On 04/19/2012 10:39 PM, Sam Hamilton wrote:
> Hey Guys,
> We are soon going to need OAuth support to allow external users to
> log into OFBiz Ecommerce site, which I believe is similar in design
> to openid. Just wondering if you considered using Apache Shiro
> http://shiro.apache.org/ to help manage the different authentication
> systems as plugins? If you are having to touch all those parts of
> the framework is it worth thinking about changing the system to
> something that already does this stuff out the box?
OAuth is not the same as OpenID. The former lets Application A access
the resources owned by User U. The latter allows Application A to
verify the identity of User U. They don't really align.

I've looked at OAuth, it has a *much* worse example api. So much worse,
that the 'library', if you could call it that, is barely more than a
series of abstract interfaces. Client/server code ends up implementing
*way* too much of the protocol itself.

Additionally, both OAuth and OpenID are suffering from *massive*
bit-rot. The specs are all several years old, software doesn't
implement the latest versions, etc. I had to patch the openid plugin
for WordPress to get it to actually work with OpenID 2.0, a spec
released over 4 years ago.

But I'm jaded.