users@jax-rs-spec.java.net

[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Markus KARG <markus_at_headcrashing.eu>
Date: Fri, 19 Oct 2012 19:25:44 +0200

Thank you for posting this really interesting link. After reading it I
understand that any kind of further support of OAuth 2.0 makes no sense to
me: If the lead editor thinks it is crap and he doesn't want to further see
his name on it, I should keep my hands off.

> -----Original Message-----
> From: Bill Burke [mailto:bburke_at_redhat.com]
> Sent: Donnerstag, 18. Oktober 2012 01:02
> To: jsr339-experts_at_jax-rs-spec.java.net
> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
>
> That's the thing. AFAICT, OAuth2 leaves the token format undefined.
> SAML has a mapping, but it would be cool to have a Java EE specific
> token format.
>
> There does seem to be a registry defined in the OAuth2 RFC.
>
> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:
>
> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>
> On 10/17/2012 12:15 PM, Markus KARG wrote:
> > Maybe this is a dumb question, but if the access token media type is
> > defined by OAuth2, how should it ever work to map a Principal on it? I
> > mean, the result would be that some tokens could be mapped while others
> > could not. What a chaos! I can hardly believe that there is no kind
> > of registry defined for this at IETF or elsewhere!?
> >
> >> -----Original Message-----
> >> From: Bill Burke [mailto:bburke_at_redhat.com]
> >> Sent: Dienstag, 16. Oktober 2012 21:20
> >> To: jsr339-experts_at_jax-rs-spec.java.net
> >> Subject: [jsr339-experts] Re: offtopic: Java EE Security media type
> >>
> >> You're missing what I'm saying. I want to define an on-the-wire
> >> access token media type that can be converted into Principal,
> >> user-role mappings and JACC permissions. OAuth2 does not specify the
> >> access token format, although SAML is used as an example.
> >>
> >> On 10/16/2012 2:09 PM, Markus KARG wrote:
> >>> I think that OAuth plays an important role, but I doubt that there
> >>> is a need for a JAX-RS extension: I think it should be covered by
> >>> Java EE's security layer, hence, it should be wrapped by an instance
> >>> of Principal.
> >>>
> >>>> -----Original Message-----
> >>>> From: Bill Burke [mailto:bburke_at_redhat.com]
> >>>> Sent: Dienstag, 16. Oktober 2012 17:16
> >>>> To: jsr339-experts_at_jax-rs-spec.java.net
> >>>> Subject: [jsr339-experts] offtopic: Java EE Security media type
> >>>>
> >>>> Now that OAuth 2.0 has reached RFC phase, I was wondering if
> >>>> anybody was interested in collaborating on a Java EE Security token
> >>>> media type and maybe even extensions of the OAuth 2.0 protocol.
> >>>>
> >>>> A token media type would be a simple format that encapsulated
> >>>> user/role mappings and maybe user/permission (JACC) metadata.
> >>>>
> >>>> I've only done a high-level reading of the OAuth 2 RFC, but it seems to
> >>>> be missing non-browser REST communication. Basically an ability to
> >>>> transfer the token via header invocations. I'd also like to see
> >>>> extended protocols/media types that include PKI support.
> >>>>
> >>>> Finally, I'd like to get this done via the IETF and their processes.
> >>>> I think this would be a good chance to get some industry
> >>>> collaboration around REST, security, and the Java EE world.
> >>>> Something specifically designed for Java EE. I know we have SAML and
> >>>> XACML and all, but I'd like to see something developed that is
> >>>> specific to Java EE. Formats and protocols that are simple and
> >>>> easy to implement and support in other environments beyond Java.
> >>>>
> >>>> Any thoughts?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Bill
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com