Return-Path: X-Original-To: apmail-oltu-dev-archive@www.apache.org Delivered-To: apmail-oltu-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 17613F3B7 for ; Mon, 25 Mar 2013 15:32:42 +0000 (UTC) Received: (qmail 40824 invoked by uid 500); 25 Mar 2013 15:32:42 -0000 Delivered-To: apmail-oltu-dev-archive@oltu.apache.org Received: (qmail 40764 invoked by uid 500); 25 Mar 2013 15:32:42 -0000 Mailing-List: contact dev-help@oltu.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@oltu.apache.org Delivered-To: mailing list dev@oltu.apache.org Received: (qmail 40755 invoked by uid 99); 25 Mar 2013 15:32:42 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Mar 2013 15:32:42 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of simone.tripodi@gmail.com designates 209.85.214.170 as permitted sender) Received: from [209.85.214.170] (HELO mail-ob0-f170.google.com) (209.85.214.170) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Mar 2013 15:32:36 +0000 Received: by mail-ob0-f170.google.com with SMTP id wc20so6177421obb.29 for ; Mon, 25 Mar 2013 08:32:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=KbFOspphf6CUnqTQOYmzgCR043ImKcCNS0yLxPpsRFk=; b=iikQgAPoqBYrociOkErQA6uER/wAnDgNPXtaNxO0hMswTAKCvloLV721grGxDvLTZo uG8K3yYctsDR1LRxocgMhpRcduNOlmNDA7P/M1ZlEJUCLKS0IHevVOQ/cKwliwnR2ge/ szHSB35iW4TSSXbqAQX/32M7Qy5HOKP06nABQGCuIYSLyDPO7JWxvdaOyeMaNKM4uJ3G mbbWO+Ng08g+hdrtui7ZmX/AKvaiAxS/3yTB5wj5f3mmTSihCm91QST2VFydS+53Yy1u iaak3owY8hwkk8F31k53ncVMwfknlvzNHq/2nvDBgtSfBCQYtgdGBkC/iLeXPVwJyvC2 0tSA== MIME-Version: 1.0 X-Received: by 10.182.66.41 with SMTP id c9mr224669obt.76.1364225535513; Mon, 25 Mar 2013 08:32:15 -0700 (PDT) Sender: simone.tripodi@gmail.com Received: by 10.60.28.234 with HTTP; Mon, 25 Mar 2013 08:32:15 -0700 (PDT) In-Reply-To: <78C1A0D1-01BD-4306-A32C-59F1E0F85B4E@innovation-district.com> References: <78C1A0D1-01BD-4306-A32C-59F1E0F85B4E@innovation-district.com> Date: Mon, 25 Mar 2013 16:32:15 +0100 X-Google-Sender-Auth: VypX4v7ltbTiXNMe-NL7FQMkDIg Message-ID: Subject: Re: Change in authorization server From: Simone Tripodi To: dev@oltu.apache.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org Hi Stein, good thought!!! Don't feel worried about breaking the amber backward-compatibility - which already is! :) - because after the package move they are not compatible anymore. So, if you need to override an existing class behaviour, just fill an issue and go ahead - keep up the good work! All the best, -Simo http://people.apache.org/~simonetripodi/ http://simonetripodi.livejournal.com/ http://twitter.com/simonetripodi http://www.99soft.org/ On Sun, Mar 24, 2013 at 2:35 PM, Stein Welberg wrote: > A slight adjustment: See inline. > > On 24 mrt. 2013, at 14:16, Stein Welberg = wrote: > >> Hi Guys, >> >> Since Simone made a good remark in the another thread (changing/updating= groupId/artifactId) that we are breaking Amber backwards-compatibility, I = would like to suggest another change. I would also like your opinion about = the way to implement it. >> >> Currently the Oltu Authorization server implementation is not spec compl= iant regarding the support for Basic Authentication (see OLTU-5 and OLTU-16= ). According to the spec section 2.1.3 [0] the authorization server must su= pport basic authentication. I am currently trying to figure out a way to su= pport both unauthenticated requests and authenticated requests (either usin= g basic authentication or not). The unauthenticated requests will not have = the client_secret parameter since they possibly don't have a client_secret. >> >> The current setup of the validators does not allow us to dynamically mak= e a param (e.g. the client_secret) required or optional based on some param= eter. The validators are added in the OAuthTokenRequest so this is the plac= e to create the distinction between an unauthenticated request an an authen= ticated request. Without doing a real big refactoring of the validators we = have two options to support both authenticated and unauthenticated requests= : >> >> 1. One way to do this is by creating another OAuthTokenRequest class tha= t accepts only authenticated requests (the OAuthAuthenticatedTokenRequest c= lass). The plain OAuthTokenRequest class then only handles unauthenticated = requests. > > Instead of creating a new class that handles authenticated token requests= , I would suggest to create a new class with the name OAuthnUnauthenticated= TokenRequest and change the behavior of the OAuthTokenRequest class to only= support authenticated requests. This also with regards to encourage sensib= le (secure) defaults. > > Regards, > Stein > >> >> 2. The second option is to use a boolean in the constructor of the OAuth= TokenRequest class to indicate whether we want Oltu to treat the request as= an authenticated request or not. I would suggest that we enforce authentic= ation by default and that adding the boolean to the constructor would make = it possible to also support unauthenticated requests (secure defaults). >> >> My preference goes to the first approach where we create a separate clas= s purely for authenticated requests since it creates more readable code. (c= ode with booleans in a method tend to get quite unreadable quickly!) >> >> I would like to have your opinions since this is quite a change in the A= PI for the developers that are going to use Oltu to create an authorization= server! >> >> Thanks. >> >> Regards, >> Stein >> >> [0] http://tools.ietf.org/html/rfc6749#section-2.3.1 >