shiro-dev mailing list archives

From jleleu <>
Subject Re: Add OAuth support for Shiro
Date Mon, 09 Jul 2012 19:40:14 GMT
Hi Les,

Thanks for your feedback.

I do understand your concern about minimizing dependencies but for the OAuth
client part, I think that it's a good solution.
So I'd like to propose a solution to you: why not split the OAuth module into
two parts? shiro-oauth-client and shiro-oauth-server modules. As these
modules address very different goals, I wouldn't be surprised to have two
modules. Moreover, I'm not sure that it would be really possible to use the
same library for both usages.

About Scribe and ScribeUP :

I think that Scribe is a great library supporting OAuth 1.0 and 2.0
protocols with many providers. It's highly maintained and always improving.
If you know a better OAuth library, I'll be happy to take a look at it, but
I still believe Scribe is the best one.

But Scribe is "just" about OAuth protocol : authenticating a user is not
sufficient, you certainly want to know who he is : that's where ScribeUP
comes into play : it's built on top of Scribe to get user profile after
OAuth authentication (in a web oriented way). It's a huge work to get
profiles from providers and I spent a lot of time doing this : I didn't find
any library doing something similar. 8 providers (the most "famous" I hope)
are already available through ScribeUP.

When I started to develop OAuth client support for CAS project, the idea
popped out that the user profiles part could exist on its own and can be
reused for other libraries like Shiro. That is how ScribeUP was born.
Right now, cas-server-support-oauth module 3.5.0 is built on ScribeUP 1.0.0
and the next version will be built on ScribeUP v1.1.0 :
ScribeUP version 1.0.0 could really be improved and that's what I did in
version 1.1.0, the library is totally abstracted from Scribe and easier to
manipulate and initialize.

I'm not sure I understand the use case you have in mind for REST API. Is it
about OAuth *client* support?
IMHO, it's clear that the most wanted use case for OAuth client support is
the ability to create web applications for Facebook, Twitter... and for
that, my shiro-oauth(-client) module is totally appropriate.
That's exactly what the demo
intends to demonstrate.

Best regards,
