> Kristoffer Gronowski [mailto:[email protected]] wrote:
>
> Hi John!
>
> I think it would be good to understand your use case better.
> This API is between the Resource server and Authorization server.
> I have been talking to the OAuth WG but they believe it is not that important
> to have this interface standardized yet. So this is our own version since
> there is no standard one.
>
> I am not sure that it is this that you do want to do.
> What kind of flow are you trying to do and I can guide you.

Hi, Kristoffer. Thanks for your response!

OK, Background: We are implementing the Web Server flow right now. I have an existing Restlet-based resource server that I am adding OAuth to. Our Authorization server is being written by a different group, and they are using Spring Security's OAuth2 extension.

When my resource server sends a token validation request to the authorization server, the validation request is in a format that the authorization server does not understand. OAuthAuthorizer.createValidationRequest() is encoding the OAuth scopes as a JSON array of strings. When the Spring library receives the validation request, it attempts to deserialize the request. The code to deserialize the JSON object is expecting a space-delimited string instead of an array of strings.

My options:

1) I could override the behavior in the Restlet library. Because of the way OAuthAuthorizer is implemented, overriding createValidationRequest() is challenging. I would probably just have to duplicate the whole class.

2) I could override the deserialization code in the Spring OAuth library. This looks like it would be simpler. However, based on the draft OAuth2 standard that I have access to, it looks like the Spring folks are the ones who are handling this correctly.

My question for you: It appears to me that the Restlet OAuth extension is not implementing the draft standard correctly. I'd like to understand why I'm mistaken? If I am mistaken, I'd still like to see OAuthAuthorizer.createValidationRequest() made easier to override. Perhaps it can be changed to protected access, rather than private?

Thanks for your help!

--------------------------
John Wismar
Alldata Technology
916-478-3296

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2869456
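
The scope mismatch described in the message above, as an added example that is not part of the original thread and not code from Restlet or Spring Security: a normalizer that accepts either encoding, validates each token against the scope-token grammar of RFC 6749 section 3.3, and re-encodes the field for the receiving side. The field names `token` and `scope` and the sample bodies are assumptions, since the thread does not show the actual validation request.

```python
import json
import re

# scope-token charset from RFC 6749 section 3.3: printable ASCII except
# space, double quote and backslash.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def normalize_scope(raw):
    """Accept a JSON array of strings or a space-delimited string and
    return the scope tokens as a de-duplicated list, order preserved."""
    if raw is None:
        return []
    if isinstance(raw, str):
        tokens = [t for t in raw.split(" ") if t]
    elif isinstance(raw, list):
        tokens = raw
    else:
        raise ValueError("scope must be a string or an array of strings")
    for t in tokens:
        # An array element such as "read write" would silently turn into
        # two scopes once joined with spaces, so it is rejected here.
        if not isinstance(t, str) or not SCOPE_TOKEN.fullmatch(t):
            raise ValueError("invalid scope token: %r" % (t,))
    return list(dict.fromkeys(tokens))


def rewrite_scope(body, key="scope", as_array=False):
    """Re-encode the scope field of a JSON request body in the form the
    receiving side expects. `key` is an assumed field name."""
    msg = json.loads(body)
    tokens = normalize_scope(msg.get(key))
    msg[key] = tokens if as_array else " ".join(tokens)
    return json.dumps(msg)


# Constructed sample bodies; field names and values are illustrative only.
ARRAY_BODY = '{"token": "example-token", "scope": ["read", "write"]}'
STRING_BODY = '{"token": "example-token", "scope": "read write"}'

if __name__ == "__main__":
    print(rewrite_scope(ARRAY_BODY))                  # array -> string
    print(rewrite_scope(STRING_BODY, as_array=True))  # string -> array
```

Rejecting tokens outside the grammar matters on whichever side does the conversion, because the two encodings only carry the same set of scopes when no token contains a space.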

