On 10/18/2012 5:19 AM, Sergey Beryozkin wrote:
> On 18/10/12 00:01, Bill Burke wrote:
>> That's the thing. AFAICT, OAuth2 leaves the token format undefined. SAML
>> has a mapping, but it would be cool to have a Java EE specific token
>> format.
>
> Using Java EE to implement OAuth2 is an implementation detail, so I'm
> not sure there's any scope for getting something Java EE specific into
> the protocol.
>
It's not an implementation detail because OAuth2 does not define a token
format AFAICT.
Something like this:
{
  "user" : "bill",
  "roles" : [ "admin" ],
  "permissions" : "blah"
}
There's no interoperability in OAuth 2 because the token format is
undefined. I'm just saying define a token format for Java EE and any
OAuth2 extensions we might perceive a need for.
>>
>> There does seem to be a registry defined in the OAuth2 RFC.
>>
>> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:
>>
>> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>>
>
> Does not mean OAuth2 is totally broken
>
I like that they left the token format open. At first glance they also
made the protocol very browser-centric.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
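As an added example, not code from this thread or from any OAuth2 implementation: a strict parser for the token shape Bill sketches above, plus the role check a resource server would run on the parsed token. The field names come from the sketch; treating "permissions" as a list of strings (the message leaves it as "blah") and rejecting unknown fields are assumptions made here.

```python
import json

# Required fields and their expected types, taken from the token sketched in
# the thread. The thread leaves "permissions" as "blah"; treating it as a list
# of strings is an assumption made here.
_SCHEMA = {"user": str, "roles": list, "permissions": list}


def parse_token(raw):
    """Parse a JSON access token into a dict, or raise ValueError.

    The check is deliberately strict: every required field must be present
    with the right type, no unknown fields are tolerated, and every element of
    "roles"/"permissions" must be a non-empty string. Without a shared,
    strictly checked shape like this, tokens from different issuers are not
    interoperable, which is the point made in the thread.
    """
    try:
        tok = json.loads(raw)
    except ValueError as exc:
        raise ValueError("token is not valid JSON: %s" % exc)
    if not isinstance(tok, dict):
        raise ValueError("token must be a JSON object")
    unknown = set(tok) - set(_SCHEMA)
    if unknown:
        raise ValueError("unexpected fields: %s" % sorted(unknown))
    for field, typ in _SCHEMA.items():
        if field not in tok:
            raise ValueError("missing field: %s" % field)
        if not isinstance(tok[field], typ):
            raise ValueError("field %s must be %s" % (field, typ.__name__))
    for field in ("roles", "permissions"):
        if not all(isinstance(v, str) and v for v in tok[field]):
            raise ValueError("%s must contain non-empty strings" % field)
    if not tok["user"]:
        raise ValueError("user must be non-empty")
    return tok


def has_role(tok, role):
    """Authorization decision on an already-validated token."""
    return role in tok["roles"]


# Constructed sample tokens (not from the thread).
GOOD = '{"user": "bill", "roles": ["admin"], "permissions": ["deploy"]}'
BAD_TYPE = '{"user": "bill", "roles": "admin", "permissions": []}'

if __name__ == "__main__":
    print(has_role(parse_token(GOOD), "admin"))  # True
```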