Posted to dev@shindig.apache.org by Brian Eaton <be...@google.com> on 2010/08/12 09:08:12 UTC
OAuth WRAP client support in Shindig?
Hey folks -
I'm thinking about adding support for the OAuth WRAP protocol to Shindig.
OAuth WRAP was an early predecessor to OAuth 2. OAuth 2 is still a moving
target, but OAuth WRAP is final, and there are implementations in the wild.
The relevant shindig code is all in OAuthRequest.java. This is entirely
about outbound requests from Shindig, not inbound requests.
OAuth WRAP is fairly similar to the Scalable OAuth Extension, which is
already implemented in Shindig.
I'd only implement the web app profile of OAuth WRAP; that's the only
interesting one for gadgets.
I'd expect the OAuth WRAP code to move readily to OAuth 2 once OAuth 2 is
finalized. The web app profile has seen lots of parameter name changes, but
the basic protocol steps have been constant for a few months now.
The major functional gap between OAuth WRAP and OAuth2 is cryptographic
signing; there are many key OpenSocial features that won't work until we've
got a solid design for that. I'd expect OpenSocial to use one of the OAuth2
assertion profiles. At any rate, that work would not be done first.
Thoughts on this?
Cheers,
Brian
Re: OAuth WRAP client support in Shindig?
Posted by Bastian Hofmann <BH...@vz.net>.
I'm really not sure if it's worth it to start implementing WRAP as well, since it has been deprecated in favor of OAuth2 (http://wiki.oauth.net/OAuth-WRAP).
Maybe starting with the current OAuth2 spec draft and then adapting this once a new draft or the final spec is published would be the better way to go.
On a side note: we are currently planning on implementing inbound OAuth2 support into our forked php shindig here, which should be ready and committable to the shindig trunk sometime end of August.
Cheers
Bastian
On 12.08.2010 at 09:18, John Hjelmstad wrote:
> Generally sounds fine to me. A few thoughts:
>
> 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we
> require a separate OAuth2 code path?
>
> 2. The messaging I've generally heard is that OAuth2 will pretty much
> completely replace WRAP. In practice I doubt that will be the case in full,
> which could mean we're stuck supporting barely-used code. Thoughts on this?
>
> 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these
> days, ie. the value of supporting it for the code base?
>
> 4. How much new code do you expect in OAuthRequest, roughly? It seems that
> class is already getting quite large...
>
> --j
>
> On Thu, Aug 12, 2010 at 12:08 AM, Brian Eaton <be...@google.com> wrote:
>
>> Hey folks -
>>
>> I'm thinking about adding support for the OAuth WRAP protocol to Shindig.
>> OAuth WRAP was an early predecessor to OAuth 2. OAuth 2 is still a moving
>> target, but OAuth WRAP is final, and there are implementations in the wild.
>>
>> The relevant shindig code is all in OAuthRequest.java. This is entirely
>> about outbound requests from Shindig, not inbound requests.
>>
>> OAuth WRAP is fairly similar to the Scalable OAuth Extension, which is
>> already implemented in Shindig.
>>
>> I'd only implement the web app profile of OAuth WRAP; that's the only
>> interesting one for gadgets.
>>
>> I'd expect the OAuth WRAP code to move readily to OAuth 2 once OAuth 2 is
>> finalized. The web app profile has seen lots of parameter name changes, but
>> the basic protocol steps have been constant for a few months now.
>>
>> The major functional gap between OAuth WRAP and OAuth2 is cryptographic
>> signing; there are many key OpenSocial features that won't work until we've
>> got a solid design for that. I'd expect OpenSocial to use one of the OAuth2
>> assertion profiles. At any rate, that work would not be done first.
>>
>> Thoughts on this?
>>
>> Cheers,
>> Brian
>>
VZnet Netzwerke Ltd. || Saarbruecker Str. 38 || D - 10405 Berlin
Tel: +49 (30) 4050427 513
BHofmann@vz.net
http://www.studivz.net/bastian
www.studivz.net, www.meinvz.net, www.schuelervz.net
VZnet Netzwerke Limited, Registered Office Berlin, Registration Court Charlottenburg, HRB 101454
Executive Directors: Clemens Riedl, Thomas Baum
Non-Executive Directors: Dr. Michael Brockhaus, Martin Weber, Claas van Delden
Headquarters: VZnet Netzwerke Limited, 5 New Street Square, London EC4A 3TW, United Kingdom
Companies House Cardiff No. 5607971, Place of Registration: England and Wales
Re: OAuth WRAP client support in Shindig?
Posted by "jhon.li" <an...@gmail.com>.
Hey guys:
Do you have any information about Shindig supporting OAuth 2.0? Google
has now published its experimental implementation of OAuth 2.0; will Shindig
move to OAuth 2.0?
Any response is appreciated.
Re: OAuth WRAP client support in Shindig?
Posted by Pablo Graña <pa...@globant.com>.
+1 for OAuth 2.0.
On Thu, Aug 19, 2010 at 2:53 PM, Henry Saputra <he...@gmail.com> wrote:
> I am +1 for going with OAuth 2.0 instead of WRAP.
>
> Looks like the OAuth WRAP is deprecated in favor of OAuth 2.0:
> http://wiki.oauth.net/OAuth-WRAP so might as well spend good quality time
> adding support for OAuth 2.0.
>
> - Henry
>
> On Mon, Aug 16, 2010 at 7:40 AM, Mark D Weitzel <we...@us.ibm.com> wrote:
>
> > I'd like to see OpenSocial adopt OAuth 2.0 rather than WRAP. I'd go
> > further and say that a good target for this to happen is OpenSocial 1.1
> > next, which is tentatively scheduled for June/July 2011. This allows us to
> > start building out the implementation now, in shindig extras, and allow
> > that to be the prototype required by the OS dev. process. This also allows
> > the spec and the implementation to rely on an official standard.
> >
> > -Mark W.
> >
> >
> >
> > From:
> > Brian Eaton <be...@google.com>
> > To:
> > dev@shindig.apache.org
> > Date:
> > 08/13/2010 05:35 PM
> > Subject:
> > Re: OAuth WRAP client support in Shindig?
> >
> >
> >
> > On Thu, Aug 12, 2010 at 12:18 AM, John Hjelmstad <fa...@google.com> wrote:
> >
> > > Generally sounds fine to me. A few thoughts:
> > >
> > > 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we
> > > require a separate OAuth2 code path?
> > >
> >
> > I think that WRAP is a subset of OAuth2, plus some parameter changes. The
> > basic web server flow has seen no fundamental changes.
> >
> >
> > > 2. The messaging I've generally heard is that OAuth2 will pretty much
> > > completely replace WRAP. In practice I doubt that will be the case in full,
> > > which could mean we're stuck supporting barely-used code. Thoughts on this?
> > >
> >
> > Could happen.
> >
> > > 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these
> > > days, ie. the value of supporting it for the code base?
> > >
> >
> > Live at Microsoft, and at Google. Google is not widely documenting our WRAP
> > support. We needed it for a few particular use cases, and it is being
> > quietly used there.
> >
> >
> > > 4. How much new code do you expect in OAuthRequest, roughly? It seems that
> > > class is already getting quite large...
> >
> >
> > I think this is the big question.
> >
> > The other question is if/when OpenSocial will adopt the OAuth2 crypto
> > proposals. They've been dropped from the core spec due to lack of
> > consensus, but I think we did arrive at something that OpenSocial will want
> > some day.
> >
> > Cheers,
> > Brian
> >
> >
> >
>
--
Pablo Graña
Chief Architect
Globant
Arg Office: +54 (11) 4109 1743
UK Office: +44 (20) 7043 8269 int 8043
US Office: +1 (212) 400 7686 int 8043
Re: OAuth WRAP client support in Shindig?
Posted by Henry Saputra <he...@gmail.com>.
I am +1 for going with OAuth 2.0 instead of WRAP.
Looks like the OAuth WRAP is deprecated in favor of OAuth 2.0:
http://wiki.oauth.net/OAuth-WRAP so might as well spend good quality time
adding support for OAuth 2.0.
- Henry
On Mon, Aug 16, 2010 at 7:40 AM, Mark D Weitzel <we...@us.ibm.com> wrote:
> I'd like to see OpenSocial adopt OAuth 2.0 rather than WRAP. I'd go
> further and say that a good target for this to happen is OpenSocial 1.1
> next, which is tentatively scheduled for June/July 2011. This allows us to
> start building out the implementation now, in shindig extras, and allow
> that to be the prototype required by the OS dev. process. This also allows
> the spec and the implementation to rely on an official standard.
>
> -Mark W.
>
>
>
> From:
> Brian Eaton <be...@google.com>
> To:
> dev@shindig.apache.org
> Date:
> 08/13/2010 05:35 PM
> Subject:
> Re: OAuth WRAP client support in Shindig?
>
>
>
> On Thu, Aug 12, 2010 at 12:18 AM, John Hjelmstad <fa...@google.com> wrote:
>
> > Generally sounds fine to me. A few thoughts:
> >
> > 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we
> > require a separate OAuth2 code path?
> >
>
> I think that WRAP is a subset of OAuth2, plus some parameter changes. The
> basic web server flow has seen no fundamental changes.
>
>
> > 2. The messaging I've generally heard is that OAuth2 will pretty much
> > completely replace WRAP. In practice I doubt that will be the case in full,
> > which could mean we're stuck supporting barely-used code. Thoughts on this?
> >
>
> Could happen.
>
> > 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these
> > days, ie. the value of supporting it for the code base?
> >
>
> Live at Microsoft, and at Google. Google is not widely documenting our WRAP
> support. We needed it for a few particular use cases, and it is being
> quietly used there.
>
>
> > 4. How much new code do you expect in OAuthRequest, roughly? It seems that
> > class is already getting quite large...
>
>
> I think this is the big question.
>
> The other question is if/when OpenSocial will adopt the OAuth2 crypto
> proposals. They've been dropped from the core spec due to lack of
> consensus, but I think we did arrive at something that OpenSocial will want
> some day.
>
> Cheers,
> Brian
>
>
>
Re: OAuth WRAP client support in Shindig?
Posted by Mark D Weitzel <we...@us.ibm.com>.
Matt,
This is great!
Just as an FYI, Paul has made it much easier to contribute your work as
part of the extras directory in the shindig svn. We've started
implementing the ActivityStreams work this way. Because things like
Activity Streams are moving fast and are not baked in the wild, we were
looking for a way to get at least some code out quickly that demonstrates
an implementation without affecting the core shindig. A sort of "open
prototyping" if you will. While we started with ActivityStreams, I'm
pushing all the teams inside of IBM to adopt this approach whenever
possible. If all goes well, we'll have some CMIS prototype code ready in a
bit as well.
Hopefully, the OAuth stuff can work the same way as activity
streams--introduce your support in extras and then plug it in via guice. I
say "hopefully" b/c OAuth 2.0 introduces a bunch of new stuff that's
likely to touch the core. Whenever you're ready, we could work with Paul
to carve out a spot in extras.
-Mark W.
From:
Matt Tucker <ma...@jivesoftware.com>
To:
"dev@shindig.apache.org" <de...@shindig.apache.org>
Date:
08/19/2010 01:30 PM
Subject:
Re: OAuth WRAP client support in Shindig?
Mark,
+1 on this -- oAuth 2.0 support is still pretty new out in the wild but
the momentum is clearly there. We're starting to experiment with oAuth 2.0
support at Jive and will find a way to contribute some experimental
patches as we make progress.
Thanks,
Matt
On Aug 16, 2010, at 7:40 AM, Mark D Weitzel wrote:
> I'd like to see OpenSocial adopt OAuth 2.0 rather than WRAP. I'd go
> further and say that a good target for this to happen is OpenSocial 1.1
> next, which is tentatively scheduled for June/July 2011. This allows us to
> start building out the implementation now, in shindig extras, and allow
> that to be the prototype required by the OS dev. process. This also allows
> the spec and the implementation to rely on an official standard.
>
> -Mark W.
>
>
>
> From:
> Brian Eaton <be...@google.com>
> To:
> dev@shindig.apache.org
> Date:
> 08/13/2010 05:35 PM
> Subject:
> Re: OAuth WRAP client support in Shindig?
>
>
>
> On Thu, Aug 12, 2010 at 12:18 AM, John Hjelmstad <fa...@google.com> wrote:
>
>> Generally sounds fine to me. A few thoughts:
>>
>> 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we
>> require a separate OAuth2 code path?
>>
>
> I think that WRAP is a subset of OAuth2, plus some parameter changes. The
> basic web server flow has seen no fundamental changes.
>
>
>> 2. The messaging I've generally heard is that OAuth2 will pretty much
>> completely replace WRAP. In practice I doubt that will be the case in full,
>> which could mean we're stuck supporting barely-used code. Thoughts on this?
>>
>
> Could happen.
>
>> 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these
>> days, ie. the value of supporting it for the code base?
>>
>
> Live at Microsoft, and at Google. Google is not widely documenting our WRAP
> support. We needed it for a few particular use cases, and it is being
> quietly used there.
>
>
>> 4. How much new code do you expect in OAuthRequest, roughly? It seems that
>> class is already getting quite large...
>
>
> I think this is the big question.
>
> The other question is if/when OpenSocial will adopt the OAuth2 crypto
> proposals. They've been dropped from the core spec due to lack of
> consensus, but I think we did arrive at something that OpenSocial will want
> some day.
>
> Cheers,
> Brian
>
>
Re: OAuth WRAP client support in Shindig?
Posted by Matt Tucker <ma...@jivesoftware.com>.
Mark,
+1 on this -- oAuth 2.0 support is still pretty new out in the wild but the momentum is clearly there. We're starting to experiment with oAuth 2.0 support at Jive and will find a way to contribute some experimental patches as we make progress.
Thanks,
Matt
On Aug 16, 2010, at 7:40 AM, Mark D Weitzel wrote:
> I'd like to see OpenSocial adopt OAuth 2.0 rather than WRAP. I'd go
> further and say that a good target for this to happen is OpenSocial 1.1
> next, which is tentatively scheduled for June/July 2011. This allows us to
> start building out the implementation now, in shindig extras, and allow
> that to be the prototype required by the OS dev. process. This also allows
> the spec and the implementation to rely on an official standard.
>
> -Mark W.
>
>
>
> From:
> Brian Eaton <be...@google.com>
> To:
> dev@shindig.apache.org
> Date:
> 08/13/2010 05:35 PM
> Subject:
> Re: OAuth WRAP client support in Shindig?
>
>
>
> On Thu, Aug 12, 2010 at 12:18 AM, John Hjelmstad <fa...@google.com> wrote:
>
>> Generally sounds fine to me. A few thoughts:
>>
>> 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we
>> require a separate OAuth2 code path?
>>
>
> I think that WRAP is a subset of OAuth2, plus some parameter changes. The
> basic web server flow has seen no fundamental changes.
>
>
>> 2. The messaging I've generally heard is that OAuth2 will pretty much
>> completely replace WRAP. In practice I doubt that will be the case in full,
>> which could mean we're stuck supporting barely-used code. Thoughts on this?
>>
>
> Could happen.
>
>> 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these
>> days, ie. the value of supporting it for the code base?
>>
>
> Live at Microsoft, and at Google. Google is not widely documenting our WRAP
> support. We needed it for a few particular use cases, and it is being
> quietly used there.
>
>
>> 4. How much new code do you expect in OAuthRequest, roughly? It seems that
>> class is already getting quite large...
>
>
> I think this is the big question.
>
> The other question is if/when OpenSocial will adopt the OAuth2 crypto
> proposals. They've been dropped from the core spec due to lack of
> consensus, but I think we did arrive at something that OpenSocial will want
> some day.
>
> Cheers,
> Brian
>
>
Re: OAuth WRAP client support in Shindig?
Posted by Mark D Weitzel <we...@us.ibm.com>.
I'd like to see OpenSocial adopt OAuth 2.0 rather than WRAP. I'd go
further and say that a good target for this to happen is OpenSocial 1.1
next, which is tentatively scheduled for June/July 2011. This allows us to
start building out the implementation now, in shindig extras, and allow
that to be the prototype required by the OS dev. process. This also allows
the spec and the implementation to rely on an official standard.
-Mark W.
From:
Brian Eaton <be...@google.com>
To:
dev@shindig.apache.org
Date:
08/13/2010 05:35 PM
Subject:
Re: OAuth WRAP client support in Shindig?
On Thu, Aug 12, 2010 at 12:18 AM, John Hjelmstad <fa...@google.com> wrote:
> Generally sounds fine to me. A few thoughts:
>
> 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we
> require a separate OAuth2 code path?
>
I think that WRAP is a subset of OAuth2, plus some parameter changes. The
basic web server flow has seen no fundamental changes.
> 2. The messaging I've generally heard is that OAuth2 will pretty much
> completely replace WRAP. In practice I doubt that will be the case in full,
> which could mean we're stuck supporting barely-used code. Thoughts on this?
>
Could happen.
> 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these
> days, ie. the value of supporting it for the code base?
>
Live at Microsoft, and at Google. Google is not widely documenting our WRAP
support. We needed it for a few particular use cases, and it is being
quietly used there.
> 4. How much new code do you expect in OAuthRequest, roughly? It seems that
> class is already getting quite large...
I think this is the big question.
The other question is if/when OpenSocial will adopt the OAuth2 crypto
proposals. They've been dropped from the core spec due to lack of
consensus, but I think we did arrive at something that OpenSocial will want
some day.
Cheers,
Brian
Re: OAuth WRAP client support in Shindig?
Posted by Brian Eaton <be...@google.com>.
On Thu, Aug 12, 2010 at 12:18 AM, John Hjelmstad <fa...@google.com> wrote:
> Generally sounds fine to me. A few thoughts:
>
> 1. Is it expected that WRAP will simply be a subset of OAuth2 or will we
> require a separate OAuth2 code path?
>
I think that WRAP is a subset of OAuth2, plus some parameter changes. The
basic web server flow has seen no fundamental changes.
> 2. The messaging I've generally heard is that OAuth2 will pretty much
> completely replace WRAP. In practice I doubt that will be the case in full,
> which could mean we're stuck supporting barely-used code. Thoughts on this?
>
Could happen.
> 3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these
> days, ie. the value of supporting it for the code base?
>
Live at Microsoft, and at Google. Google is not widely documenting our WRAP
support. We needed it for a few particular use cases, and it is being
quietly used there.
> 4. How much new code do you expect in OAuthRequest, roughly? It seems that
> class is already getting quite large...
I think this is the big question.
The other question is if/when OpenSocial will adopt the OAuth2 crypto
proposals. They've been dropped from the core spec due to lack of
consensus, but I think we did arrive at something that OpenSocial will want
some day.
Cheers,
Brian
Re: OAuth WRAP client support in Shindig?
Posted by John Hjelmstad <fa...@google.com>.
Generally sounds fine to me. A few thoughts:
1. Is it expected that WRAP will simply be a subset of OAuth2 or will we
require a separate OAuth2 code path?
2. The messaging I've generally heard is that OAuth2 will pretty much
completely replace WRAP. In practice I doubt that will be the case in full,
which could mean we're stuck supporting barely-used code. Thoughts on this?
3. Can you give a sense (anecdotal is fine) of how widely used WRAP is these
days, ie. the value of supporting it for the code base?
4. How much new code do you expect in OAuthRequest, roughly? It seems that
class is already getting quite large...
--j
On Thu, Aug 12, 2010 at 12:08 AM, Brian Eaton <be...@google.com> wrote:
> Hey folks -
>
> I'm thinking about adding support for the OAuth WRAP protocol to Shindig.
> OAuth WRAP was an early predecessor to OAuth 2. OAuth 2 is still a moving
> target, but OAuth WRAP is final, and there are implementations in the wild.
>
> The relevant shindig code is all in OAuthRequest.java. This is entirely
> about outbound requests from Shindig, not inbound requests.
>
> OAuth WRAP is fairly similar to the Scalable OAuth Extension, which is
> already implemented in Shindig.
>
> I'd only implement the web app profile of OAuth WRAP; that's the only
> interesting one for gadgets.
>
> I'd expect the OAuth WRAP code to move readily to OAuth 2 once OAuth 2 is
> finalized. The web app profile has seen lots of parameter name changes, but
> the basic protocol steps have been constant for a few months now.
>
> The major functional gap between OAuth WRAP and OAuth2 is cryptographic
> signing; there are many key OpenSocial features that won't work until we've
> got a solid design for that. I'd expect OpenSocial to use one of the OAuth2
> assertion profiles. At any rate, that work would not be done first.
>
> Thoughts on this?
>
> Cheers,
> Brian
>