Hi Lucasz

2010/8/13 Łukasz Moreń <[email protected]>

> Hi Sergey,
>
> I've added some improvements to demo and protocol implementation.
> I hope this time build will be fine.
>

I've had no problems building this time. Thanks for sorting the build issues out. The only minor hitch is that I had to add <relativePath>../../pom.xml</relativePath> to both oauth client & server demo modules in order to build them. Not sure if I could've built them by running 'mvn install' from samples directly (in distribution/target/.../samples) given that we also have to use -Pspring3. Not a big issue - please recheck just in case...

So I've started server and client web apps and run the demo easily. So it's all nearly there, and IMHO the project is in good shape, as far as GSOC is concerned. Hopefully you can continue on preparing it for the move to the trunk :-)

Here are some comments on the existing demo - see if you could do anything till the 16th, if not then it can be dealt with later on.

The client registration form requires a user to register a callback URI. But I understand that a callback URI is only provided by a client when requesting a temp/request token? That said, requiring what I'd call a 'connect' or "reply-to" URI registered during the (secure) client registration process may help with enforcing that the actual callback URI provided by the client *matches* the one provided at the registration, using a startsWith function. I've seen it in the Facebook docs and I also did something similar in my own project - is this the idea? If yes - then please check it's a startsWith check that is used - but also consider making providing a callback URI optional at the client registration time.

The other thing is that a client key is also generated. This is probably correct but I'm wondering would it make sense to let the consumer register its own key but the authorization server to only generate the shared secret. Consumer might also want to optionally provide its description such as "OAuth 1.0 client" as in the demo, etc. This might make it a bit simpler for a client (i.e., it will only have to manage a shared secret).

In a client webapp a PLAINTEXT option is offered - is it an OAuth 2.0 like thing where HTTPS is assumed? I'd just consider removing this option and have only hmac-sha1 left.

This is probably it so far. I'm not very excited about JSPs being used in the demo :-) but I guess it is not too bad and shows something that many people would consider doing in practice.

Overall it is a really good effort toward helping CXF users to start/experiment with OAuth.

Thanks
Sergey

> Cheers,
> Lukasz
>
> 2010/8/13 Sergey Beryozkin <[email protected]>
>
> > Hi Łukasz
> >
> > I can see the merges flowing :-), I'll be reviewing your work tonight;
> >
> > to the list: we've exchanged a few private emails to do with build issues I was encountering and Łukasz addressed them fast; we also agreed that for the initial phase making a demo easy to understand and build upon was the main goal...
> >
> > cheers, Sergey
> >
> > 2010/8/5 Sergey Beryozkin <[email protected]>
> >
> > > Hi Łukasz
> > >
> > > can you please fix checkstyle errors in the demo...
> > > Re the callback uri: I think one of the providers on the server is configured with the callback URI
> > >
> > > thanks, Sergey
> > >
> > > 2010/8/2 Łukasz Moreń <[email protected]>
> > >
> > > > > Please update the demo so that the consumer registers itself, plus supplies a callback itself with a request token request
> > > >
> > > > callback url is passed in this request, however this request is done in backend through URLConnection so it's not visible at UI.
> > > >
> > > > Cheers, Lukasz
> > > >
> > > > On 2 August 2010 at 13:36, Łukasz Moreń <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > > I've committed changes I've made:
> > > > > - added possibility to register new OAuth client applications at OAuth server
> > > > > - OAuth demos moved to distribution\src\main\samples\
> > > > > - added README to OAuth demos
> > > > > - fixes in pom.xml files
> > > > >
> > > > > > - fix the checkstyle errors and move the demo to the "distribution/src/main/release/samples/" area and also add Readme; after building the distribution (mvn install in trunk/distribution) you can easily verify the demo can be run by locating in the target.
> > > > >
> > > > > fixed that, and added readme
> > > > >
> > > > > > - add the oauth dependency in the parent pom so that the rs/oauth module can depend on it without specifying a version and have the demo client module depending on rt/rs/oauth module instead (similarly to the server one)
> > > > >
> > > > > done, however demo client doesn't need to depend on rt/rs/oauth as it doesn't use cxf functionality, just on oauth libraries
> > > > >
> > > > > > - during the main build please use the Spring version CXF depends upon and use its -Pspring3 profile to build for the deployment into GAE
> > > > >
> > > > > changed, both client and server demos need to be built with -Pspring3 for local jetty run and GAE as well. Otherwise I would need to use different spring config files for spring 2.5 and 3.0.x
> > > > >
> > > > > Cheers, Lukasz
> > > > >
> > > > > On 29 July 2010 at 21:15, Sergey Beryozkin <[email protected]> wrote:
> > > > >
> > > > > > Hi
> > > > > >
> > > > > > 2010/7/29 Łukasz Moreń <[email protected]>
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I'm still working on refactoring and changes in demo you suggested.
> > > > > > > I will likely update it tomorrow.
> > > > > > >
> > > > > > > > I'll likely ask for some modifications but perhaps if you could start with updating the demo such that a consumer initiates its own registration with the OAuth server.
> > > > > > >
> > > > > > > I'm going to put high effort on my GSoC project next weeks. I would really appreciate it if you would have some more modification requests/directions which project should go, as you have limited time next week and current changes will not take long.
> > > > > > >
> > > > > > > From what I'm seeing, I need to cover spec with code, simplify configuration and do more testing.
> > > > > > >
> > > > > >
> > > > > > I have to sign off now... Please update the demo so that the consumer registers itself, plus supplies a callback itself with a request token request, add README and it would let users start experimenting. IMHO the initial phase can be considered complete once there's a demo there which can show users what they need to do.
> > > > > >
> > > > > > We can then discuss things further
> > > > > >
> > > > > > cheers, Sergey
> > > > > >
> > > > > > > Cheers,
> > > > > > > Lukasz
> > > > > > >
> > > > > > > 2010/7/29 Daniel Kulp <[email protected]>
> > > > > > >
> > > > > > > > You probably just need to change your deps to:
> > > > > > > >
> > > > > > > > geronimo-servlet_3.0_spec
> > > > > > > >
> > > > > > > > Dan
> > > > > > > >
> > > > > > > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
> > > > > > > > > Hi Lucasz
> > > > > > > > >
> > > > > > > > > I can't build the oauth sandbox project, seeing
> > > > > > > > > [ERROR] FATAL ERROR
> > > > > > > > > [INFO] ------------------------------------------------------------------------
> > > > > > > > > [INFO] Error building POM (may not be this project's POM).
> > > > > > > > >
> > > > > > > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> > > > > > > > > POM Location: /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > > > > > > > > Validation Messages:
> > > > > > > > >
> > > > > > > > > [0] 'dependencies.dependency.version' is missing for org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> > > > > > > > >
> > > > > > > > > Reason: Failed to validate POM for project org.apache.cxf:cxf-rt-rs-oauth at /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > > > > > > > >
> > > > > > > > > so I can not review the latest merge, sorry. I could've tried to fix this issue but I'm not sure if you're finished with the refactoring just yet. I'll be travelling tomorrow and I'll have some very limited time during the evenings next week but I'll try to provide some feedback at least
> > > > > > > > >
> > > > > > > > > cheers, Sergey
> > > > > > > > >
> > > > > > > > > 2010/7/26 Sergey Beryozkin <[email protected]>
> > > > > > > > >
> > > > > > > > > > Hi Łukasz
> > > > > > > > > >
> > > > > > > > > > 2010/7/26 Łukasz Moreń <[email protected]>
> > > > > > > > > >
> > > > > > > > > > > Hi Sergey,
> > > > > > > > > > >
> > > > > > > > > > > I'm really sorry for such commit, I know it shouldn't happen. I turned off checkstyle as I couldn't configure it properly on intellij and it was annoying during development.
> > > > > > > > > > > I will apply proper changes ASAP.
> > > > > > > > > >
> > > > > > > > > > no worries at all, I've broken the real builds with checkstyle errors so many times and it is the CXF sandbox after all :-)
> > > > > > > > > >
> > > > > > > > > > > According to the demo, I built it as usual web-app, if it worked, use this same sources to deploy on GAE.
> > > > > > > > > > > However because of GAE restrictions it always needs minor changes before deploy, i.e. GAE can't read configuration files such as: cxf-extension-http.xml from jars, so I copied it to WEB-INF folder.
> > > > > > > > > > > Committed to svn version does not depend on GAE SDK and can be run locally with jetty:run.
> > > > > > > > > > >
> > > > > > > > > > > Yes, I warned about server configuration part :). I will take care to make it simpler.
> > > > > > > > > >
> > > > > > > > > > I do not think it is too complicated - the simplification can be done once the whole flow is sound...
> > > > > > > > > >
> > > > > > > > > > > So far, oauth consumer properties are hardcoded and injected into oauth provider, as I think it is not oauth library responsibility to deal with consumer registration.
> > > > > > > > > > > However for demo it would be good to have something like that. I would do registration form at the server as it is done by current big oauth implementations.
> > > > > > > > > >
> > > > > > > > > > I agree that conceptually the registration of consumers is a separate issue. But it is part of the solution that users will be eventually offering so just showing them that the consumers have to go and register themselves will help people with coming up with some custom registration forms, etc. The registration does not have to be done at the server hosting the resource, it is just important for the OAuth provider to be able to get to the consumer details. I'm fine with assuming at the moment that the registration handler is collocated with the endpoints/providers enforcing OAuth flow.
> > > > > > > > > >
> > > > > > > > > > But the callback uri which is being injected at the moment should go anyway given that it is part of the actual flow, specifically, the consumer provides it during the request token request
> > > > > > > > > >
> > > > > > > > > > > Recently I've noticed that Camel have done oauth client as well :):
> > > > > > > > > > > http://camel.apache.org/tutorial-oauth.html
> > > > > > > > > > >
> > > > > > > > > > > Thanks much for review, and hints.
> > > > > > > > > >
> > > > > > > > > > thanks for your effort :-)
> > > > > > > > > >
> > > > > > > > > > Sergey
> > > > > > > > > >
> > > > > > > > > > > Cheers,
> > > > > > > > > > > Lukasz
> > > > > > > > > > >
> > > > > > > > > > > 2010/7/24 Sergey Beryozkin <[email protected]>:
> > > > > > > > > > > > Hi Łukasz
> > > > > > > > > > > >
> > > > > > > > > > > > Sorry for a delay, I should've come back earlier to you.
> > > > > > > > > > > >
> > > > > > > > > > > > I've run the demo hosted at the app engine and I think from the education point of view it is a good demo and it is handy one does not even have to build anything in order to try it.
> > > > > > > > > > > >
> > > > > > > > > > > > I've had a problem building the rt/rs/oauth tests - there's a bunch of CheckStyle errors. Can you please build sandbox/oauth_1.0a from the trunk, just do 'mvn install -Pfastinstall' and then do 'mvn install' from rt/rs/?
> > > > > > > > > > > >
> > > > > > > > > > > > One other thing, please move the demo to "distribution/src/main/release/samples/" as well as add Readme to it.
> > > > > > > > > > > >
> > > > > > > > > > > > Also I can not build the demo too, the client build fails with the following dependency missing
> > > > > > > > > > > > 1) net.oauth.core:oauth-consumer:jar:20100527
> > > > > > > > > > > >
> > > > > > > > > > > > But I'm seeing an oauth repo in the rt/rs/oauth pom, have you built it in the GAE dev environment?
> > > > > > > > > > > >
> > > > > > > > > > > > Can you please spend a bit of time on cleaning the build a bit:
> > > > > > > > > > > > - fix the checkstyle errors and move the demo to the "distribution/src/main/release/samples/" area and also add Readme; after building the distribution (mvn install in trunk/distribution) you can easily verify the demo can be run by locating in the target.
> > > > > > > > > > > > - add the oauth dependency in the parent pom so that the rs/oauth module can depend on it without specifying a version and have the demo client module depending on rt/rs/oauth module instead (similarly to the server one)
> > > > > > > > > > > > - during the main build please use the Spring version CXF depends upon and use its -Pspring3 profile to build for the deployment into GAE
> > > > > > > > > > > >
> > > > > > > > > > > > As far as the demo is concerned, I looked at the server part and it looks complicated enough :-) but I think it makes sense to me. I'll likely ask for some modifications but perhaps if you could start with updating the demo such that a consumer initiates its own registration with the OAuth server:
> > > > > > > > > > > > I can see at the moment an oauth provider is injected with some sample consumer properties. I'm not sure what is the best way to do it: maybe the server can return a registration form or the client can just push the registration info itself.
> > > > > > > > > > > >
> > > > > > > > > > > > Overall I think it is good progress indeed especially given the complexity of the whole effort.
> > > > > > > > > > > >
> > > > > > > > > > > > thanks, Sergey
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <[email protected]> wrote:
> > > > > > > > > > > > > Hi all,
> > > > > > > > > > > > >
> > > > > > > > > > > > > I have managed to create two sample OAuth applications:
> > > > > > > > > > > > > ordinary OAuth 1.0a client: http://www.oauthclient.appspot.com
> > > > > > > > > > > > > and authorization server that uses CXF OAuth module: http://www.cxfoauthserver.appspot.com
> > > > > > > > > > > > >
> > > > > > > > > > > > > Both sample applications and changes in oauth library are committed in sandbox.
> > > > > > > > > > > > >
> > > > > > > > > > > > > OAuth configuration in sample authorization server app looks a bit awful but I think most of that can be hidden and done out of band. There are still some areas in specification not covered by implementation, so I would like to take care of that in next steps.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks in advance for some feedback.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > Lukasz
> > > > > > > >
> > > > > > > > --
> > > > > > > > Daniel Kulp
> > > > > > > > [email protected]
> > > > > > > > http://dankulp.com/blog
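The callback check Sergey describes in the top message (a 'connect' URI kept from the secure registration step, and the oauth_callback sent with the request-token request compared against it with startsWith), written out as an added example. This is not code from the CXF OAuth sandbox, the demo or anyone on this thread; the URIs are constructed and the function names are assumptions. The point the example adds is where the prefix rule is applied: scheme, host and port are compared exactly and startsWith is used only on the path, because a startsWith over the whole URI string also accepts any host that merely begins with the registered host. naive_prefix_check is kept only to show that difference.

```python
"""Checking a request-token callback against a registered 'connect' URI.

Added example written for this page; not code from the CXF OAuth sandbox or
the demo. Registered and requested URIs are constructed; function names are
assumptions.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_prefix_check(registered, requested):
    """The literal startsWith idea applied to the whole URI string (for contrast only)."""
    return requested.startswith(registered)


def _origin(parts):
    """(scheme, host, port) with the default port filled in, or None if unusable."""
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port in the authority
        return None
    return scheme, parts.hostname, port if port is not None else DEFAULT_PORTS[scheme]


def callback_allowed(registered, requested):
    """True if oauth_callback `requested` may be used by a client that registered `registered`.

    Scheme, host and port must be identical. startsWith is applied only to the
    path, and only at a segment boundary, so a registered "/cb" covers "/cb" and
    "/cb/x" but not "/cbx"; a registered path ending in "/" covers everything
    below it. Userinfo, fragments and dot segments are rejected outright.
    """
    reg, req = urlsplit(registered), urlsplit(requested)
    reg_origin, req_origin = _origin(reg), _origin(req)
    if reg_origin is None or req_origin is None or reg_origin != req_origin:
        return False
    if req.username or req.password or req.fragment:
        return False
    req_path = req.path or "/"
    if any(seg in (".", "..") for seg in req_path.split("/")):
        return False
    reg_path = reg.path or "/"
    if reg_path.endswith("/"):
        return req_path.startswith(reg_path)
    return req_path == reg_path or req_path.startswith(reg_path + "/")


if __name__ == "__main__":
    registered = "https://client.example/oauth/"  # constructed registration record
    for cb in ("https://client.example/oauth/callback?state=7",
               "http://client.example/oauth/callback",
               "https://client.example.elsewhere.invalid/oauth/"):
        print(cb, "->", "allowed" if callback_allowed(registered, cb) else "rejected")
```

The query string is deliberately left out of the comparison, since a client commonly appends its own state there; a registered host with no path (what a quick form tends to accept) covers every path on that host, which is why the registration form should encourage a path prefix.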
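Also as an added example (not from the thread or the CXF code), the difference behind Sergey's remark about the PLAINTEXT option: the two RFC 5849 signature methods carried out side by side. With HMAC-SHA1 the consumer and token secrets never leave the client and any change to a signed parameter (the oauth_callback included) invalidates the signature; with PLAINTEXT the "signature" is the signing key itself, so the request must travel over TLS or the secrets are exposed. The request values are constructed; the one real vector is the signature base string from RFC 5849 section 3.4.1.1, which the builder below reproduces. Function names are assumptions.

```python
"""OAuth 1.0a request signing: HMAC-SHA1 versus PLAINTEXT (RFC 5849).

Added example written for this page; not code from the CXF OAuth sandbox or
the demo. Request values are constructed except for the RFC 5849 3.4.1.1
base-string example used in the tests.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params, body=""):
    """Build the signature base string of RFC 5849 section 3.4.1.

    Parameters come from the request URI query, the oauth_* protocol parameters
    and a form-encoded body. oauth_signature and realm are never signed.
    """
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    if u.port and u.port != DEFAULT_PORTS.get(scheme):
        host += f":{u.port}"
    base_uri = f"{scheme}://{host}{u.path}"

    pairs = list(parse_qsl(u.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    pairs += parse_qsl(body, keep_blank_values=True)
    # encode first, then sort by encoded name and value, then join
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    """HMAC-SHA1: the secrets stay on the client; only a keyed digest travels."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = signature_base_string(method, url, oauth_params, body).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def sign_plaintext(consumer_secret, token_secret=""):
    """PLAINTEXT: the 'signature' is the signing key itself, sent as-is.

    Whoever can read the request learns both secrets, which is why RFC 5849 ties
    this method to a transport-layer protected channel.
    """
    return signing_key(consumer_secret, token_secret)


def verify_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    """Server side: recompute over the received parameters and compare in constant time."""
    expected = sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret, body)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


if __name__ == "__main__":
    # constructed request-token request
    url = "https://server.example/oauth/request_token"
    params = {"oauth_consumer_key": "demo-key", "oauth_nonce": "n1",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1281700000",
              "oauth_callback": "https://client.example/oauth/callback"}
    params["oauth_signature"] = sign_hmac_sha1("POST", url, params, "demo-secret")
    print("HMAC-SHA1 signature:", params["oauth_signature"])
    print("PLAINTEXT signature:", sign_plaintext("demo-secret"))
```

The server recomputes the signature from the parameters it actually received, so a callback altered in transit, or a replayed request with a different callback, fails verification; the base string is the place where implementations usually go wrong, hence the RFC vector in the test.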
