On 28/04/2015 15:33, Sergey Beryozkin wrote:
> Hi All,
>
> Awhile back JB created a Syncope issue for Syncope to support OAuth2. I'd like to continue the discussion about it and understand better what it can mean for Syncope to become OAuth2-aware.

Hi Sergey,
FYI, we're talking about SYNCOPE-534: I've added this thread there as reference.

> So Syncope is a generic user identity management system. It offers a front-end to DB systems where the user information is stored and allows a controlled access to this data.

Syncope is a provisioning engine, whose main responsibility is to keep synchronized data across several identity repositories, relying on different technologies: relational databases, LDAP, CSV, SOAP / REST services, ...

> OAuth2 is primarily about a resource owner allowing a controlled access to a 3rd party client (web server, mobile, etc) to this owner's account/data. OAuth2 can be big enough but ultimately it is AuthorizationServer (for supporting redirection based flows) + AccessTokenServer (for issuing tokens in exchange for grants) + some generic/core token validation.

> OAuth2 server requires storing the info about human users that have logged into OAuth2 Server and authorized 3rd party clients. 3rd party clients need to be registered so these registrations need to be kept too. Transient code grants as well as access tokens and/or refresh tokens need to be linked to the 3rd party registrations, human user logins, and also kept in DB. OAuth2 server that provides AuthorizationServer will most likely need SSO supported.

> I can think of several ways Syncope might support OAuth2.
>
> One is where Syncope provides authorized access to some of its functionality. It is not clear how it would work because AFAIK Syncope has no notion of user-specific Syncope accounts for managing user identities specific to those accounts only.
>
> Another option is where Syncope becomes a generic OAuth2 server, orthogonally/in addition to its current functionality. Its current functionality (user identity management) can be a part of OAuth2 server itself. One option here is to use generic CXF code to support it.
>
> I'm not sure what would be the best option for Syncope (as far as its roadmap is concerned), and if Syncope should keep doing the identity management only.

As said above, Syncope is at the moment a provisioning engine, but its roadmap [1] contains - for the late future, however, e.g. from 3.0.0 onwards - various authentication and access management features.

Within this respect, embedding some OAuth2 features - e.g. the second option above - looks like a nice addition.

FYI I had some experience in building an OAuth2 server via CXF for Olingo [2], and I've always thought that such an approach could have been used - with needed context modifications - with Syncope. WDYT?

Regards.

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Roadmap
[2] https://github.com/apache/olingo-odata4/blob/master/fit/src/main/java/org/apache/olingo/fit/rest/OAuth2Provider.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
