Posted to dev@cxf.apache.org by Łukasz Moreń <lu...@gmail.com> on 2010/06/02 13:26:31 UTC

[GSoC][OAUTH] OAuth implementation kick-off

I would like to start coding OAuth support finally and I have some questions
regarding that:

1. We agreed to use the OAuth 1.0 spec, and I assume we will use:
http://tools.ietf.org/html/draft-hammer-oauth-10
as is suggested in: http://oauth.net/core/1.0a/. WDYT?

2. There are existing Java OAuth libraries. I am wondering if we could use
one of them. On the one hand, maybe it is not a good idea to make
cxf dependent on such a library, but on the other
it's already tested and used by developers (mainly I mean the Scribe lib). I
can write my own implementation; just let me know what your opinion is.

My asf account is ready and Daniel suggested creating a branch in the cxf
sandbox; I will do so and commit all my changes there.


Btw, in the last few days I was at the OAuth 2.0 F2F meeting and about a hundred
new issues appeared (major and trivial as well), so I suppose it's too hot for
implementation :).

Cheers,
Lukasz Moren

Re: [GSoC][OAUTH] OAuth implementation kick-off

Posted by Łukasz Moreń <lu...@gmail.com>.
> Hi Łukasz, just in case you're not aware (highly unlikely), the link above
> is now recommending the regular RFC 5849:
> http://tools.ietf.org/html/rfc5849 instead of the draft link.


Yes, I noticed this new recommendation some time ago and I am using it now.
Thanks for letting me know.

Cheers,
Lukasz

2010/6/19 Glen Mazza <gl...@gmail.com>:
>
>
> Łukasz Moreń wrote:
>>
>> I would like to start coding OAuth support finally and I have some questions
>> regarding that:
>>
>> 1. We agreed to use the OAuth 1.0 spec, and I assume we will use:
>> http://tools.ietf.org/html/draft-hammer-oauth-10
>> as is suggested in: http://oauth.net/core/1.0a/. WDYT?
>>
>
> Hi Łukasz, just in case you're not aware (highly unlikely), the link above
> is now recommending the regular RFC 5849:
> http://tools.ietf.org/html/rfc5849 instead of the draft link.
>
> Regards,
> Glen
>
> --
> View this message in context:
> http://old.nabble.com/-GSoC--OAUTH--OAuth-implementation-kick-off-tp28753099p28936673.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
>
>

Re: [GSoC][OAUTH] OAuth implementation kick-off

Posted by Glen Mazza <gl...@gmail.com>.

Łukasz Moreń wrote:
> 
> I would like to start coding OAuth support finally and I have some questions
> regarding that:
> 
> 1. We agreed to use the OAuth 1.0 spec, and I assume we will use:
> http://tools.ietf.org/html/draft-hammer-oauth-10
> as is suggested in: http://oauth.net/core/1.0a/. WDYT?
> 

Hi Łukasz, just in case you're not aware (highly unlikely), the link above
is now recommending the regular RFC 5849:
http://tools.ietf.org/html/rfc5849 instead of the draft link.

Regards,
Glen

-- 
View this message in context: http://old.nabble.com/-GSoC--OAUTH--OAuth-implementation-kick-off-tp28753099p28936673.html
Sent from the cxf-dev mailing list archive at Nabble.com.


Re: [GSoC][OAUTH] OAuth implementation kick-off

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Łukasz

On Wed, Jun 2, 2010 at 12:26 PM, Łukasz Moreń <lu...@gmail.com> wrote:

> I would like to start coding OAuth support finally and I have some questions
> regarding that:
>
> 1. We agreed to use the OAuth 1.0 spec, and I assume we will use:
> http://tools.ietf.org/html/draft-hammer-oauth-10
> as is suggested in: http://oauth.net/core/1.0a/. WDYT?
>

Yes please


>
> 2. There are existing Java OAuth libraries. I am wondering if we could use
> one of them. On the one hand, maybe it is not a good idea to make
> cxf dependent on such a library, but on the other
> it's already tested and used by developers (mainly I mean the Scribe lib). I
> can write my own implementation; just let me know what your opinion is.
>

IMHO reusing the well-tested 3rd party library will be fine - they are
actually not big libraries.
I've had a chance to work with a Google OAuth library; Scribe looks ok too;
please select the one you think will do best; ideally, users will not be
aware of the impl details - so that the libs could be replaced if needed.


>
> My asf account is ready and Daniel suggested creating a branch in the cxf
> sandbox; I will do so and commit all my changes there.
>

Sounds good. As suggested earlier on, please consider introducing a
rt/rs/oauth module (I think I might've suggested rt/jaxrs/oauth initially,
but 'rs' seems more neutral and better).




>
> Btw, in the last few days I was at the OAuth 2.0 F2F meeting and about a hundred
> new issues appeared (major and trivial as well), so I suppose it's too hot for
> implementation :).
>

Indeed. At some later stage you can add a rt/rs/oauth20 :-);

thanks, Sergey


> Cheers,
> Lukasz Moren
>

P.S. I should mention I started working for JBoss and one of the projects
I'm involved in is extending RestEasy's OAuth support (which is actually
quite good) for it to be better integrated with various JBoss AS services as
well as to facilitate some other open authentication based interactions. It
is a higher level task and I hope I'll be able to avoid any conflict of
interest :-) You can expect good support from myself and others when
working on this project...

Re: [GSoC][OAUTH] OAuth implementation kick-off

Posted by Sergey Beryozkin <sb...@gmail.com>.
> dkulp wrote:
> >
> >> 2. There are existing Java OAuth libraries. I am wondering if we could
> >> use
> >> one of them. On the one hand, maybe it is not a good idea to make
> >> cxf dependent on such a library, but on the other
> >> it's already tested and used by developers (mainly I mean the Scribe lib). I
> >> can write my own implementation; just let me know what your opinion is.
> >
> > I'm definitely all for using a 3rd party lib if it will work for us.
> >
>
> Standard caveat of course that it needs to be an Apache-compatible license
> (no GPL or LGPL, for example).
>
>
Google OAuth has an Apache licence; Scribe has it too. And I'm assuming
Amber will have too.
At the moment it appears Scribe or Google libs should do well; OAuth 1.0 can
be split in well-defined phases and it seems the code which lives in those
libs is very capable (main complexity - properly signing requests and forming
OAuth requests).
Perhaps some higher-level OAuth workflow library/code can be built as well
eventually

cheers, Sergey

> Glen
> --
> View this message in context:
> http://old.nabble.com/-GSoC--OAUTH--OAuth-implementation-kick-off-tp28753099p28757558.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
>
>

Re: [GSoC][OAUTH] OAuth implementation kick-off

Posted by Glen Mazza <gl...@gmail.com>.

dkulp wrote:
> 
>> 2. There are existing Java OAuth libraries. I am wondering if we could
>> use
>> one of them. On the one hand, maybe it is not a good idea to make
>> cxf dependent on such a library, but on the other
>> it's already tested and used by developers (mainly I mean the Scribe lib). I
>> can write my own implementation; just let me know what your opinion is.
> 
> I'm definitely all for using a 3rd party lib if it will work for us.    
> 

Standard caveat of course that it needs to be an Apache-compatible license
(no GPL or LGPL, for example).

Glen
-- 
View this message in context: http://old.nabble.com/-GSoC--OAUTH--OAuth-implementation-kick-off-tp28753099p28757558.html
Sent from the cxf-dev mailing list archive at Nabble.com.


Re: [GSoC][OAUTH] OAuth implementation kick-off

Posted by Daniel Kulp <dk...@apache.org>.
On Wednesday 02 June 2010 7:26:31 am Łukasz Moreń wrote:
> I would like to start coding OAuth support finally and I have some questions
> regarding that:
> 
> 1. We agreed to use the OAuth 1.0 spec, and I assume we will use:
> http://tools.ietf.org/html/draft-hammer-oauth-10
> as is suggested in: http://oauth.net/core/1.0a/. WDYT?

Yep.


> 2. There are existing Java OAuth libraries. I am wondering if we could use
> one of them. On the one hand, maybe it is not a good idea to make
> cxf dependent on such a library, but on the other
> it's already tested and used by developers (mainly I mean the Scribe lib). I
> can write my own implementation; just let me know what your opinion is.

I'm definitely all for using a 3rd party lib if it will work for us.    

What may be an interesting course of action would be to also get involved with
the new Amber project in incubation:
https://svn.apache.org/repos/asf/incubator/amber
It's BRAND NEW, the svn repo was just created yesterday so no code there yet. I
think some of it is still in the lab.    I'm not saying using Amber is 
required or even preferred.   Just mentioning it as an option to investigate.  
Since it's in an early form, we'd definitely have some flexibility to push it 
in a direction that would be more usable for us.    :-)


Dan


 
> My asf account is ready and Daniel suggested creating a branch in the cxf
> sandbox; I will do so and commit all my changes there.
> 
> 
> Btw, in the last few days I was at the OAuth 2.0 F2F meeting and about a
> hundred new issues appeared (major and trivial as well), so I suppose it's too hot
> for implementation :).
> 
> Cheers,
> Lukasz Moren

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog