From: Sergey Beryozkin
To: CXF Dev
Date: Wed, 22 Feb 2012 17:50:40 +0000
Subject: Re: Initial OAuth 2.0 support for CXF 2.6.0

Hi,

I added some initial code here:

http://svn.apache.org/viewvc?rev=1292416&view=rev

now, the actual refactoring will start next :-). I think this code is not optimal mildly speaking :-), but I think we will tune it pretty quickly by building an authorization code flow demo against it...

Cheers, Sergey

On 20/02/12 17:52, Sergey Beryozkin wrote:
> Hi
>
> I've started working on the initial OAuth 2.0 support to be available in
> CXF 2.6.0 [1].
>
> We already provide OAuth 1.0 support starting from CXF 2.5.0 [2] - this
> has been continuously enhanced during the last few months and I think it
> is capable enough for users seeking to write OAuth 1.0 applications with
> CXF to be able to rely upon it.
>
> However OAuth 2.0 [3], is really going to hit the mainstream IMHO soon
> enough and we are already seeing some demand for the OAuth 2.0 support.
> Thus I've started prototyping the initial code to do with supporting the
> OAuth 2.0 Authorization Code Grant [3] and the simple bearer token [4];
> this combination is the closest to the OAuth 1.0 3-leg flow, further
> optimized by dropping the requirement to get a request token round trip.
>
> I'd like to keep the OAuth 1.0 code in 2.6.0 - there are quite a few
> OAuth 1.0 deployments out there and it would not surprise me if some
> users wanted to start with OAuth 1.0 given that it's well understood.
> Besides, despite OAuth 2.0 offering arguably a simpler alternative to
> the complete OAuth 1.0 flow, IMHO it is much more complex
> specification-wise. So I think we can see OAuth 1.0 being around for
> some time...
>
> The other thing I'd like to mention is the possibility of relying on the
> other OAuth 2.0 libraries such as Amber[5]. At the moment Amber has not
> been released yet. Personally I'll be open to reusing some of Amber's
> code or who knows even contributing back to the project, but at the
> moment I think it is simpler to prototype some base support within the
> CXF as opposed to trying to build it from the get go on the project code
> that has not been released yet. What is also important is that as far as
> CXF OAuth is concerned it is all about providing utility JAX-RS OAuth
> services with some additional utility support. The main complexity over
> time will come from the optional support for MAC or JWT tokens or say
> OpenId-Connect profiles. This is where we'd likely need some 'help' from
> the 3rd-party libraries.
>
>
> So for now I'm prototyping some code and hope to make the initial bits
> contributed in a week or so, maybe earlier...
>
> Comments are welcome
>
> Sergey
>
>
> [1] https://issues.apache.org/jira/browse/CXF-4112
> [2] http://cxf.apache.org/docs/jax-rs-oauth.html
> [3] http://tools.ietf.org/html/draft-ietf-oauth-v2-23
> [4] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17
> [5] http://incubator.apache.org/amber/

--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com