Thanks for the explanation, Adam. Do you see worth in implementing one system that has plugins for OAuth, OpenID, LDAP etc. over implementing each one individually, plus the benefit of a larger security community maintaining the core security system?
Sam

On 20 Apr 2012, at 12:08, Adam Heath wrote:

> On 04/19/2012 10:39 PM, Sam Hamilton wrote:
>> Hey Guys,
>>
>> We are soon going to need OAuth support to allow external users to log into the OFBiz Ecommerce site, which I believe is similar in design to OpenID. Just wondering if you considered using Apache Shiro http://shiro.apache.org/ to help manage the different authentication systems as plugins? If you are having to touch all those parts of the framework, is it worth thinking about changing the system to something that already does this stuff out of the box?
>
> OAuth is not the same as OpenID. The former lets Application A access the resources owned by User U. The latter allows Application A to verify the identity of User U. They don't really align.
>
> I've looked at OAuth; it has a *much* worse example API. So much worse that the 'library', if you could call it that, is barely more than a series of abstract interfaces. Client/server code ends up implementing *way* too much of the protocol itself.
>
> Additionally, both OAuth and OpenID are suffering from *massive* bit-rot. The specs are all several years old, software doesn't implement the latest versions, etc. I had to patch the OpenID plugin for WordPress to get it to actually work with OpenID 2.0, a spec released over 4 years ago.
>
> But I'm jaded.