jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Add OAuth2 and/or OpenID Connect Support to JSR-375?

From: Will Hopkins <will.hopkins_at_oracle.com>
Date: Fri, 4 Nov 2016 15:28:40 -0400

Experts,

I have been asked to get a sense of how the EG would feel about adding
OAuth2 and/or OpenID Connect support to JSR-375.

Our plan of record has been to defer OAuth/OpenID Connect until the next
security JSR, so that we can wrap up JSR-375 quickly and move on to
cloud-oriented technologies, including OAuth/OpenID Connect, as
expeditiously as possible. That still seems like a good plan to me --
anything we do with OAuth/OpenID Connect is likely to require
significant time and effort to get right, and we don't want to put out
something half-baked and have to fix it (or support it) later. Deferring
it allows us to release the existing features of JSR-375 quickly, and
move on to JSR-Next -- which is more than just OAuth/OpenID Connect --
as soon as possible.

That said, OAuth/OpenID Connect ranked third, after ReST services and
HTTP/2, in the most recent EE community survey. Clearly, the community
wants OAuth/OpenID Connect support in EE. Both are strategic security
technologies with wide acceptance and adoption in real-world
applications today. We could decide to take that on in JSR-375, and
probably make it available sooner than if we waited for JSR-Next. Or,
we could do a smaller piece in JSR-375 -- perhaps just OpenID Connect,
which is a simpler model (authentication only) -- and then add OAuth2
proper in JSR-Next.

Either way, we're talking about substantial additional time, effort, and
complexity to add any part of OAuth/OpenID Connect to JSR-375. There may
be other considerations as well -- for example, are there ramifications
in terms of adding brand new technology areas that were not mentioned in
the original JSR proposal? We'd have to work through those issues
before making a final decision. I don't think the upcoming EDR deadline
is an obstacle -- worst case, we could add a TBD placeholder section for
OAuth.

So. There are pros and cons to any course of action here. It would be
great to wrap up JSR-375 quickly and move on, but given the importance
of OAuth/OpenID Connect, so doing it sooner rather than later might be
the right decision even if it delays JSR-375.

What do you all think?

Will 

-- 
Will Hopkins | Platform Security Architect | +1.781.442.0310
Oracle Cloud Application Foundation
35 Network Drive, Burlington, MA 01803
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.