On Feb 9, 2010, at 3:34 PM, Marc Hadley wrote:
> On Feb 8, 2010, at 8:22 PM, Kevin Duffey wrote:
>>
>> I am looking to use OAuth for some public services I'd like to
>> offer eventually. I have read a bit about it, but wanted to see if
>> anyone on the list has successfully got it working, and if so would
>> mind providing a few pointers or code snippets on how you got it
>> working.
There are a couple of other people on the list using Jersey's OAuth
client/server filter support (and a bug was recently fixed in the
trunk). Perhaps developers using Jersey's OAuth modules can provide
some details?
>>
>> In particular I am looking at allowing a user to sign up on my site
>> as a consumer of my public APIs, request a token that they can then
>> use to authenticate any number of applications that they may write
>> that consume my APIs. I would like the use of this mechanism to
>> provide as much security as possible.
>>
>> I am also wondering if the two-legged or three-legged approach is
>> best with regards to REST services. If I understand correctly the
>> two-legged approach is best for making service calls, while the
>> three legged approach would be for something like a user allowing
>> another user to access some resource(s) of their's.. basically
>> giving them permission to access the services. I am still reading/
>> learning about OAuth tho, so I apologize if this is incorrect.
>>
> IIUC, the legged-ness is essentially the same as the number of
> parties in the process. Three legged OAuth allows a user (1st party)
> of a service (2nd party) to delegate access to the data held by that
> service to another 3rd party (often another service the user wants
> to link in). Two legged OAuth is essentially the same security
> mechanisms applied to a simpler 1-1 interaction.
>
>> Lastly regarding using OAuth, can I provide my own user database,
>> and from that use OAuth to retrieve tokens/secrets from the
>> incoming request, look them up myself, validate it, and so forth?
>> Or is it essential to have something like OpenSSO to validate
>> incoming OAuth requests? I know I can use Basic Auth right now with
>> my own tables and that works just fine. I am curious tho if Basic
>> Auth with say MD5 hash + SSL is "as good" or similar to using
>> OAuth... I've gotten the impression that OAuth is fast becoming the
>> industry standard way of handling secure authentication and/or
>> sharing resources tho, so hence why I am looking into it now.
>>
>> Thank you. Appreciate any pointers/help/examples of using it.
>>
> You don't *need* OpenSSO, I imagine it will just mean less coding
> for you if you use it.
Right, Jersey has support the client construction of the
Authentication header and server-side processing/verification of. It
does not supply an OAuth service (although a simple service might well
be something useful if anyone wants to contribute such a service).
Paul.
> I'm not sure exactly what you mean by Basic Auth with MD5 + SSL but
> generally I'd suggest sticking with any widely used approach - you
> clients will thank you if they don't have to roll another custom
> authn module.
>
> Marc.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_jersey.dev.java.net
> For additional commands, e-mail: users-help_at_jersey.dev.java.net
>