Hey Sergey,
Sounds awesome, the time to deprecate OAuth1 will certainly come :-)
Thanks a lot!
Best Regards,
Andriy Redko
SB> Hi Andriy
SB> Thanks, interesting to hear you are seeing quite a bit of life is left
SB> in OAuth1 (it was indeed a real innovation at the time).
SB> I did have some doubts about whether to include this module or not.
SB> Some modules (e.g., CORBA related) are indeed much older, but they are
SB> actually used these days so obviously I could not even offer for them to be
SB> dropped.
SB> I haven't heard anything about OAuth1 recently from CXF users but
SB> maybe it is a sign that what already works is just working.
SB> At the end of the day, it is a first try for us to clean up CXF a bit.
SB> I'm happy enough to keep this module given your concern. I'll add it to
SB> the list when we start a similar discussion in CXF 4.0 (whenever it
SB> comes :-))
SB> Sergey
SB> On 03/09/16 00:23, Andriy Redko wrote:
>> Hey Sergey,
>> You are very right, OAuth2 is certainly a step forward; unfortunately
>> these days OAuth1 is still used (have day by day examples of that). Great
>> talk, as always, thanks a lot for the slides, looking into them!
>> Thanks!
>> Best Regards,
>> Andriy Redko
>> SB> Hi Andriy
>> SB> Just something I'd like to clarify re CXF OAuth1 module. I was a mentor
>> SB> for the original GSOC project and spent quite a bit of time with it
>> SB> afterwards too.
>> SB> After spending even more time with OAuth2 I see OAuth2
>> SB> being actually simpler for a classical case originally covered by OAuth1
>> SB> - one less roundtrip. It is more secure and this work is ongoing. OAuth2
>> SB> got a lot of bad press after an exit of the OAuth1 author but a lot of
>> SB> that was originating from the users who either did not quite understand
>> SB> OAuth2 or were looking at the buggy implementations of Implicit Flow, etc.
>> SB> These days OAuth2 is huge. But if you drill down into it and try to
>> SB> address a classical case it is simpler. And OAuth2 (with OIDC) will let
>> SB> one scale to covering much more sophisticated cases. I'm definitely
>> SB> not planning to put more effort into CXF OAuth1 - and new users should
>> SB> be discouraged from trying it because they will not go far with it.
>> SB> I did this talk a few years back:
>> SB> http://events.linuxfoundation.org/sites/events/files/slides/ApacheEuCxfOauthHawk.pdf
>> SB> But as far as this module is concerned it has got a fair bit of
>> SB> attention a couple of years back. The last change I did there was 2
>> SB> years back. But I can accept someone is still using CXF OAuth1 client
>> SB> code against some OAuth1 server and more likely - protects CXF Server
>> SB> with CXF OAuth1 filter against some 3rd party OAuth1 client.
>> SB> Cheers, Sergey
>> SB> On 02/09/16 17:31, Sergey Beryozkin wrote:
>>>> Hi Andriy
>>>> Yeah, I just wanted to show I'm ready to depart with some of RS modules
>>>> too :-). You are right though, likely some existing integrations are
>>>> still around.
>>>> Sergey
>>>> On 02/09/16 17:27, Andrey Redko wrote:
>>>>> Hey Sergey,
>>>>> Great undertaking I think! From my side, I would put -1 to oauth module.
>>>>> You are right, technically it is an old spec but it is still
>>>>> used widely (mostly because it is much simpler to integrate compared to
>>>>> OAuth2, for example).
>>>>> Thanks.
>>>>> Best Regards,
>>>>> Andriy Redko
>>>>> On Fri, Sep 2, 2016 at 12:07 PM, Sergey Beryozkin <[email protected]>
>>>>> wrote:
>>>>>> Hi
>>>>>> CXF module base continues to grow - a lot of modules are available, with
>>>>>> some of these modules being obsolete and never used.
>>>>>> I'd like to propose to drop some of these modules in 3.2.0-SNAPSHOT to
>>>>>> make the builds faster, the workspaces smaller and new users less
>>>>>> overwhelmed :-). Once we agree on the final list I can remove them but as
>>>>>> soon as we have at least a single user requesting the module back we'll put
>>>>>> it back in 3.2.1. But in the meantime we should give this clean-up a try :-).
>>>>>> The proposed list is below. Dan, others, please add -1 under any item you
>>>>>> feel is worth keeping (but note we will put any removed module back in
>>>>>> 3.2.1 or later whenever it is needed again):
>>>>>> 1. rt/management-web
>>>>>> I was the one who added it, it was based on a GSOC project and I do think
>>>>>> it is a unique project (users can see logging events in Atom readers), Aki
>>>>>> did some good work around it a couple of years back, but I haven't seen any
>>>>>> user actually asking questions or trying to use it.
>>>>>> Thus it should go. I'll be the 1st one who will put it back if someone
>>>>>> will want to push it further.
>>>>>> 2. rt/rs/security/oauth-parent/oauth
>>>>>> This module supports OAuth1 and is also based on the GSOC project.
>>>>>> Removing it might be a bit sensitive as some users did use it a few years
>>>>>> back. But OAuth1 is technically deprecated and OAuth2 is now widely
>>>>>> deployed which is where we put a lot of effort into in CXF. I haven't heard
>>>>>> any queries about it for the last few years.
>>>>>> 3. maven-plugin/archetypes: Maven JAXWS and JAXRS prototypes. Can they be
>>>>>> really useful to anyone? Maybe we can drop them and put back if needed.
>>>>>> 4. integration/jca - I don't even remember what JCA means :-). I vaguely
>>>>>> recall it was some old container spec?
>>>>>> 5. rt/bindings/object
>>>>>> I think I recall Dan explaining a while back it is a more advanced version
>>>>>> of coloc but I don't think it has ever been used by CXF users?
>>>>>> 6. rt/databindings/jibx
>>>>>> I believe JIBX has not been maintained for many years now, if yes then
>>>>>> let's let it go
>>>>>> 7. systests/jibx
>>>>>> 8. rt/databindings/sdo
>>>>>> I know it was added on request from one of our previous employers,
>>>>>> which was a while back. Not sure if we need to keep it though
>>>>>> 9. rt/databindings/xmlbeans
>>>>>> Not sure if it is still needed. Looks like SOAP users do JAXB,
>>>>>> occasionally - Aegis
>>>>>> 10. services/wsn ?
>>>>>> 11. rt/ws/eventing ?
>>>>>> 12. rt/ws/mex ?
>>>>>> This is it for now. Please provide the feedback, we can keep this thread
>>>>>> open for a few weeks for sure
>>>>>> Thanks, Sergey