oltu-user mailing list archives

From Lukasz Moren <lukasz.mo...@gmail.com>
Subject Re: Token Persistence and Validation
Date Mon, 18 Apr 2011 09:05:05 GMT
On Tue, Apr 12, 2011 at 7:45 AM, Preeti Yarashi <preeti.yarashi@oracle.com> wrote:
Hi Preeti,
Sorry for the late answer, but I was travelling recently. Comments below.

> Hi,
>
> Does Amber provide any guidance or support for token (access/refresh)
> persistence and validation? I see that Amber libraries provide support for
> token generation but is there any support or guidance for
>
>    1. How an authorization server implementation persists tokens issued
>    and how does it validate (check for token match, expiry time, etc.) the
>    tokens passed in OAuth requests?
>    2. How an OAuth Client expects to persist tokens issued by the
>    authorization server?
>
>
Amber helps you only with handling/building OAuth-compliant requests and
responses. How to deal with token persistence and validation is
application-specific, and Amber does not have support for that. I think I saw
a post on Stack Overflow some time ago about best practices for building OAuth
authorization servers, but I couldn't find it now.

>
>    1.
>
> I saw that there are some validator packages
> (org.apache.amber.oauth2.as.validator,
> org.apache.amber.oauth2.client.validator,
> org.apache.amber.oauth2.rs.validator) in the library but it was unclear how
> this is expected to be used considering the library didn't seem to provide
> support for token persistence so what would the validation be done against?
> My initial impression was that it was used internally to validate the
> sanctity of OAuth authorization and token requests.
>

The Amber validator packages are used to assure request/response compliance
with the OAuth 2.0 protocol, so they don't validate whether the access token is
valid in the context of the authorization server.

Cheers,
Lukasz

>  regards,
> Preeti
>
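
The server-side checks asked about in this thread (token match, expiry time) are left to the application, so the following is an added sketch of one way to do them; it is not part of the original message and not Amber code. `TokenStore`, `Result` and `Entry` are hypothetical names, the in-memory map stands in for a database table, and Java 16+ is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical application-side store; none of these names come from Amber.
public class TokenStore {
    public enum Result { VALID, UNKNOWN, EXPIRED, INSUFFICIENT_SCOPE }
    private record Entry(String clientId, Set<String> scopes, Instant expiresAt) {}
    // Stand-in for a database table, keyed by the token's SHA-256 digest.
    private final Map<String, Entry> byHash = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    // Issue an opaque token; only its digest is persisted, never the token itself.
    public String issue(String clientId, Set<String> scopes, Instant expiresAt) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(hash(token), new Entry(clientId, Set.copyOf(scopes), expiresAt));
        return token;
    }

    // Server-side checks: token match, expiry time, granted scope.
    public Result validate(String token, String requiredScope, Instant now) {
        Entry e = byHash.get(hash(token));
        if (e == null) return Result.UNKNOWN;
        if (!now.isBefore(e.expiresAt())) return Result.EXPIRED;
        return e.scopes().contains(requiredScope) ? Result.VALID : Result.INSUFFICIENT_SCOPE;
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
    public static void main(String[] args) {
        TokenStore store = new TokenStore();
        Instant now = Instant.now();
        String t = store.issue("client-1", Set.of("read"), now.plusSeconds(3600)); // constructed sample values
        System.out.println(store.validate(t, "read", now));
        System.out.println(store.validate(t, "write", now));
        System.out.println(store.validate(t, "read", now.plusSeconds(7200)));
    }
}
```

Persisting only the digest means a leaked token table does not hand out usable bearer tokens; the same lookup serves the resource server once the request itself has passed protocol-level validation.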
