Posted to dev@cxf.apache.org by Thorsten Höger <li...@hoegernet.de> on 2014/03/01 18:42:08 UTC

OpenId Connect

Hi,

are there plans to support OpenId Connect (Server/Client) as extension to OAuth2 in CXF?

Regards,
Thorsten

Re: OpenId Connect

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 03/03/14 18:42, Thorsten Höger wrote:
> Am 03.03.2014 11:27, schrieb Sergey Beryozkin:
>> Hi Thorsten
>> On 01/03/14 17:42, Thorsten Höger wrote:
>>> Hi,
>>>
>>> are there plans to support OpenId Connect (Server/Client) as extension to OAuth2 in CXF?
>>>
>> Yes.
>>
>> Right now, the immediate priority is to support JWT wrapped as CXF ServerAccessToken,
>> and the JWT assertions grant. Next, offer the JAX-RS services support for the client
>> registration and token management.
>>
>> OpenId Connect will be next (possibly some prototyping will start after the JWT support
>> is done). I'm not sure right now in what form it will be supported, maybe some of it
>> will be done as part of Fediz, but I think at the very least CXF OAuth2 endpoints should
>> be able to work with the OpenId Connect aware infrastructure...
>>
>> Do you have any particular integration requirements? What is it that attracts you in
>> OpenId-Connect most?
> We are using CXF as a REST backend for our online-banking system. The first part with
> OpenId Connect would be to act as an OpenId Identity-Provider. The next part would be to
> authenticate/register new users via Google+, Facebook etc.
>
Right, thanks. I believe this is in line with the Fediz roadmap which 
Oli has put in place, with OAuth2-based SSO covered eventually too.

Just in case: CXF supports SAML SP Web Profile and this has been tested 
against many SAML IDPs; Fediz currently supports WS-Fed passive Profile 
- deployed in a major production. So we have some SSO support in place.

Cheers, Sergey

> Regards,
> Thorsten
>
>>
>> Cheers, Sergey
>>
>>
>>> Regards,
>>> Thorsten
>>>
>>
>

Re: OpenId Connect

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Bill
On 03/03/14 18:50, Bill Burke wrote:
>
>
> On 3/3/2014 1:42 PM, Thorsten Höger wrote:
>> Am 03.03.2014 11:27, schrieb Sergey Beryozkin:
>>> Hi Thorsten
>>> On 01/03/14 17:42, Thorsten Höger wrote:
>>>> Hi,
>>>>
>>>> are there plans to support OpenId Connect (Server/Client) as
>>>> extension to OAuth2 in CXF?
>>>>
>>> Yes.
>>>
>>> Right now, the immediate priority is to support JWT wrapped as CXF
>>> ServerAccessToken,
>>> and the JWT assertions grant. Next, offer the JAX-RS services support
>>> for the client
>>> registration and token management.
>>>
>>> OpenId Connect will be next (possibly some prototyping will start
>>> after the JWT support
>>> is done). I'm not sure right now in what form it will be supported,
>>> maybe some of it
>>> will be done as part of Fediz, but I think at the very least CXF
>>> OAuth2 endpoints should
>>> be able to work with the OpenId Connect aware infrastructure...
>>>
>>> Do you have any particular integration requirements? What is it that
>>> attracts you in
>>> OpenId-Connect most?
>> We are using CXF as a REST backend for our online-banking system. The
>> first part with
>> OpenId Connect would be to act as an OpenId Identity-Provider. The
>> next part would be to
>> authenticate/register new users via Google+, Facebook etc.
>
> Shameless plug:
>
> We're working on an OpenID Connect extension/auth server over at
> http://keycloak.org.  It can be a social broker, or register/manage its
> own users.  Supports permission/role mappings, OTP, and a lot more. Aims
> for integrated security for both web apps and REST services. Keycloak is
> a solution, not a library, so I don't see why eventually CXF couldn't
> integrate with it if it has/will have openid connect/oauth2 client
> libraries.
>
Sure, I guess that can definitely work, integrating at that level. And I
don't mind us trying at all, it will be good for interoperability. But
note we also have Fediz, which is going to become the SSO + OAuth2 star
:-). Maybe we can use Fediz to interpose over KeyCloak one day :-)

Cheers, Sergey



-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: OpenId Connect

Posted by Bill Burke <bb...@redhat.com>.

On 3/3/2014 1:42 PM, Thorsten Höger wrote:
> Am 03.03.2014 11:27, schrieb Sergey Beryozkin:
>> Hi Thorsten
>> On 01/03/14 17:42, Thorsten Höger wrote:
>>> Hi,
>>>
>>> are there plans to support OpenId Connect (Server/Client) as extension to OAuth2 in CXF?
>>>
>> Yes.
>>
>> Right now, the immediate priority is to support JWT wrapped as CXF ServerAccessToken,
>> and the JWT assertions grant. Next, offer the JAX-RS services support for the client
>> registration and token management.
>>
>> OpenId Connect will be next (possibly some prototyping will start after the JWT support
>> is done). I'm not sure right now in what form it will be supported, maybe some of it
>> will be done as part of Fediz, but I think at the very least CXF OAuth2 endpoints should
>> be able to work with the OpenId Connect aware infrastructure...
>>
>> Do you have any particular integration requirements? What is it that attracts you in
>> OpenId-Connect most?
> We are using CXF as a REST backend for our online-banking system. The first part with
> OpenId Connect would be to act as an OpenId Identity-Provider. The next part would be to
> authenticate/register new users via Google+, Facebook etc.

Shameless plug:

We're working on an OpenID Connect extension/auth server over at
http://keycloak.org.  It can be a social broker, or register/manage its 
own users.  Supports permission/role mappings, OTP, and a lot more. 
Aims for integrated security for both web apps and REST services. 
Keycloak is a solution, not a library, so I don't see why eventually CXF 
couldn't integrate with it if it has/will have openid connect/oauth2 
client libraries.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

Re: OpenId Connect

Posted by Thorsten Höger <li...@hoegernet.de>.
Am 03.03.2014 11:27, schrieb Sergey Beryozkin:
> Hi Thorsten
> On 01/03/14 17:42, Thorsten Höger wrote:
>> Hi,
>>
>> are there plans to support OpenId Connect (Server/Client) as extension to OAuth2 in CXF?
>>
> Yes.
>
> Right now, the immediate priority is to support JWT wrapped as CXF ServerAccessToken,
> and the JWT assertions grant. Next, offer the JAX-RS services support for the client
> registration and token management.
>
> OpenId Connect will be next (possibly some prototyping will start after the JWT support
> is done). I'm not sure right now in what form it will be supported, maybe some of it
> will be done as part of Fediz, but I think at the very least CXF OAuth2 endpoints should
> be able to work with the OpenId Connect aware infrastructure...
>
> Do you have any particular integration requirements? What is it that attracts you in
> OpenId-Connect most?
We are using CXF as a REST backend for our online-banking system. The first part with
OpenId Connect would be to act as an OpenId Identity-Provider. The next part would be to
authenticate/register new users via Google+, Facebook etc.

Regards,
Thorsten

>
> Cheers, Sergey
>
>
>> Regards,
>> Thorsten
>>
>


Re: OpenId Connect

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Thorsten
On 01/03/14 17:42, Thorsten Höger wrote:
> Hi,
>
> are there plans to support OpenId Connect (Server/Client) as extension to OAuth2 in CXF?
>
Yes.

Right now, the immediate priority is to support JWT wrapped as CXF 
ServerAccessToken, and the JWT assertions grant. Next, offer the JAX-RS 
services support for the client registration and token management.

OpenId Connect will be next (possibly some prototyping will start after 
the JWT support is done). I'm not sure right now in what form it will be 
supported, maybe some of it will be done as part of Fediz, but I think
at the very least CXF OAuth2 endpoints should be able to work with the 
OpenId Connect aware infrastructure...

Do you have any particular integration requirements? What is it that
attracts you in OpenId-Connect most?

Cheers, Sergey


> Regards,
> Thorsten
>