Yes, it helps. For me it looks good to associate permissions and scope with access token. I think I will do something similar in cxf.
Btw, I've updated resteasy recently and saw changes in oauth module.:) Cheers, Lukasz 2010/8/18 Sergey Beryozkin <sberyoz...@gmail.com> > Hi Łukasz > > 2010/8/16 Łukasz Moreń <lukasz.mo...@gmail.com> > > > Hi, > > > > I've made changes in demo according to your comments. > > > > thanks. > > > > I will do 'gsoc' tag on my branch to distinguish current gsoc work from > > future changes, as today is 'firm pencil down' date. > > > > ok. > > > > I would like to do additional changes in oauth module. > > > > nice :-). > > > > Access token should be connected with some kind of 'scope' that specifies > > a range of resources it allows to access or operations to invoke. > > > > For example in RestEasy implementation access token is associated with > set > > of principal roles. > > If there is valid access token in the request, oauth filter set user > roles > > associated with token to ServletRequest and let pass it further. > > > > I'm wondering how it can be done in cxf. I would appreciate some help on > > that. > > > > > Believe it or not but I've changed all that as part of the work I've been > doing recently. > Specifically, I've removed the association of roles & principal with access > tokens. > Instead I've introduced permissions which is really what can be requested > by > a consumer and publicly > shown to the end user, example, "Are you ok with letting 3rd party consumer > "doSomething" with your resources" ?. where "doSometing" can be pretty much > any expression like "updateYourAlbom", etc, while roles could be "user", > etc. > > It is then a job of filters/login modules/etc to convert permissions into > the actual roles, as well as retrieve an authenticated Principal. > > I've also added "scopes" which are URIs, which I 'borrowed' from the Google > docs. Example, a consumer may request a permission to "doSomething" at > http://bar. If authorized it can access http://bar, http://bar/1, > http://bar/2 > > Does it help ? Any comments ? > > cheers, Sergey > > > Cheers, > > Lukasz > > > > 2010/8/14 Łukasz Moreń <lukasz.mo...@gmail.com> > > > > > Hi Sergey, > > > > > > Thanks for feedback. More comments below. > > > > > > 2010/8/13 Sergey Beryozkin <sberyoz...@gmail.com> > > > > > >> Hi Lucasz > > >> > > >> > > >> 2010/8/13 Łukasz Moreń <lukasz.mo...@gmail.com> > > >> > > >> > Hi Sergey, > > >> > > > >> > I've added some improvements to demo and protocol implementation. > > >> > I hope this time build will be fine. > > >> > > > >> > > > >> I've had no problems building this time. Thanks for sorting the build > > >> issues > > >> out. > > >> The only minor hitch is that I had to add > > >> <relativePath>../../pom.xml</relativePath> > > >> to both oauth client & server demo modules in order to build them. Not > > >> sure > > >> if I could've built them by running > > >> 'mvn install' from samples directly (in > > distribution/target/.../samples) > > >> given that we also have to use -Pspring3. Not a big issue - please > > recheck > > >> just in case... > > >> > > > > > > Yes, I think I need to add relativePath to pom. > > > > > > > > >> > > >> So I've started server and client web apps and run the demo easily. So > > >> it's > > >> all nearly there, and IMHO the project is in a good shape, as far as > > GSOC > > >> is > > >> concerned. Hopefully you can continue on preparing it to the move to > the > > >> trunk :-) > > >> > > >> Here're some comments to the existing demo - see if you could do > > anything > > >> till 16th, if not then it can be dealt with later on. > > >> > > >> > > > I will try do to as much as possible till 16-th. There is still plenty > to > > > do as I see from your commnets and > > > myself so missing things I will add later. > > > > > > > > > > > >> The client registration form requires a user to register a callback > URI. > > >> But > > >> I understand that a callback URI is only provided by a client, when > > >> requesting a temp/request token ? That said, requiring what I'd call a > > >> 'connect' or "reply-to" URI registered during the (secure) client > > >> registration process may help with enforcing that the actual callback > > URI > > >> provided by the client *matches* the one provided at the registration, > > >> using > > >> a startsWith function. I've seen it in the Facebook docs and I also > did > > >> something similar in my own project - is this the idea ? > > >> > > > If yes - then please check it's a startsWith check that is used - but > > also > > > > > > consider making providing a callback URI optional at the client > > >> registration > > > > > > time > > > > > > > > > Yes, i used it for that reason. It can be jus passed with request token > > > request. All current OAuth 1.0 servers I've seen need to preregister > > > callback URI, > > > and as you said they check if both uri matches. > > > There is also possibility to pass 'oob' (out of band) value as callback > > URI > > > which means has been established via other means, > > > so then server use preregistered value. However I think this option is > > used > > > in case of native apps. > > > . > > > > > >> The other thing is that a client key is also generated. This is > probably > > >> correct but I'm wondering would it make sense to let the consumer > > register > > >> its own key but the authorization server to only generate the shared > > >> secret. > > >> Consumer might also want to optionally provide its description such as > > >> "OAuth 1.0 client" as in the demo, etc. This might make it a bit > > simpler > > >> for a client (i.e, it will only have to manage a shared secret). > > >> > > > > > > Yes I think it makes sense. So far consumer key is just hash from > > > application name and user who registers consumer. > > > > > > > > > > > >> In a client webapp a PLAINTEXT option is offered - is it OAuth 2.0 > like > > >> thing where HTTPS is assumed ? I'd just consider removing this option > > and > > >> have only hmac-sha1 left. > > >> > > > > > > I think it's something similar, however there is no signatures in OAuth > > 2.0 > > > and access_token is assumed to be short lived, > > > ideally one per request, issuing new tokens is done by refresh_token > > > parameter. > > > > > > > > >> This is probably it so far. I'm not very excited about JSPs being used > > in > > >> the demo :-) but I guess it is not too bad and shows something that > many > > >> people would consider doing in practice. > > >> > > > > > > I was not sure about using JSP's neither:), but I wanted to show > > basically > > > how oauth could be added to existing apps > > > and hadn't other idea how to replace them. > > > > > > > > >> > > >> Overall it is a really good effort toward helping CXF users to > > >> start/experiment with OAuth. > > >> > > > > > > > > > Cheers, > > > Lukasz > > > > > > > > > > > >> > > >> Thanks > > >> > > >> Sergey > > >> > > >> > > >> Cheers, > > >> > Lukasz > > >> > > > >> > 2010/8/13 Sergey Beryozkin <sberyoz...@gmail.com> > > >> > > > >> > > Hi Łukasz > > >> > > > > >> > > I can see the merges flowing :-), I'll be reviewing your work > > tonight; > > >> > > > > >> > > to the list : we've exchanged few private emails to do with build > > >> issues > > >> > I > > >> > > was encountering and Łukasz > > >> > > addressed them fast; we also agreed that for the initial phase > > making > > >> a > > >> > > demo easy to understand and build upon was the main goal... > > >> > > > > >> > > cheers, Sergey > > >> > > > > >> > > 2010/8/5 Sergey Beryozkin <sberyoz...@gmail.com> > > >> > > > > >> > > > Hi Łukasz > > >> > > > > > >> > > > can you please fix checkstyle errors in the demo... > > >> > > > Re the callback uri : I think one of the providers on the server > > is > > >> > > > configured with the callback URI > > >> > > > > > >> > > > thanks, Sergey > > >> > > > > > >> > > > > > >> > > > 2010/8/2 Łukasz Moreń <lukasz.mo...@gmail.com> > > >> > > > > > >> > > > > > > >> > > >> > Please update the demo so that the consume > > >> > > >> > > >> > > >> registers itself, plus supplies a callback itself with a > request > > >> token > > >> > > >> > request > > >> > > >> > > >> > > >> > > >> > > >> callback url is passed in this request, however this request is > > >> done > > >> > in > > >> > > >> backend through URLConnection so it's not visible at UI. > > >> > > >> > > >> > > >> Cheers, Lukasz > > >> > > >> > > >> > > >> W dniu 2 sierpnia 2010 13:36 użytkownik Łukasz Moreń < > > >> > > >> lukasz.mo...@gmail.com > > >> > > >> > napisał: > > >> > > >> > > >> > > >> > Hi, > > >> > > >> > I've committed changes I've made: > > >> > > >> > - added possibility to register new OAuth client applications > > at > > >> > OAuth > > >> > > >> > server > > >> > > >> > - OAuth demos moved to distribution\src\main\samples\ > > >> > > >> > - added README to OAuth demos > > >> > > >> > - fixes in pom.xml files > > >> > > >> > > > >> > > >> > - fix the checkstyle errors and move the demo to the > > >> > > >> > > > >> > > >> > ""distribution/src/main/release/samples/"" area and also add > > >> Readme; > > >> > > >> after > > >> > > >> > > > >> > > >> > building the distribution (mvn install in trunk/distribution) > > you > > >> > can > > >> > > >> >> easily > > >> > > >> > > > >> > > >> > verify the demo can be run by locating in the target. > > >> > > >> > > > >> > > >> > > > >> > > >> > fixed that, and added readme > > >> > > >> > > > >> > > >> > > > >> > > >> >> - add the oauth dependency in the parent pom so that the > > >> rs/oauth > > >> > > >> module > > >> > > >> >> can > > >> > > >> > > > >> > > >> > depend on it without specifying a version and have the demo > > >> client > > >> > > >> module > > >> > > >> > > > >> > > >> > depending on rt/rs/oauth module instead (similarly to the > > server > > >> > one) > > >> > > >> > > > >> > > >> > > > >> > > >> > done, hovewer demo client don't need to depend on rt/rs/oauth > > as > > >> it > > >> > > >> doesn't > > >> > > >> > use cxf functionality, just on oauth libraries > > >> > > >> > > > >> > > >> > > > >> > > >> >> - during the main build please use the Spring version CXF > > >> depends > > >> > > upon > > >> > > >> and > > >> > > >> > > > >> > > >> > use its -Pspring3 profile to build for the deployment into > GAE > > >> > > >> > > > >> > > >> > > > >> > > >> > changed, both client and server demos needs to be build with > > >> > -Pspring3 > > >> > > >> for > > >> > > >> > local jetty run and GAE as well. > > >> > > >> > Otherwise I would need use different spring config files for > > >> spring > > >> > > 2.5 > > >> > > >> and > > >> > > >> > 3.0.x > > >> > > >> > > > >> > > >> > Cheers, Lukasz > > >> > > >> > > > >> > > >> > W dniu 29 lipca 2010 21:15 użytkownik Sergey Beryozkin < > > >> > > >> > sberyoz...@gmail.com> napisał: > > >> > > >> > > > >> > > >> > Hi > > >> > > >> >> > > >> > > >> >> 2010/7/29 Łukasz Moreń <lukasz.mo...@gmail.com> > > >> > > >> >> > > >> > > >> >> > Hi, > > >> > > >> >> > > > >> > > >> >> > I'm still working on refactoring and changes in demo you > > >> > suggested. > > >> > > >> >> > I will likely update it tomorrow. > > >> > > >> >> > > > >> > > >> >> > I'll likely ask for some modifications but perhaps if you > > >> could > > >> > > start > > >> > > >> >> with > > >> > > >> >> > > updating the demo > > >> > > >> >> > > > >> > > >> >> > such that a consumer initiates its own registration with > the > > >> > OAuth > > >> > > >> >> server. > > >> > > >> >> > > > >> > > >> >> > > > >> > > >> >> > I'm going to put high effort on my GSoC project next > weeks. > > I > > >> > would > > >> > > >> >> really > > >> > > >> >> > appreciate, > > >> > > >> >> > if you would have some more modifications > > requests/directions > > >> > which > > >> > > >> >> project > > >> > > >> >> > should go, as you have limited time next week > > >> > > >> >> > and current changes will not take long. > > >> > > >> >> > > > >> > > >> >> > From what I'm seeing, I need to cover spec with code, > > simplify > > >> > > >> >> > configuration > > >> > > >> >> > and do more testing. > > >> > > >> >> > > > >> > > >> >> > > > >> > > >> >> I have to sign off now...Please update the demo so that the > > >> > consumer > > >> > > >> >> registers itself, plus supplies a callback itself with a > > request > > >> > > token > > >> > > >> >> request, add README and it would let users start > > experimenting. > > >> > IMHO > > >> > > >> the > > >> > > >> >> initial phase can be considered complete once there's a demo > > >> there > > >> > > >> which > > >> > > >> >> can > > >> > > >> >> show users what they need to do. > > >> > > >> >> > > >> > > >> >> We can then discuss things further > > >> > > >> >> > > >> > > >> >> cheers, Sergey > > >> > > >> >> > > >> > > >> >> > > >> > > >> >> > > >> > > >> >> > Cheers, > > >> > > >> >> > Lukasz > > >> > > >> >> > > > >> > > >> >> > 2010/7/29 Daniel Kulp <dk...@apache.org> > > >> > > >> >> > > > >> > > >> >> > > > > >> > > >> >> > > You probably just need to change your deps to: > > >> > > >> >> > > > > >> > > >> >> > > geronimo-servlet_3.0_spec > > >> > > >> >> > > > > >> > > >> >> > > > > >> > > >> >> > > Dan > > >> > > >> >> > > > > >> > > >> >> > > > > >> > > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin > > wrote: > > >> > > >> >> > > > Hi Lucasz > > >> > > >> >> > > > > > >> > > >> >> > > > I can't build the oauth sandbox project, seeing > > >> > > >> >> > > > [ERROR] FATAL ERROR > > >> > > >> >> > > > [INFO] > > >> > > >> >> > > > > > >> > > >> >> > > > >> > > >> > > >> > > > ------------------------------------------------------------------------ > > >> > > >> >> > > > [INFO] Error building POM (may not be this project's > > POM). > > >> > > >> >> > > > > > >> > > >> >> > > > > > >> > > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth > > >> > > >> >> > > > POM Location: > > >> > > >> >> > > > > > >> > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml > > >> > > >> >> > > > Validation Messages: > > >> > > >> >> > > > > > >> > > >> >> > > > [0] 'dependencies.dependency.version' is missing > > for > > >> > > >> >> > > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar > > >> > > >> >> > > > > > >> > > >> >> > > > > > >> > > >> >> > > > Reason: Failed to validate POM for project > > >> > > >> >> > org.apache.cxf:cxf-rt-rs-oauth > > >> > > >> >> > > > at > > >> > > >> > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml > > >> > > >> >> > > > > > >> > > >> >> > > > so I can not review the latest merge, sorry. I > could've > > >> tried > > >> > > to > > >> > > >> fix > > >> > > >> >> > this > > >> > > >> >> > > > issue but I'm not sure if you're finished with the > > >> > refactoring > > >> > > >> just > > >> > > >> >> > yet. > > >> > > >> >> > > > I'll be travelling tomorrow and I'll have some very > > >> limited > > >> > > time > > >> > > >> >> during > > >> > > >> >> > > the > > >> > > >> >> > > > evenings next week but I'll try to provide some > feedback > > >> at > > >> > > least > > >> > > >> >> > > > > > >> > > >> >> > > > cheers, Sergey > > >> > > >> >> > > > > > >> > > >> >> > > > > > >> > > >> >> > > > 2010/7/26 Sergey Beryozkin <sberyoz...@gmail.com> > > >> > > >> >> > > > > > >> > > >> >> > > > > Hi Łukasz > > >> > > >> >> > > > > > > >> > > >> >> > > > > 2010/7/26 Łukasz Moreń <lukasz.mo...@gmail.com> > > >> > > >> >> > > > > > > >> > > >> >> > > > > Hi Sergey, > > >> > > >> >> > > > > > > >> > > >> >> > > > >> I'm really sorry for such commit, I know it > shouldn't > > >> > > happen. > > >> > > >> I > > >> > > >> >> > turned > > >> > > >> >> > > > >> off checkstyle as i couldn't configure it properly > on > > >> > > intellij > > >> > > >> >> and > > >> > > >> >> > it > > >> > > >> >> > > > >> was annoying during development. > > >> > > >> >> > > > >> I will apply proper changes ASAP. > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> no worries at all, I've broken the real builds with > > >> > > checkstyle > > >> > > >> >> > errors > > >> > > >> >> > > so > > >> > > >> >> > > > > > > >> > > >> >> > > > > many times and it is the CXF sandbox after :-) > > >> > > >> >> > > > > > > >> > > >> >> > > > >> According to the demo, I built it as usual web-app, > > if > > >> it > > >> > > >> worked, > > >> > > >> >> > use > > >> > > >> >> > > > >> this same sources to deploy on GAE. > > >> > > >> >> > > > >> However because of GAE restrictions it always needs > > >> minor > > >> > > >> changes > > >> > > >> >> > > > >> before deploy, i.e. GAE can't read configuration > > files > > >> > such > > >> > > >> as: > > >> > > >> >> > > > >> cxf-extension-http.xml > > >> > > >> >> > > > >> from jars, so I copied it to WEB-INF folder. > > >> > > >> >> > > > >> Commited to svn version does not depend on GAE SDK > > and > > >> can > > >> > > be > > >> > > >> run > > >> > > >> >> > > > >> locally with jetty:run. > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> Yes, I warned about server configuration part:). I > > will > > >> > take > > >> > > >> care > > >> > > >> >> to > > >> > > >> >> > > > >> make it simpler. > > >> > > >> >> > > > > > > >> > > >> >> > > > > I do not think it is too complicated - the > > >> simplification > > >> > can > > >> > > >> be > > >> > > >> >> done > > >> > > >> >> > > > > once the whole flow is sound... > > >> > > >> >> > > > > > > >> > > >> >> > > > >> So far, oauth consumer properties are hardcoded and > > >> > injected > > >> > > >> into > > >> > > >> >> > > > >> oauth provider, as I think it is not oauth library > > >> > > >> responsibility > > >> > > >> >> to > > >> > > >> >> > > > >> deal with consumer registration. > > >> > > >> >> > > > >> Hovewer for demo it would be good to have something > > >> like > > >> > > that. > > >> > > >> I > > >> > > >> >> > would > > >> > > >> >> > > > >> do registration form at the server as it is done by > > >> > current > > >> > > >> big > > >> > > >> >> > oauth > > >> > > >> >> > > > >> implementations. > > >> > > >> >> > > > > > > >> > > >> >> > > > > I agree that conceptually the registration of > > consumers > > >> is > > >> > a > > >> > > >> >> separate > > >> > > >> >> > > > > issue. But it is part of the solution that users > will > > be > > >> > > >> >> eventually > > >> > > >> >> > > > > offering so just showing them that the consumers > have > > to > > >> go > > >> > > and > > >> > > >> >> > > register > > >> > > >> >> > > > > themselves with help people with coming up with some > > >> custom > > >> > > >> >> > > registration > > >> > > >> >> > > > > forms, etc. The registration does not have to be > done > > at > > >> > the > > >> > > >> >> server > > >> > > >> >> > > > > hosting the resource, it is just important for the > > OAuth > > >> > > >> provider > > >> > > >> >> be > > >> > > >> >> > > > > able to get to the consumer details. I'm fine with > > >> assuming > > >> > > at > > >> > > >> the > > >> > > >> >> > > > > moment that the registration handler is collocated > > with > > >> the > > >> > > >> >> > > > > endpoints/providers enforcing OAuth flow. > > >> > > >> >> > > > > > > >> > > >> >> > > > > But the callback uri which is being injected at the > > >> moment > > >> > > >> should > > >> > > >> >> go > > >> > > >> >> > > > > anyway given that it is part of the actual flow, > > >> > > specifically, > > >> > > >> the > > >> > > >> >> > > > > consumer provides it during the request token > request > > >> > > >> >> > > > > > > >> > > >> >> > > > >> Recently I've noticed that Camel have done oauth > > client > > >> as > > >> > > >> >> well:): > > >> > > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> Thanks much for review, and hints. > > >> > > >> >> > > > > > > >> > > >> >> > > > > thanks for your effort :-) > > >> > > >> >> > > > > > > >> > > >> >> > > > > Sergey > > >> > > >> >> > > > > > > >> > > >> >> > > > >> Cheers, > > >> > > >> >> > > > >> Lukasz > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> 2010/7/24 Sergey Beryozkin <sberyoz...@gmail.com>: > > >> > > >> >> > > > >> > Hi Łukasz > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > Sorry for a delay, I should've come back earlier > > to > > >> > you. > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > I've run the demo hosted at the app engine and I > > >> think > > >> > > from > > >> > > >> the > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> education > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > point of view it is a good demo and it is handy > one > > >> does > > >> > > not > > >> > > >> >> even > > >> > > >> >> > > has > > >> > > >> >> > > > >> > to build anything in order to try it. > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > I've had a problem building the rt/rs/oauth tests > - > > >> > > there's > > >> > > >> a > > >> > > >> >> > bunch > > >> > > >> >> > > of > > >> > > >> >> > > > >> > CheckStyle errors. Can you please build > > >> > sandbox/oauth_1.0a > > >> > > >> from > > >> > > >> >> > the > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> trunk, > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do > > 'mvn > > >> > > >> install' > > >> > > >> >> from > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> rt/rs/ ? > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > One other thing, please move the demo to > > >> > > >> >> > > > >> > "distribution/src/main/release/samples/" as well > > add > > >> > > Readme > > >> > > >> to > > >> > > >> >> it. > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > Also I can not build the demo too, the client > build > > >> > fails > > >> > > >> with > > >> > > >> >> the > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> following > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > dependency missing > > >> > > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527 > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth > > pom, > > >> > have > > >> > > >> you > > >> > > >> >> > built > > >> > > >> >> > > it > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> in > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > the GAE dev environment ? > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > Can you please spend a bit of time on cleaning > the > > >> build > > >> > a > > >> > > >> bit > > >> > > >> >> : > > >> > > >> >> > > > >> > - fix the checkstyle errors and move the demo to > > the > > >> > > >> >> > > > >> > ""distribution/src/main/release/samples/"" area > and > > >> also > > >> > > add > > >> > > >> >> > Readme; > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> after > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > building the distribution (mvn install in > > >> > > >> trunk/distribution) > > >> > > >> >> you > > >> > > >> >> > > can > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> easily > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > verify the demo can be run by locating in the > > target. > > >> > > >> >> > > > >> > - add the oauth dependency in the parent pom so > > that > > >> the > > >> > > >> >> rs/oauth > > >> > > >> >> > > > >> > module > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> can > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > depend on it without specifying a version and > have > > >> the > > >> > > demo > > >> > > >> >> client > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> module > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > depending on rt/rs/oauth module instead > (similarly > > to > > >> > the > > >> > > >> >> server > > >> > > >> >> > > one) > > >> > > >> >> > > > >> > - during the main build please use the Spring > > version > > >> > CXF > > >> > > >> >> depends > > >> > > >> >> > > upon > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> and > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > use its -Pspring3 profile to build for the > > deployment > > >> > into > > >> > > >> GAE > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > As far as the demo is concerned. I looked at the > > >> server > > >> > > part > > >> > > >> >> and > > >> > > >> >> > it > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> looks > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > complicated enough :-) but I think it makes sense > > to > > >> me. > > >> > > >> I'll > > >> > > >> >> > likely > > >> > > >> >> > > > >> > ask > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> for > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > some modifications but perhaps if you could start > > >> with > > >> > > >> updating > > >> > > >> >> > the > > >> > > >> >> > > > >> > demo such that a consumer initiates its own > > >> registration > > >> > > >> with > > >> > > >> >> the > > >> > > >> >> > > > >> > OAuth > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> server : > > >> > > >> >> > > > >> > I can see at the moment an oauth provider is > > injected > > >> > with > > >> > > >> some > > >> > > >> >> > > sample > > >> > > >> >> > > > >> > consumer properties. I'm not sure what is the > best > > >> way > > >> > to > > >> > > do > > >> > > >> it > > >> > > >> >> : > > >> > > >> >> > > may > > >> > > >> >> > > > >> > be > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> the > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > server can return a registration form or the > client > > >> can > > >> > > just > > >> > > >> >> push > > >> > > >> >> > > the > > >> > > >> >> > > > >> > registration info itself. > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > Overall I think it is a good progress indeed > > >> especially > > >> > > >> given > > >> > > >> >> the > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> complexity > > >> > > >> >> > > > >> > > >> > > >> >> > > > >> > of the whole effort. > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > thanks, Sergey > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń < > > >> > > >> >> > > lukasz.mo...@gmail.com > > >> > > >> >> > > > >> > > > >> > > >> >> > > > >> >wrote: > > >> > > >> >> > > > >> >> Hi all, > > >> > > >> >> > > > >> >> > > >> > > >> >> > > > >> >> I have managed to create two sample OAuth > > >> aplications: > > >> > > >> >> > > > >> >> ordinary OAuth 1.0a client: > > >> > > >> >> http://www.oauthclient.appspot.com > > >> > > >> >> > > > >> >> and authorization server that uses CXF OAuth > > module: > > >> > > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com > > >> > > >> >> > > > >> >> > > >> > > >> >> > > > >> >> Both sample applications and changes in oauth > > >> library > > >> > are > > >> > > >> >> > commited > > >> > > >> >> > > in > > >> > > >> >> > > > >> >> sandbox. > > >> > > >> >> > > > >> >> > > >> > > >> >> > > > >> >> OAuth configuration in sample authorization > server > > >> app > > >> > > >> looks a > > >> > > >> >> > bit > > >> > > >> >> > > > >> >> awfully but I think most of that can be hidden > and > > >> done > > >> > > out > > >> > > >> of > > >> > > >> >> > > band. > > >> > > >> >> > > > >> >> There is still some areas in specification not > > >> covered > > >> > by > > >> > > >> >> > > > >> >> implementation, so I would like to take care of > > that > > >> in > > >> > > >> next > > >> > > >> >> > steps. > > >> > > >> >> > > > >> >> > > >> > > >> >> > > > >> >> Thanks in advance for some feedback. > > >> > > >> >> > > > >> >> > > >> > > >> >> > > > >> >> Cheers, > > >> > > >> >> > > > >> >> Lukasz > > >> > > >> >> > > > > >> > > >> >> > > -- > > >> > > >> >> > > Daniel Kulp > > >> > > >> >> > > dk...@apache.org > > >> > > >> >> > > http://dankulp.com/blog > > >> > > >> >> > > > > >> > > >> >> > > > >> > > >> >> > > >> > > >> > > > >> > > >> > > > >> > > >> > > >> > > > > > >> > > > > > >> > > > > >> > > > >> > > > > > > > > >
