[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Bill Burke <>
Date: Thu, 18 Oct 2012 09:20:48 -0400

On 10/18/2012 5:19 AM, Sergey Beryozkin wrote:
> On 18/10/12 00:01, Bill Burke wrote:
>> That's the thing. AFAICT, OAuth2 leaves the token format undefined. SAML
>> has a mapping, but it would be cool to have a Java EE specific token
>> format.
> using Java EE to implement OAuth2 is an implementation detail, so I'm
> not sure there's any scope for getting something JavaEE specific into
> the protocol

It's not an implementation detail because OAuth2 does not define a token
format AFAICT.

Something like this:

    {
      "user" : "bill",
      "roles" : [ "admin" ],
      "permissions" : "blah"
    }

There's no interoperability in OAuth 2 because the token format is
undefined. I'm just saying define a token format for Java EE and any
OAuth2 extensions we might perceive a need for.

>> There does seem to be a registry defined in the OAuth2 RFC.
>> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:
> Does not mean OAuth2 is totally broken

I like that they left the token format open. At first glance they also
made the protocol very browser centric.

Bill Burke
JBoss, a division of Red Hat
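The thread above is about OAuth2 leaving the access token format undefined and what a defined Java EE token carrying user, roles and permissions might look like. The following is an added illustration, not code from the mail, from JAX-RS or from any OAuth2 specification: it assumes a minimal token layout of a base64url-encoded JSON body followed by a base64url HMAC-SHA256 tag over that body, with a shared secret between the issuer and the resource server (the secret below is constructed for the example). It shows the two halves any defined format needs, an issuer that produces the token and a resource server that parses it and enforces a role, and why the integrity tag matters: a token whose roles are edited after issuance is rejected rather than honoured.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for this example only. A real deployment would
# provision it out of band between the authorization and resource servers.
SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as commonly used for tokens in URLs/headers."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles, permissions: str, secret: bytes = SECRET) -> str:
    """Issuer side: serialize the claims canonically and append an HMAC tag."""
    claims = {"user": user, "roles": list(roles), "permissions": permissions}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def parse_token(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Resource-server side: verify the tag before trusting any claim.

    Returns the claims dict, or None for a malformed, tampered or
    foreign-key token. All failures collapse to None so callers cannot
    distinguish 'bad signature' from 'bad encoding' and leak structure.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body = b64url_decode(body_b64)
        tag = b64url_decode(tag_b64)
        # Check integrity first, with a constant-time compare, so untrusted
        # JSON is never parsed unless the tag is valid.
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(body)
    except ValueError:  # covers unpacking, base64 (binascii.Error) and JSON errors
        return None
    # Shape check: the format defines these fields, so enforce their types.
    if not isinstance(claims, dict):
        return None
    if not isinstance(claims.get("user"), str):
        return None
    if not isinstance(claims.get("roles"), list):
        return None
    return claims


def is_allowed(token: str, required_role: str, secret: bytes = SECRET) -> bool:
    """Role check a resource (for example a JAX-RS filter) would perform."""
    claims = parse_token(token, secret)
    return claims is not None and required_role in claims["roles"]


def tamper(token: str, new_roles) -> str:
    """Attacker helper for the demo: rewrite roles but keep the old tag."""
    body_b64, tag_b64 = token.split(".")
    claims = json.loads(b64url_decode(body_b64))
    claims["roles"] = list(new_roles)
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return b64url_encode(body) + "." + tag_b64


if __name__ == "__main__":
    tok = issue_token("bill", ["admin"], "blah")
    print("issued:", tok)
    print("admin allowed:", is_allowed(tok, "admin"))
    forged = tamper(tok, ["admin", "superuser"])
    print("forged superuser allowed:", is_allowed(forged, "superuser"))
```

The layout is deliberately the simplest thing that gives a resource server both a parseable shape and an integrity guarantee; a real specification would also fix claim names, an expiry and an issuer, and would verify the tag before decoding anything else, exactly as parse_token does.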