> >> > > >> >> > > Daniel Kulp
> >> > > >> >> > > dkulp@apache.org
> >> > > >> >> > > http://dankulp.com/blog
> >> > > >> >> > >
> >> > > >> >> >
> >> > > >> >>
> >> > > >> >
> >> > > >> >
> >> > > >>
> >> > > >
> >> > > >
> >> > >
> >> >
> >>
> >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message