Jérôme, thanks very much for the reply.

I agree that OAuth is for authorization. It's like the old song, "If you can't be with the one you love, love the one you're with". So, for easy login that people will use, this seems to be the only game in town at the moment. From what I've seen, OAuth 2 /is/ being sold as an identity/authentication solution.

I'm not quite sure what you're saying about accessing data about the user. I've chosen to only access the email, but could access other data. The issue here for me is that each provider returns data in a different format. So, a useful function of a library would be to provide a uniform API to the data returned (as far as possible). Is this something you do?

Given that I'm interested only in identity, I ask: "What should the best practices be, and what's the simplest way to implement them?"

It would be helpful to have a library available that lets me hook into Shiro for OAuth. My sample could lead to that with: (a) some interface classes to Shiro and (b) a login servlet and logout filter. I'd be much happier using someone else's code, though! I'd be happy to use yours if the implementation effort is less.

The other issue, which I'm still unclear about, is how secure OAuth is in practice compared to username/password. It looks pretty insecure to me, but I'm not at all well informed in this area.

Tim

--
View this message in context: http://shiro-user.582556.n2.nabble.com/OAuth-demo-tp7577850p7577853.html
Sent from the Shiro User mailing list archive at Nabble.com.
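As an added illustration of the "uniform API to the data returned" idea raised in the post above (example code, not from the thread, from Shiro, or from any OAuth library), the following Python sketch maps two hypothetical provider user-info responses onto one profile type. The provider names, field layouts and sample responses are all constructed for the example. The defender-side points it builds in are the ones that matter when OAuth is used for login: the account is keyed on the provider's stable subject id together with the issuer (never on the email address, which can change or be reused), and an email is only accepted when the provider says it has verified it.

```python
"""Normalize user-identity data from different OAuth providers into one profile.

Constructed example: "provider_a" and "provider_b" and their response shapes
are hypothetical stand-ins for the per-provider JSON formats that differ in
practice. Nothing here is a real provider's API.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional


@dataclass(frozen=True)
class Identity:
    issuer: str              # which provider vouched for this user
    subject: str             # provider-assigned stable id for the user
    email: str               # verified email only (see adapters below)
    display_name: Optional[str]


class UnverifiedEmail(ValueError):
    """Raised when the provider did not mark the email as verified."""


class UnknownIssuer(ValueError):
    """Raised when no adapter exists for the issuer name."""


def _from_provider_a(data: Dict[str, Any]) -> Identity:
    # Hypothetical flat layout: id / email / verified_email / name
    if not data.get("verified_email", False):
        raise UnverifiedEmail(data.get("email", "<missing>"))
    return Identity(
        issuer="provider_a",
        subject=str(data["id"]),
        email=data["email"],
        display_name=data.get("name"),
    )


def _from_provider_b(data: Dict[str, Any]) -> Identity:
    # Hypothetical nested layout: sub / emails[] (value, primary, verified) / displayName
    primary = next((e for e in data.get("emails", []) if e.get("primary")), None)
    if primary is None or not primary.get("verified", False):
        raise UnverifiedEmail(primary["value"] if primary else "<missing>")
    return Identity(
        issuer="provider_b",
        subject=str(data["sub"]),
        email=primary["value"],
        display_name=data.get("displayName"),
    )


# One adapter per provider; adding a provider means adding one function here.
ADAPTERS: Dict[str, Callable[[Dict[str, Any]], Identity]] = {
    "provider_a": _from_provider_a,
    "provider_b": _from_provider_b,
}


def normalize(issuer: str, data: Dict[str, Any]) -> Identity:
    """Convert a raw provider user-info response into the uniform Identity."""
    try:
        adapter = ADAPTERS[issuer]
    except KeyError:
        raise UnknownIssuer(issuer) from None
    return adapter(data)


def account_key(identity: Identity) -> str:
    """Key for the local account table: issuer plus subject, never the email."""
    return f"{identity.issuer}:{identity.subject}"


# Constructed sample responses, shaped like the two hypothetical providers.
SAMPLE_A = {"id": 1001, "email": "alice@example.com", "verified_email": True, "name": "Alice"}
SAMPLE_B = {
    "sub": "u-77",
    "emails": [{"value": "bob@example.org", "primary": True, "verified": True}],
    "displayName": "Bob",
}
SAMPLE_A_UNVERIFIED = {"id": 1002, "email": "mallory@example.com", "verified_email": False}


if __name__ == "__main__":
    for issuer, raw in (("provider_a", SAMPLE_A), ("provider_b", SAMPLE_B)):
        ident = normalize(issuer, raw)
        print(account_key(ident), ident.email, ident.display_name)
```

The adapters are the only provider-specific code; everything above them (Shiro realm, session creation, account lookup) would work against `Identity` alone. Rejecting unverified emails at this boundary matters because a provider that lets users enter an arbitrary address would otherwise let one account claim another user's email.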
