oltu-dev mailing list archives

From Antonio Sanso <asa...@adobe.com>
Subject Amber's implementation goals/policy
Date Fri, 09 Dec 2011 10:06:57 GMT
Hi *,

I have a question/doubt about a Jira ticket I issued yesterday [0], and I hope this
list can help me address it correctly.
Now, as you can see from [0], it is about parts of the specification like:

state
        REQUIRED if the "state" parameter was present in the client
        authorization request.  The exact value received from the
        client.

Now IMHO there are two distinct ways a "library" can address it:

a) provide the API, namely OAuthAuthorizationResponseBuilder#setState, and "trust" that the
AMBER user will do the right thing, e.g. using the API in his implementation, as in [1]


OAuthResponse resp = OAuthASResponse
             .authorizationResponse(HttpServletResponse.SC_FOUND)
             .setCode(oauthIssuerImpl.authorizationCode())
             // echo back the exact "state" value received from the client
             .setState(request.getParameter("state"))
             .location(redirectURI)
             .buildQueryMessage();

b) integrate this "rule" in the AMBER "framework"

IMHO b) fits better with the description of AMBER provided, e.g. in the report: "....an unconditionally
compliant implementation".

I also think that the specification is full of cases like [0], and we need to set a clear
direction for where we would like to go (a) or b)?)

WDYT?

Regards

Antonio

[0] https://issues.apache.org/jira/browse/AMBER-45
[1] https://cwiki.apache.org/confluence/display/AMBER/OAuth+2.0+Authorization+Server
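
A sketch of what option b) from the message above could look like, added here as an illustration; it is not part of the original message and not Amber code. The class and method names (StateEchoExample, AuthzResponse, forRequest, locationUri) and the sample values are hypothetical, and a plain Map stands in for the servlet request so the example runs on its own.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical sketch of option b); none of these names are Amber's API.
public class StateEchoExample {

    /** Authorization response that can only be created from the request it answers. */
    static final class AuthzResponse {
        private final Map<String, String> params = new LinkedHashMap<>();
        private final String redirectUri;

        private AuthzResponse(String redirectUri) { this.redirectUri = redirectUri; }

        /** The framework copies "state" itself, so the caller cannot forget or alter it. */
        static AuthzResponse forRequest(Map<String, String> requestParams,
                                        String redirectUri, String code) {
            AuthzResponse r = new AuthzResponse(redirectUri);
            r.params.put("code", code);
            String state = requestParams.get("state");
            if (state != null) {              // REQUIRED only if the client sent it
                r.params.put("state", state); // exact value, no trimming or normalising
            }
            return r;
        }

        /** Builds the redirect target with form-encoded query parameters. */
        String locationUri() {
            StringBuilder sb = new StringBuilder(redirectUri);
            char sep = redirectUri.contains("?") ? '&' : '?';
            for (Map.Entry<String, String> e : params.entrySet()) {
                sb.append(sep).append(e.getKey()).append('=')
                  .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
                sep = '&';
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed sample authorization requests, one with "state" and one without.
        Map<String, String> withState = Map.of("response_type", "code", "state", "xyz 1/2");
        Map<String, String> noState = Map.of("response_type", "code");
        String cb = "https://client.example.com/cb";
        System.out.println(AuthzResponse.forRequest(withState, cb, "sample-code").locationUri());
        System.out.println(AuthzResponse.forRequest(noState, cb, "sample-code").locationUri());
    }
}
```

Because the only factory takes the request parameters, there is no code path in which the response is built without the framework having applied the "state" rule.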
