Hi All,
A while back JB created a Syncope issue for Syncope to support OAuth2.
I'd like to continue the discussion about it and understand better what
it can mean for Syncope to become OAuth2-aware.
So Syncope is a generic user identity management system. It offers a
front-end to DB systems where the user information is stored and allows
a controlled access to this data.
OAuth2 is primarily about a resource owner allowing a controlled access
to a 3rd party client (web server, mobile, etc) to this owner's
account/data. OAuth2 can be big enough but ultimately it is
AuthorizationServer (for supporting redirection based flows) +
AccessTokenServer (for issuing tokens in exchange for grants) + some
generic/core token validation.
An OAuth2 server requires storing the info about human users that have
logged in to the OAuth2 Server and authorized 3rd party clients. 3rd
party clients need to be registered so these registrations need to be
kept too. Transient code grants as well as access tokens and/or refresh
tokens need to be linked to the 3rd party registrations, human user
logins, and also kept in DB. An OAuth2 server that provides an
AuthorizationServer will most likely need SSO support.
I can think of several ways Syncope might support OAuth2.
One is where Syncope provides an authorized access to some of its
functionality. It is not clear how it would work because AFAIK Syncope
has no notion of user-specific Syncope accounts for managing user
identities specific to those accounts only.
Another option is where Syncope becomes a generic OAuth2 server,
orthogonally/in addition to its current functionality. Its current
functionality (user identity management) can be a part of OAuth2 server
itself. One option here is to use generic CXF code to support it.
I'm not sure what would be the best option for Syncope (as far as its road
map is concerned), and if Syncope should keep doing the identity
management only.
Comments are welcome.
Thanks, Sergey
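The pieces the message above lists (AuthorizationServer, AccessTokenServer, core token validation) and the records they have to keep (client registrations, user logins, transient codes, access/refresh tokens linked to both) are easier to see in code. The following is an added example for this thread, not Syncope or CXF code and not part of the original mail; it is written in Python rather than Java purely for brevity, and every name in it (Client, Grant, AuthServer, demo) is hypothetical. It shows why codes must be single-use and bound to the client and redirect URI, why refresh tokens are rotated, and how validation of an access token checks expiry and revocation.

```python
# Added example, not Syncope or CXF code: an in-memory model of what an OAuth2
# server persists (client registrations, logged-in users, transient codes, access
# and refresh tokens) and the checks tying them together. All names are
# hypothetical; the clock is injectable so expiry can be exercised offline.
import secrets
from dataclasses import dataclass

@dataclass
class Client:                      # a registered 3rd-party client
    client_id: str
    client_secret: str
    redirect_uris: frozenset

@dataclass
class Grant:                       # code, access token or refresh token
    client_id: str                 # linked to a client registration ...
    user: str                      # ... and to the resource owner who approved it
    scope: str
    expires_at: float
    redirect_uri: str = ""         # only meaningful for authorization codes
    consumed: bool = False         # code used once / refresh token rotated / revoked

class AuthServer:
    CODE_TTL, ACCESS_TTL, REFRESH_TTL = 60, 3600, 30 * 24 * 3600

    def __init__(self, now):       # now() returns the current time in seconds
        self.now = now
        self.clients, self.codes = {}, {}
        self.access_tokens, self.refresh_tokens = {}, {}

    def register_client(self, client_id, redirect_uris):
        c = Client(client_id, secrets.token_urlsafe(32), frozenset(redirect_uris))
        self.clients[client_id] = c
        return c

    # AuthorizationServer: called after the resource owner logged in (SSO) and
    # approved the client; the code travels back through the redirect URI.
    def authorize(self, client_id, redirect_uri, user, scope):
        c = self.clients.get(client_id)
        if c is None or redirect_uri not in c.redirect_uris:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = Grant(client_id, user, scope,
                                 self.now() + self.CODE_TTL, redirect_uri)
        return code

    def _consume(self, store, key, client_id, client_secret, redirect_uri=""):
        c = self.clients.get(client_id)
        if c is None or not secrets.compare_digest(c.client_secret, client_secret):
            raise PermissionError("invalid_client")
        g = store.get(key)
        if (g is None or g.consumed or g.client_id != client_id
                or g.redirect_uri != redirect_uri or g.expires_at <= self.now()):
            raise PermissionError("invalid_grant")
        g.consumed = True          # single use: a replayed code or old refresh token fails
        return g

    # AccessTokenServer: exchange a code for an access + refresh token pair.
    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        g = self._consume(self.codes, code, client_id, client_secret, redirect_uri)
        return self._issue(client_id, g.user, g.scope)

    # Refresh tokens rotate: the presented one is retired when a new pair is issued.
    def refresh(self, client_id, client_secret, refresh_value):
        g = self._consume(self.refresh_tokens, refresh_value, client_id, client_secret)
        return self._issue(client_id, g.user, g.scope)

    def _issue(self, client_id, user, scope):
        now, a, r = self.now(), secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[a] = Grant(client_id, user, scope, now + self.ACCESS_TTL)
        self.refresh_tokens[r] = Grant(client_id, user, scope, now + self.REFRESH_TTL)
        return {"access_token": a, "refresh_token": r, "expires_in": self.ACCESS_TTL, "scope": scope}

    # Core token validation, as a protected resource would call it.
    def validate(self, access_value):
        t = self.access_tokens.get(access_value)
        if t is None or t.consumed or t.expires_at <= self.now():
            return None
        return {"user": t.user, "client_id": t.client_id, "scope": t.scope}

def rejected(fn):
    try:
        fn()
        return False
    except PermissionError:
        return True

def demo():
    """One code grant flow under a fixed clock; returns a dict of outcomes."""
    clock = [1000.0]
    srv = AuthServer(now=lambda: clock[0])
    c = srv.register_client("webapp", ["https://app.example/cb"])
    code = srv.authorize("webapp", "https://app.example/cb", "alice", "profile")
    tok = srv.exchange_code("webapp", c.client_secret, code, "https://app.example/cb")
    out = {"claims": srv.validate(tok["access_token"])}
    out["code_replay_rejected"] = rejected(
        lambda: srv.exchange_code("webapp", c.client_secret, code, "https://app.example/cb"))
    tok2 = srv.refresh("webapp", c.client_secret, tok["refresh_token"])
    out["old_refresh_rejected"] = rejected(
        lambda: srv.refresh("webapp", c.client_secret, tok["refresh_token"]))
    out["refreshed_claims"] = srv.validate(tok2["access_token"])
    clock[0] += AuthServer.ACCESS_TTL + 1     # advance past access token expiry
    out["expired_claims"] = srv.validate(tok2["access_token"])
    return out
```

Every grant row carries both the client_id of the registration and the user who approved it, which is exactly the linkage the mail describes; a real deployment would keep these in the DB with the token values hashed, and the SSO session that precedes authorize() is left out here.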