users@javaee-security-spec.java.net

[javaee-security-spec users] Re: [jsr375-experts] Add OAuth2 and/or OpenID Connect Support to JSR-375?

From: Will Hopkins <will.hopkins_at_oracle.com>
Date: Tue, 8 Nov 2016 11:44:18 -0500

I think the value of having OAuth/OpenID Connect in Java EE is to enable
portable applications that leverage them, and to provide simple,
declarative mechanisms for enabling them. It's certainly possible to
use OAuth now, but every application will necessarily implement it
differently, and will likely end up including its own choice of third
party libraries/frameworks with the application.

I do hear the concern about timeliness, and I agree it's an important
consideration. Anything we do add would need to fit in the proposed EE
8 schedule.

Do you have a view on the right balance between timeliness and
including features that the latest community survey prioritized? The
concern if we don't include OAuth is that the community will perceive
that as not being responsive to community input.

Note also, as I mentioned in a different thread, I don't think we're
considering standardizing the standalone OAuth Authorization Server
itself (i.e., token issuance), just support for clients acquiring tokens
and servers/applications consuming them.


On 11/04/2016 05:04 PM, reza_rahman wrote:
> No doubt both OAuth and OpenID Connect are long overdue for Java EE.
> That being said, since this JSR and Java EE have already been delayed
> multiple times, I don't think any further delays are advisable if Java
> EE is to be kept relevant. I think this JSR should focus on getting a
> solid foundation for Java EE standards based security in place and
> delivering something in a timely fashion. If OAuth and OpenID Connect
> must be pulled in, it is perhaps wise to do that by delaying a more
> unimportant part of the current scope. It has always confused me why
> Java EE based products tend to wait until something is done in the
> JCP. I don't think there is really anything stopping anyone from
> building OAuth and OpenID Connect support based on the current J2EE
> era security APIs in their products. In a similar vein I believe
> Agorava already has this support for CDI based applications for some
> time now.
>
> Sent via the Samsung Galaxy S7, an AT&T 4G LTE smartphone
>
> -------- Original message --------
> From: Will Hopkins <will.hopkins_at_oracle.com>
> Date: 11/4/16 3:28 PM (GMT-05:00)
> To: jsr375-experts_at_javaee-security-spec.java.net
> Subject: [javaee-security-spec users] [jsr375-experts] Add OAuth2
> and/or OpenID Connect Support to JSR-375?
>
> Experts,
>
> I have been asked to get a sense of how the EG would feel about adding
> OAuth2 and/or OpenID Connect support to JSR-375.
>
> Our plan of record has been to defer OAuth/OpenID Connect until the next
> security JSR, so that we can wrap up JSR-375 quickly and move on to
> cloud-oriented technologies, including OAuth/OpenID Connect, as
> expeditiously as possible. That still seems like a good plan to me --
> anything we do with OAuth/OpenID Connect is likely to require
> significant time and effort to get right, and we don't want to put out
> something half-baked and have to fix it (or support it) later. Deferring
> it allows us to release the existing features of JSR-375 quickly, and
> move on to JSR-Next -- which is more than just OAuth/OpenID Connect --
> as soon as possible.
>
> That said, OAuth/OpenID Connect ranked third, after ReST services and
> HTTP/2, in the most recent EE community survey. Clearly, the community
> wants OAuth/OpenID Connect support in EE. Both are strategic security
> technologies with wide acceptance and adoption in real-world
> applications today. We could decide to take that on in JSR-375, and
> probably make it available sooner than if we waited for JSR-Next. Or,
> we could do a smaller piece in JSR-375 -- perhaps just OpenID Connect,
> which is a simpler model (authentication only) -- and then add OAuth2
> proper in JSR-Next.
>
> Either way, we're talking about substantial additional time, effort, and
> complexity to add any part of OAuth/OpenID Connect to JSR-375. There may
> be other considerations as well -- for example, are there ramifications
> in terms of adding brand new technology areas that were not mentioned in
> the original JSR proposal? We'd have to work through those issues
> before making a final decision. I don't think the upcoming EDR deadline
> is an obstacle -- worst case, we could add a TBD placeholder section for
> OAuth.
>
> So. There are pros and cons to any course of action here. It would be
> great to wrap up JSR-375 quickly and move on, but given the importance
> of OAuth/OpenID Connect, doing it sooner rather than later might be
> the right decision even if it delays JSR-375.
>
> What do you all think?
>
> Will
>
> --
> Will Hopkins | Platform Security Architect | +1.781.442.0310
> Oracle Cloud Application Foundation
> 35 Network Drive, Burlington, MA 01803
>

-- 
Will Hopkins | Platform Security Architect | +1.781.442.0310
Oracle Cloud Application Foundation
35 Network Drive, Burlington, MA 01803