Hi Greg-
On 10/12/12 15:49, web-id wrote:
> Greetings!
> Newbie here..
> I am interested in using CXF's OAuth 2 jar/lib for a provider
> implementation.
thanks for the interest
> My Qs. 1. I already have a SAML 2.0 IDP; what is the easiest and the best
> way to introduce OAuth 2 and glue them together? Really appreciate it if
> anyone can point me in the right direction.
CXF has service provider support for Web SSO:
http://cxf.apache.org/docs/saml-web-sso.html
Does your IDP support it too? If yes, then it will be the easiest way to
start, to get it all linked.
If it does not, then we can think of using CXF Fediz.
Next, please check the demo at
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2.
The default implementation has all the parties (the client, the resource
server, OAuth services) collocated in the same container instance.
"saml-sso" has the same demo implemented but with all the parties
running in their own containers, on different ports. So we have the 3 web
apps for the OAuth2 main parties, plus the WebSSO RACS endpoint where the IDP will
redirect the user after it has authenticated, plus the IDP itself;
Shibboleth (and Kerberos) is used to authenticate the user...
Note, in the simple/default demo, the user login, say "[email protected]",
is used to link the current authenticated user to the resources this
user owns. This 'social.com' id is not necessarily the one the user will
enter when authenticating with the existing IDP; it can be something
different. So in the "saml-sso" version, the user logs in with, say,
"[email protected]" and also has a chance to enter an 'alias', say,
'barrym'.
The demo assumption is that the user will have entered this alias at the
IDP, so its own social.com login value can be completely different. So
after the IDP redirects the user to RACS, this 'barrym' value will be
eventually available to the SAML SSO filter protecting the endpoint, which
will set the security context, and after that the social.com
implementation will get it and check if the user with the given alias
exists or not...
I guess it can be further enhanced to actually also submit the alias to
Kerberos, but I thought it would go a bit too far for the purpose of the
demo :-)
> 2. A stand-alone OAuth 2 authorization provider implementation. Any pointers
> on this too.
Have a look at the linked demo please; if you have any questions, let
me know.
Cheers, Sergey
> Thanks in advance.
> -Greg
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Oauth-2-provider-lib-and-Qs-tp5719975.html
> Sent from the cxf-user mailing list archive at Nabble.com.
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
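As an added illustration of the alias-to-login step described above (this is not code from the Talend demo or from CXF itself): a hypothetical helper that takes the principal the SAML SSO filter placed in the JAX-RS SecurityContext, treats its name as the alias entered at the IDP, and maps it to the social.com login used to build the OAuth2 UserSubject. The class name, the alias registry and the error responses are assumptions; only UserSubject is a real CXF class.

```java
import java.security.Principal;
import java.util.Map;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;

/**
 * Hypothetical helper (not part of the demo): resolves the resource owner
 * for the OAuth2 services from the alias that the SAML SSO filter put into
 * the security context after the IDP redirected the user to RACS.
 */
public class AliasSubjectResolver {

    // Constructed sample registry: alias entered at the IDP -> social.com login.
    // In a real deployment this would be the social.com user store.
    private final Map<String, String> aliasToLogin;

    public AliasSubjectResolver(Map<String, String> aliasToLogin) {
        this.aliasToLogin = aliasToLogin;
    }

    public UserSubject resolve(SecurityContext sc) {
        Principal p = sc == null ? null : sc.getUserPrincipal();
        if (p == null || p.getName() == null || p.getName().isEmpty()) {
            // No authenticated principal: the SSO filter did not run or rejected
            // the request, so never fall back to a default or guessed user.
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        String alias = p.getName();
        String login = aliasToLogin.get(alias);
        if (login == null) {
            // Alias unknown to social.com: refuse rather than silently creating
            // an account, so an IDP-side typo cannot link to someone else's data.
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        // The OAuth2 services identify the resource owner by the social.com
        // login, which may differ completely from what the user typed at the IDP.
        return new UserSubject(login);
    }
}
```

The resolver would be called from the authorization service once the SAML SSO filter has set the security context, e.g. with a constructed registry mapping "barrym" to the user's social.com login.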