I'm presuming the server code base is in java. (I've been lurking on here but haven't chatted much). But if you are going the OAuth route there are tons of existing libraries in a variety of languages that you can pull in.
http://oauth.net/code/ For Java specifically, https://code.google.com/p/oauth/ or https://code.google.com/p/oauth-signpost/ would work well. Spring also has a library, though Spring is usually overkill unless you have other features from Spring that you want/need.

On Tue, Jun 3, 2014 at 10:59 AM, Randy Heiland <[email protected]> wrote:

> Fwiw, here's the draft document I mentioned below:
> http://pages.iu.edu/~heiland/ctsc/BestPracticesforThriftClients_EvernoteUseCase.pdf
>
> I'd welcome any comments people might have.
>
> -Randy
>
> On Jun 3, 2014, at 9:05 AM, Marlon Pierce <[email protected]> wrote:
>
>> Hi Randy--
>>
>> Yes, I mean "Evernote" in the next to the last paragraph--Evernote does not have the same multitenanted use case.
>>
>> I'm looking forward to your document, but I'm also at a conference this week and want to have a few thoughts in mind for my presentation in case anyone is interested.
>>
>> Marlon
>>
>> On 6/3/14 11:00 AM, Randy Heiland wrote:
>>> Marlon,
>>>
>>> In your last paragraph, you mean "Evernote..." and not "Thrift also has..." - correct?
>>>
>>> I believe you're correct in your Thrift over HTTP for Evernote assumption, based on this:
>>> http://mail-archives.apache.org/mod_mbox/incubator-thrift-dev/201005.mbox/%[email protected]%3E
>>>
>>> I actually have a doc to share with your team shortly regarding Evernote/Thrift that we did as part of our (CTSC) engagement with you. And I have some follow-on questions that I'll contact you about offline.
>>>
>>> -Randy
>>>
>>> On Jun 3, 2014, at 2:33 AM, Marlon Pierce <[email protected]> wrote:
>>>
>>>> This email is intended to introduce some security discussion.
>>>>
>>>> One of the advantages of Thrift is the ability it will give us to integrate native-language SDKs with desktop clients. This requires, though, that we will need to think through our security model. In the usual browser-based use case, the user does not make direct calls to the API. These come instead from the gateway server, and we can establish a trust relationship (such as SSL mutual authentication).
>>>>
>>>> For the desktop client case, users make direct calls to the Airavata API server, so we have three actors: the desktop application, the API Server, and an auth service. The Auth service performs initial authentication of the user; it is a service that is gateway-dependent. Without going into too many details, OAuth is the usual protocol for doing this. Evernote, in their Thrift API, provides this as an option.
>>>>
>>>> Evernote (from what I can tell) uses Thrift over HTTP, or at least uses an HTTP proxy. If we stay with TCP/IP Thrift services in Airavata, does this mean we need to implement OAuth ourselves?
>>>>
>>>> Thrift also has a different use case in that they are not a multi-tenanted service: they own all the accounts that they authenticate. In contrast, a single Airavata server may support several unrelated gateways. Each gateway would manage its own user accounts.
>>>>
>>>> What are the best options for Airavata?
>>>>
>>>>
>>>> Marlon
>>>>
>>
>

--
Samir Faci
*insert title*
fortune | cowsay -f /usr/share/cows/tux.cow
Sent from my non-iphone laptop.
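As an added illustration that is not code from this thread, from Airavata, from Evernote or from Thrift, here is a Python sketch of the three actors Marlon describes for the TCP-Thrift case: each gateway runs its own auth service that owns its accounts and issues opaque bearer tokens, and the multi-tenant API server validates the token carried in every call only against the auth service of the gateway named in that call, so a token issued by one gateway is rejected at another. Class and method names, the token format and the in-memory stores are all my own assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sketch of the thread's three actors; not Airavata, Evernote or
# Thrift code. A raw TCP Thrift service has no HTTP Authorization header, so
# the gateway id and bearer token travel as explicit arguments of every RPC.

class GatewayAuthService:
    """One per gateway: owns that gateway's accounts and issues bearer tokens."""
    def __init__(self, gateway_id, users, ttl=3600):
        self.gateway_id = gateway_id
        # username -> sha256(password); demo only, use a real password hash in practice
        self._users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
        self._tokens = {}  # opaque token -> (username, expiry timestamp)
        self.ttl = ttl

    def login(self, username, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, digest):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._tokens[token] = (username, time.time() + self.ttl)
        return token

    def validate(self, token):
        entry = self._tokens.get(token)
        if entry is None or entry[1] < time.time():
            return None  # unknown or expired
        return entry[0]

class ApiServer:
    """Multi-tenant API server: trusts exactly one auth service per gateway."""
    def __init__(self):
        self._auth = {}

    def register_gateway(self, auth):
        self._auth[auth.gateway_id] = auth

    def call(self, gateway_id, token, method, *args):
        auth = self._auth.get(gateway_id)
        if auth is None:
            raise PermissionError("unknown gateway %r" % gateway_id)
        user = auth.validate(token)  # a gateway-a token means nothing to gateway-b
        if user is None:
            raise PermissionError("invalid or expired token")
        return {"method": method, "user": user, "gateway": gateway_id, "args": args}
```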
