On 02/09/12 12:26, mayankeagle wrote:
> I like OAuth 1.0 and I find it pretty good and secure.

I agree it is well understood and secure and it's been deployed, hence it is important that CXF offers OAuth 1.0 support.

> I'm not sure what changes they have done in OAuth 2.0 but I heard that they
> have eliminated some of the steps in it and that doesn't sound equally secure
> to me.

Have a look at the latest draft:
http://tools.ietf.org/html/draft-ietf-oauth-v2.
For a main-stream authorization code flow, the step requiring a request token acquisition is dropped.

I do not share the opinion that it is not secure or that it's very difficult to make it secure. It can be made nearly identical to OAuth 1.0 by using a MAC token, for example, but can equally accommodate different flows, grants and tokens in a well-defined manner.

> I read the blog of Eran Hammer, one of the leaders in designing the protocol,
> in which he mentioned that he does not favour OAuth 2.0 and even left the team
> - http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

My recommendation is to listen to Eran, who is a well-known authority, but also do more analysis and keep an open eye on OAuth 2.0.

> What are your thoughts on the security provided by OAuth 2.0 and its
> differences from OAuth 1.0? Just asking for your own opinion regarding the
> two.

I'm not an OAuth 2.0 expert - please check the OAuth 2.0 archives. I think it is secure and can be made as secure as required. There's a comprehensive security threat model, and the holder-of-key concept will also be supported. I see OAuth 2.0 going mainstream pretty soon.

Cheers, Sergey



--
View this message in context: 
http://cxf.547215.n5.nabble.com/OAuth-1-0-in-CXF-2-6-2-tp5713150p5713431.html
Sent from the cxf-user mailing list archive at Nabble.com.


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
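The point Sergey makes above, that a MAC (holder-of-key) token makes OAuth 2.0 behave much like OAuth 1.0 because the client has to prove possession of a key on every request, is easier to see in code than in prose. The following is an added example, not code from the thread or from CXF. It follows the normalized-request-string layout of draft-ietf-oauth-v2-http-mac (timestamp, nonce, method, request-URI, host, port, ext, each newline-terminated) as an assumption you should check against the draft version you target; the key id, MAC key, nonce and timestamp are constructed values, and `MacVerifier`/`BearerVerifier` are names invented for this example.

```python
"""Proof-of-possession (MAC) tokens versus bearer tokens in OAuth 2.0.

Added example, not CXF code. Normalized-string layout assumed from
draft-ietf-oauth-v2-http-mac; verify against the draft you implement.
"""
import base64
import hashlib
import hmac
import secrets
import time


def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    # Each element is newline-terminated so the concatenation is unambiguous.
    parts = (ts, nonce, method.upper(), uri, host.lower(), port, ext)
    return "".join(f"{p}\n" for p in parts)


def mac_header(key_id, mac_key, method, uri, host, port, ts=None, nonce=None, ext=""):
    """Client side: sign the request with the MAC key (hmac-sha-256) and
    build the Authorization header value. Only the key *id* travels on
    the wire; the key itself never leaves the client."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    base = normalized_request_string(ts, nonce, method, uri, host, port, ext)
    mac = base64.b64encode(hmac.new(mac_key, base.encode(), hashlib.sha256).digest()).decode()
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(value):
    scheme, _, params = value.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    out = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")  # first '=' only; base64 pad may follow
        out[k] = v.strip('"')
    return out


class MacVerifier:
    """Resource server: keys by id, a freshness window and a nonce cache."""

    def __init__(self, keys, window=300):
        self.keys = keys        # key id -> MAC key bytes
        self.window = window    # accepted clock skew in seconds
        self.seen = set()       # (id, ts, nonce) already accepted -> replay

    def verify(self, header, method, uri, host, port, now=None):
        now = int(time.time()) if now is None else now
        p = parse_mac_header(header)
        key = self.keys.get(p.get("id"))
        if key is None:
            return False, "unknown key id"
        try:
            ts = int(p["ts"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        marker = (p["id"], ts, p.get("nonce"))
        if marker in self.seen:
            return False, "replayed nonce"
        # Recompute over the request the server actually received, not over
        # anything the client claims, so a tampered method/URI fails.
        base = normalized_request_string(ts, p.get("nonce", ""), method, uri, host, port, p.get("ext", ""))
        expected = base64.b64encode(hmac.new(key, base.encode(), hashlib.sha256).digest()).decode()
        if not hmac.compare_digest(expected, p.get("mac", "")):
            return False, "bad mac"
        self.seen.add(marker)
        return True, "ok"


class BearerVerifier:
    """For contrast: a bearer token is accepted from whoever presents it."""

    def __init__(self, tokens):
        self.tokens = tokens

    def verify(self, header, *_ignored):
        scheme, _, token = header.partition(" ")
        return scheme == "Bearer" and token in self.tokens


def demo():
    """Walk one MAC-protected request through tamper, accept, replay and
    stale-timestamp cases, and show a bearer token replaying freely."""
    mac_key = b"constructed-demo-mac-key"            # constructed, not real
    server = MacVerifier({"h480djs93hd8": mac_key})
    now = 1336363200
    req = ("GET", "/resource/1?b=1&a=2", "example.com", 80)
    hdr = mac_header("h480djs93hd8", mac_key, *req, ts=now, nonce="dj83hs9s")
    tampered = server.verify(hdr, "DELETE", *req[1:], now=now)   # method changed
    accepted = server.verify(hdr, *req, now=now)
    replayed = server.verify(hdr, *req, now=now + 5)              # same header again
    stale = server.verify(hdr, *req, now=now + 3600)
    bearer = BearerVerifier({"constructed-bearer-token"})
    b1 = bearer.verify("Bearer constructed-bearer-token")
    b2 = bearer.verify("Bearer constructed-bearer-token")         # replay succeeds
    return {"tampered": tampered, "accepted": accepted, "replayed": replayed,
            "stale": stale, "bearer_replay": b1 and b2}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v}")
```

The contrast is the whole point of the "holder of the key" discussion: a captured bearer token is reusable by anyone until it expires, whereas a captured MAC header is bound to one method, URI, host, nonce and timestamp, and the verifier's nonce cache and freshness window close the remaining replay gap. The nonce cache here is an in-memory set; in a real deployment it must be shared across resource-server instances and bounded by the same window the timestamp check enforces.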
