
Posts

Showing posts with the label oltu

OAuth 2 server to server and Apache Oltu

Leaving aside some FUD, I think that RFC 6749 (aka The OAuth 2.0 Authorization Framework) has proven to be a really great "tool" so far. One limitation of this spec, though, is that the two main flows, Authorization Code Grant and Implicit Grant, work reasonably well only if there is some sort of human interaction and the user agent is available. What if one or both of these requirements are missing? One easy alternative would be to use the Resource Owner Password Credentials Grant flow. This would require the OAuth client to know the Resource Owner's password, which is exactly the situation OAuth was designed to avoid. Another, more tempting, alternative would be to use a refresh token (that never expires). The best choice, though, IMHO is to use "tools" from another specification in the growing OAuth specification family :) The specification I am referring to is the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and A...

OAuth 2 and Apache Amber (incubating) released

Short story: Apache Amber 0.22-incubating released! http://markmail.org/message/2ywodi74vlv4d2qe See also: http://incubator.apache.org/amber/download.html and http://oauth.net/2/ Little more: Despite the earthquake that hit the "OAuth 2 world", the Amber team is proud to announce the first release of Apache Amber (Apache Amber 0.22-incubating). The people that have followed the project since the beginning know that it has been a kind of long journey due to some legal issues that slowed down the release. I am really keen to see Amber used and improved in the near future. I can see on the horizon some OpenID Connect and UMA integration and, obviously, becoming fully compliant with the latest version of the spec (version 31?). On the other hand I am kind of sad to see the lead editor leaving the specification. Especially the first post is definitely an interesting rant to read, with a lot of valid points, and considering who the author is it cannot be ignored. I think only time wi...

OAuth and Java

Some time ago I was looking for a Java OAuth library to help me develop an OAuth-aware server application. The natural place to look for that information was the OAuth website, which lists about 4 different Java libraries. The only one I am familiar with is Scribe. Indeed it is a really light, well documented and widely used library for building OAuth clients. It also contains out-of-the-box integration for many well known websites that use OAuth (e.g. Facebook, Twitter, and many more). Unfortunately though, Scribe did/does not have any support for the OAuth server side (that was my original problem). After a while a colleague of mine pointed me to an Apache project called Apache Amber, and it turned out it was what I needed :) (Still wonder why Apache Amber is not listed on the OAuth website though). So the lesson learned is that if you are looking for a simple way to build your OAuth server, do not hesitate to use Apache Amber. Here you can see how easy it is to build the...