users@jax-rs-spec.java.net

[jax-rs-spec users] [jsr339-experts] Re: offtopic: Java EE Security media type

From: Bill Burke <bburke_at_redhat.com>
Date: Thu, 18 Oct 2012 09:20:48 -0400

On 10/18/2012 5:19 AM, Sergey Beryozkin wrote:
> On 18/10/12 00:01, Bill Burke wrote:
>> That's the thing. AFAICT, OAuth2 leaves the token format undefined. SAML
>> has a mapping, but it would be cool to have a Java EE specific token
>> format.
>
> Using Java EE to implement OAuth2 is an implementation detail, so I'm
> not sure there's any scope for getting something Java EE specific into
> the protocol.
>

It's not an implementation detail because OAuth2 does not define a token
format AFAICT.

Something like this:

{
    "user" : "bill",
    "roles" : [ "admin" ],
    "permissions" : "blah"
}

There's no interoperability in OAuth 2 because the token format is
undefined. I'm just saying define a token format for Java EE and any
OAuth2 extensions we might perceive a need for.

>>
>> There does seem to be a registry defined in the OAuth2 RFC.
>>
>> FYI, Eran Hammer, the previous lead, quit OAuth2 and ranted like crazy:
>>
>> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>>
>
> Does not mean OAuth2 is totally broken
>

I like that they left the token format open. At first glance they also
made the protocol very browser centric.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
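The message sketches a token shape (user, roles, permissions) but leaves open how a resource server would trust such a token once it arrives. The example below is added by the editor and is not code from the thread, from the JAX-RS project, or from any OAuth2 specification: it serializes claims in the shape sketched above, and, as an assumption beyond what the message proposes, attaches an HMAC-SHA256 tag so that a resource server can detect a modified token before it performs a role check. The key, the token layout (base64url payload "." base64url tag) and the sample claims are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample claims, mirroring the shape sketched in the message.
EXAMPLE_CLAIMS = {"user": "bill", "roles": ["admin"], "permissions": "blah"}

# Constructed demo key; a real deployment would provision this out of band.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for compact token strings."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding base64 requires."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Serialize the claims as canonical JSON and append an HMAC tag.

    Canonical serialization (sorted keys, no whitespace) means the same
    claims always produce the same bytes, so the tag is reproducible.
    """
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(tag)


def verify_token(token: str, key: bytes):
    """Return the claims if the tag is valid and the shape is sane, else None.

    The tag is checked before the JSON is parsed, so an attacker-controlled
    payload is never interpreted unless it was produced under the key.
    """
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        tag = _b64url_decode(tag_b64)
    except ValueError:  # wrong number of segments or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        return None
    # Minimal shape check for the fields the sketched format relies on.
    if not isinstance(claims, dict):
        return None
    if not isinstance(claims.get("user"), str):
        return None
    if not isinstance(claims.get("roles"), list):
        return None
    return claims


def has_role(token: str, key: bytes, role: str) -> bool:
    """Resource-server side: authorize only on claims that verified."""
    claims = verify_token(token, key)
    return claims is not None and role in claims["roles"]


if __name__ == "__main__":
    token = issue_token(EXAMPLE_CLAIMS, DEMO_KEY)
    print("token:", token)
    print("admin?", has_role(token, DEMO_KEY, "admin"))
    # Swap in a payload that grants an extra role but keep the old tag.
    forged_payload = _b64url(
        json.dumps({"user": "bill", "roles": ["admin", "root"]}).encode()
    )
    forged = forged_payload + "." + token.split(".")[1]
    print("forged root?", has_role(forged, DEMO_KEY, "root"))
```

The role check in has_role only ever sees claims that came back from verify_token, which is the property the bare JSON sketch lacks: without a tag, the resource server has no way to tell a token the authorization server issued from one a client typed in by hand.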