[ https://issues.apache.org/jira/browse/SHINDIG-897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12671248#action_12671248 ]
Cassie Doll commented on SHINDIG-897:
-------------------------------------
Overall, I think this patch is a step in the right direction, but there are
still some things we should fix here:

1. The xoauth_requestor_id is not a required field for 3-legged OAuth. For
3-legged OAuth, tokens are user specific just because that is how OAuth works.
So, when the token is validated by a backing store, that store should be able
to tell you who the third party app is, who the user who owns the token is, and
what access the token has.

2. Anything in the Sample* directory is meant to be a sample only. We recommend
that that code is not really desired for reuse etc. etc. You have put some
generic OAuth validation code into SampleContainerOAuthLookupService. I think
that code should be pushed up to the AuthHandler (or something else not in the
sample dir) because all containers can use it equally well.

3. It might be cleaner to put 3-legged support and 2-legged support into 2
different OAuth handlers. (And to later add another auth handler for
unregistered 3-legged OAuth support.) This way containers can pick and choose
what they want.

4. I think it would be helpful for the sample container to actually issue
3-legged OAuth tokens and store them in the jsondb. That way Shindig could
right off the bat go through an entirely real flow for OAuth.

I'm going to try and build off of your patch for some of this and will post
some new code to this issue soon.

> Add 3-legged OAuth validation support for RESTful api
> -----------------------------------------------------
>
> Key: SHINDIG-897
> URL: https://issues.apache.org/jira/browse/SHINDIG-897
> Project: Shindig
> Issue Type: Improvement
> Components: RESTful API (Java)
> Reporter: Jacky Wang
> Priority: Minor
> Attachments: add-3-legged-oauth.patch,
> supports-3-legged-oauth-validation.patch
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> RESTful API now supports 2-legged OAuth, and we'd like to see it support
> validation for requests issued by a 3-legged OAuth client.
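
An added illustration of points 1 and 3 of the comment above (not code from the patch or from Shindig): separate 2-legged and 3-legged handlers, where the 3-legged one takes the app, user and access from the token store and ignores xoauth_requestor_id. All class, record and method names are hypothetical, the token store is an in-memory map with constructed data, the OAuth signature is assumed to be verified beforehand, and Java 16+ is assumed for records.

```java
import java.util.*;

// All names are hypothetical, not Shindig's API. Assumes the OAuth signature
// was already verified before these handlers run.
public class OAuthHandlersExample {
  // What the backing store recorded when it issued a 3-legged access token.
  record TokenEntry(String consumerKey, String userId, Set<String> access) {}
  // The identity the REST layer acts on once a request is accepted.
  record Identity(String appId, String viewerId, Set<String> access) {}
  interface Handler { Optional<Identity> authenticate(Map<String, String> p); }

  // 3-legged: the user comes from the token, never from a request parameter.
  static class ThreeLegged implements Handler {
    private final Map<String, TokenEntry> store;
    ThreeLegged(Map<String, TokenEntry> store) { this.store = store; }
    public Optional<Identity> authenticate(Map<String, String> p) {
      String token = p.get("oauth_token");
      if (token == null || token.isEmpty()) return Optional.empty(); // not ours
      TokenEntry e = store.get(token);
      // Reject unknown tokens and tokens presented by a different consumer.
      if (e == null || !e.consumerKey().equals(p.get("oauth_consumer_key")))
        throw new SecurityException("unknown or mismatched token");
      return Optional.of(new Identity(e.consumerKey(), e.userId(), e.access()));
    }
  }

  // 2-legged: no token, so the consumer must name the user it acts for.
  static class TwoLegged implements Handler {
    public Optional<Identity> authenticate(Map<String, String> p) {
      String token = p.get("oauth_token"), key = p.get("oauth_consumer_key");
      if (key == null || (token != null && !token.isEmpty())) return Optional.empty();
      String user = p.get("xoauth_requestor_id");
      if (user == null) throw new SecurityException("xoauth_requestor_id required");
      return Optional.of(new Identity(key, user, Set.of())); // no token-scoped access
    }
  }

  public static void main(String[] args) {
    Handler threeLegged = new ThreeLegged(Map.of("tok-1", // constructed sample data
        new TokenEntry("app-a", "john.doe", Set.of("people.read"))));
    // xoauth_requestor_id is sent here but ignored: the token decides the user.
    System.out.println(threeLegged.authenticate(Map.of("oauth_consumer_key", "app-a",
        "oauth_token", "tok-1", "xoauth_requestor_id", "someone.else")));
    System.out.println(new TwoLegged().authenticate(
        Map.of("oauth_consumer_key", "app-a", "xoauth_requestor_id", "jane.doe")));
  }
}
```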