OAuth client and server demos

OAuth client and server demos

Łukasz Moreń
Hi all,

I have managed to create two sample OAuth applications:
ordinary OAuth 1.0a client: http://www.oauthclient.appspot.com
and authorization server that uses CXF OAuth module:
http://www.cxfoauthserver.appspot.com

Both sample applications and changes in oauth library are committed in sandbox.

OAuth configuration in sample authorization server app looks a bit
awful but I think most of that can be hidden and done out of band.
There are still some areas in specification not covered by
implementation, so I would like to take care of that in next steps.

Thanks in advance for some feedback.

Cheers,
Lukasz

Re: OAuth client and server demos

Sergey Beryozkin
Thanks Łukasz. Implementing OAuth can be challenging indeed so it's a great
effort. I will comment a bit later on

Sergey

On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <[hidden email]> wrote:

> Hi all,
>
> I have managed to create two sample OAuth applications:
> ordinary OAuth 1.0a client: http://www.oauthclient.appspot.com
> and authorization server that uses CXF OAuth module:
> http://www.cxfoauthserver.appspot.com
>
> Both sample applications and changes in oauth library are committed in
> sandbox.
>
> OAuth configuration in sample authorization server app looks a bit
> awful but I think most of that can be hidden and done out of band.
> There are still some areas in specification not covered by
> implementation, so I would like to take care of that in next steps.
>
> Thanks in advance for some feedback.
>
> Cheers,
> Lukasz
>

Re: OAuth client and server demos

Sergey Beryozkin
Hi Łukasz

Sorry for a delay, I should've come back earlier to you.

I've run the demo hosted at the app engine and I think from the education
point of view it is a good demo and it is handy one does not even have to
build anything in order to try it.

I've had a problem building the rt/rs/oauth tests - there's a bunch of
CheckStyle errors. Can you please build sandbox/oauth_1.0a from the trunk,
just do 'mvn install -Pfastinstall' and then do 'mvn install' from rt/rs/ ?
One other thing, please move the demo to
"distribution/src/main/release/samples/" as well add Readme to it.

Also I can not build the demo too, the client build fails with the following
dependency missing
1) net.oauth.core:oauth-consumer:jar:20100527

But I'm seeing an oauth repo in the rt/rs/oauth pom, have you built it in
the GAE dev environment ?

Can you please spend a bit of time on cleaning the build a bit :
- fix the checkstyle errors and move the demo to the
""distribution/src/main/release/samples/"" area and also add Readme; after
building the distribution (mvn install in trunk/distribution) you can easily
verify the demo can be run by locating in the target.
- add the oauth dependency in the parent pom so that the rs/oauth module can
depend on it without specifying a version and have the demo client module
depending on rt/rs/oauth module instead (similarly to the server one)
- during the main build please use the Spring version CXF depends upon and
use its -Pspring3 profile to build for the deployment into GAE

As far as the demo is concerned. I looked at the server part and it looks
complicated enough :-) but I think it makes sense to me. I'll likely ask for
some modifications but perhaps if you could start with updating the demo
such that a consumer initiates its own registration with the OAuth server :
I can see at the moment an oauth provider is injected with some sample
consumer properties. I'm not sure what is the best way to do it : may be the
server can return a registration form or the client can just push the
registration info itself.

Overall I think it is a good progress indeed especially given the complexity
of the whole effort.



thanks, Sergey


Re: OAuth client and server demos

Łukasz Moreń
Hi Sergey,

I'm really sorry for such commit, I know it shouldn't happen. I turned
off checkstyle as I couldn't configure it properly on IntelliJ and it
was annoying during development.
I will apply proper changes ASAP.

According to the demo, I built it as usual web-app, if it worked, use
this same sources to deploy on GAE.
However because of GAE restrictions it always needs minor changes
before deploy, i.e. GAE can't read configuration files such as:
cxf-extension-http.xml
from jars, so I copied it to WEB-INF folder.
Committed to svn version does not depend on GAE SDK and can be run
locally with jetty:run.

Yes, I warned about server configuration part:). I will take care to
make it simpler.
So far, oauth consumer properties are hardcoded and injected into
oauth provider, as I think it is not oauth library responsibility to
deal with consumer registration.
However for demo it would be good to have something like that. I would
do registration form at the server as it is done by current big oauth
implementations.

Recently I've noticed that Camel have done oauth client as well:):
http://camel.apache.org/tutorial-oauth.html

Thanks much for review, and hints.

Cheers,
Lukasz


2010/7/24 Sergey Beryozkin <[hidden email]>:

> Hi Łukasz
>
> Sorry for a delay, I should've come back earlier to you.
>
> I've run the demo hosted at the app engine and I think from the education
> point of view it is a good demo and it is handy one does not even have to
> build anything in order to try it.
>
> I've had a problem building the rt/rs/oauth tests - there's a bunch of
> CheckStyle errors. Can you please build sandbox/oauth_1.0a from the trunk,
> just do 'mvn install -Pfastinstall' and then do 'mvn install' from rt/rs/ ?
> One other thing, please move the demo to
> "distribution/src/main/release/samples/" as well add Readme to it.
>
> Also I can not build the demo too, the client build fails with the following
> dependency missing
> 1) net.oauth.core:oauth-consumer:jar:20100527
>
> But I'm seeing an oauth repo in the rt/rs/oauth pom, have you built it in
> the GAE dev environment ?
>
> Can you please spend a bit of time on cleaning the build a bit :
> - fix the checkstyle errors and move the demo to the
> ""distribution/src/main/release/samples/"" area and also add Readme; after
> building the distribution (mvn install in trunk/distribution) you can easily
> verify the demo can be run by locating in the target.
> - add the oauth dependency in the parent pom so that the rs/oauth module can
> depend on it without specifying a version and have the demo client module
> depending on rt/rs/oauth module instead (similarly to the server one)
> - during the main build please use the Spring version CXF depends upon and
> use its -Pspring3 profile to build for the deployment into GAE
>
> As far as the demo is concerned. I looked at the server part and it looks
> complicated enough :-) but I think it makes sense to me. I'll likely ask for
> some modifications but perhaps if you could start with updating the demo
> such that a consumer initiates its own registration with the OAuth server :
> I can see at the moment an oauth provider is injected with some sample
> consumer properties. I'm not sure what is the best way to do it : may be the
> server can return a registration form or the client can just push the
> registration info itself.
>
> Overall I think it is a good progress indeed especially given the complexity
> of the whole effort.
>
>
>
> thanks, Sergey

Re: OAuth client and server demos

Sergey Beryozkin
Hi Łukasz

2010/7/26 Łukasz Moreń <[hidden email]>

> Hi Sergey,
>
> I'm really sorry for such commit, I know it shouldn't happen. I turned
> off checkstyle as I couldn't configure it properly on IntelliJ and it
> was annoying during development.
> I will apply proper changes ASAP.
>

no worries at all, I've broken the real builds with checkstyle errors so
many times and it is the CXF sandbox after :-)


> According to the demo, I built it as usual web-app, if it worked, use
> this same sources to deploy on GAE.
> However because of GAE restrictions it always needs minor changes
> before deploy, i.e. GAE can't read configuration files such as:
> cxf-extension-http.xml
> from jars, so I copied it to WEB-INF folder.
> Committed to svn version does not depend on GAE SDK and can be run
> locally with jetty:run.
>
> Yes, I warned about server configuration part:). I will take care to
> make it simpler.
>

I do not think it is too complicated - the simplification can be done once
the whole flow is sound...


> So far, oauth consumer properties are hardcoded and injected into
> oauth provider, as I think it is not oauth library responsibility to
> deal with consumer registration.
> However for demo it would be good to have something like that. I would
> do registration form at the server as it is done by current big oauth
> implementations.
>

I agree that conceptually the registration of consumers is a separate issue.
But it is part of the solution that users will be eventually offering so
just showing them that the consumers have to go and register themselves will
help people with coming up with some custom registration forms, etc. The
registration does not have to be done at the server hosting the resource, it
is just important for the OAuth provider be able to get to the consumer
details. I'm fine with assuming at the moment that the registration handler
is collocated with the endpoints/providers enforcing OAuth flow.

But the callback uri which is being injected at the moment should go anyway
given that it is part of the actual flow, specifically, the consumer
provides it during the request token request



>
> Recently I've noticed that Camel have done oauth client as well:):
> http://camel.apache.org/tutorial-oauth.html
>
> Thanks much for review, and hints.
>
>
thanks for your effort :-)

Sergey


> Cheers,
> Lukasz
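
The point made in the reply above, that in OAuth 1.0a the consumer supplies the callback URI in the request token request, shown as an added example (not part of the thread and not code from CXF or the demos). It uses only JDK classes; the endpoint URL, consumer key and secret are constructed values, and nonce/timestamp replay checks are left out.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class RequestTokenCallbackDemo {

    // OAuth 1.0 percent-encoding: only letters, digits, '-', '.', '_' and '~' stay literal.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8")
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // HMAC-SHA1 over the signature base string. Every request parameter except
    // oauth_signature is covered, so oauth_callback is covered too.
    // Simplification: parameter names are assumed unique (a Map is used).
    static String sign(String method, String url, Map<String, String> params,
                       String consumerSecret, String tokenSecret) throws Exception {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!"oauth_signature".equals(e.getKey())) {
                sorted.put(enc(e.getKey()), enc(e.getValue()));
            }
        }
        StringBuilder normalized = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (normalized.length() > 0) {
                normalized.append('&');
            }
            normalized.append(e.getKey()).append('=').append(e.getValue());
        }
        String base = method.toUpperCase() + "&" + enc(url) + "&" + enc(normalized.toString());
        // The token secret is empty at the request token step.
        String key = enc(consumerSecret) + "&" + enc(tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    // Server side of the request token step: returns the callback that should be
    // stored with the newly issued request token, or throws if the request is rejected.
    static String acceptRequestToken(String method, String url, Map<String, String> params,
                                     Map<String, String> consumerSecrets) throws Exception {
        String secret = consumerSecrets.get(params.get("oauth_consumer_key"));
        if (secret == null) {
            throw new SecurityException("unknown consumer");
        }
        String callback = params.get("oauth_callback");
        if (callback == null) {
            throw new SecurityException("oauth_callback missing from request token request");
        }
        String expected = sign(method, url, params, secret, "");
        String got = params.get("oauth_signature");
        if (got == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), got.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("signature mismatch");
        }
        return callback;
    }

    public static void main(String[] args) throws Exception {
        String url = "https://provider.example/oauth/initiate"; // hypothetical endpoint
        Map<String, String> secrets = new HashMap<>();
        secrets.put("demo-consumer", "demo-secret");            // constructed registration data

        Map<String, String> req = new HashMap<>();               // constructed request
        req.put("oauth_consumer_key", "demo-consumer");
        req.put("oauth_signature_method", "HMAC-SHA1");
        req.put("oauth_timestamp", "1280000000");
        req.put("oauth_nonce", "constructed-nonce-1");
        req.put("oauth_version", "1.0");
        req.put("oauth_callback", "https://consumer.example/ready?run=1");
        req.put("oauth_signature", sign("POST", url, req, "demo-secret", ""));
        System.out.println("accepted, callback bound to request token: "
                + acceptRequestToken("POST", url, req, secrets));

        // A callback changed after signing no longer matches the signature.
        Map<String, String> changed = new HashMap<>(req);
        changed.put("oauth_callback", "https://elsewhere.example/cb");
        try {
            acceptRequestToken("POST", url, changed, secrets);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A request that relies on a pre-configured callback and sends none is refused.
        Map<String, String> noCallback = new HashMap<>(req);
        noCallback.remove("oauth_callback");
        try {
            acceptRequestToken("POST", url, noCallback, secrets);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```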

Re: OAuth client and server demos

Sergey Beryozkin
Hi Łukasz

I can't build the oauth sandbox project, seeing
[ERROR] FATAL ERROR
[INFO]
------------------------------------------------------------------------
[INFO] Error building POM (may not be this project's POM).


Project ID: org.apache.cxf:cxf-rt-rs-oauth
POM Location:
/home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
Validation Messages:

    [0]  'dependencies.dependency.version' is missing for
org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar


Reason: Failed to validate POM for project org.apache.cxf:cxf-rt-rs-oauth at
/home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml

so I can not review the latest merge, sorry. I could've tried to fix this
issue but I'm not sure if you're finished with the refactoring just yet.
I'll be travelling tomorrow and I'll have some very limited time during the
evenings next week but I'll try to provide some feedback at least

cheers, Sergey


2010/7/26 Sergey Beryozkin <[hidden email]>

> Hi Łukasz
>
> 2010/7/26 Łukasz Moreń <[hidden email]>
>
>> Hi Sergey,
>>
>> I'm really sorry for such commit, I know it shouldn't happen. I turned
>> off checkstyle as I couldn't configure it properly on IntelliJ and it
>> was annoying during development.
>> I will apply proper changes ASAP.
>>
> no worries at all, I've broken the real builds with checkstyle errors so
> many times and it is the CXF sandbox after :-)
>
>
>> According to the demo, I built it as usual web-app, if it worked, use
>> this same sources to deploy on GAE.
>> However because of GAE restrictions it always needs minor changes
>> before deploy, i.e. GAE can't read configuration files such as:
>> cxf-extension-http.xml
>> from jars, so I copied it to WEB-INF folder.
>> Committed to svn version does not depend on GAE SDK and can be run
>> locally with jetty:run.
>>
>> Yes, I warned about server configuration part:). I will take care to
>> make it simpler.
>>
>
> I do not think it is too complicated - the simplification can be done once
> the whole flow is sound...
>
>
>> So far, oauth consumer properties are hardcoded and injected into
>> oauth provider, as I think it is not oauth library responsibility to
>> deal with consumer registration.
>> However for demo it would be good to have something like that. I would
>> do registration form at the server as it is done by current big oauth
>> implementations.
>>
>
> I agree that conceptually the registration of consumers is a separate
> issue. But it is part of the solution that users will be eventually offering
> so just showing them that the consumers have to go and register themselves
> will help people with coming up with some custom registration forms, etc.
> The registration does not have to be done at the server hosting the
> resource, it is just important for the OAuth provider be able to get to the
> consumer details. I'm fine with assuming at the moment that the registration
> handler is collocated with the endpoints/providers enforcing OAuth flow.
>
> But the callback uri which is being injected at the moment should go anyway
> given that it is part of the actual flow, specifically, the consumer
> provides it during the request token request
>
>
>
>>
>> Recently I've noticed that Camel have done oauth client as well:):
>> http://camel.apache.org/tutorial-oauth.html
>>
>> Thanks much for review, and hints.
>>
>>
> thanks for your effort :-)
>
> Sergey
>
>
>> Cheers,
>> Lukasz

Re: OAuth client and server demos

Daniel Kulp

You probably just need to change your deps to:

geronimo-servlet_3.0_spec


Dan


On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:

> Hi Łukasz
>
> I can't build the oauth sandbox project, seeing
> [ERROR] FATAL ERROR
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Error building POM (may not be this project's POM).
>
>
> Project ID: org.apache.cxf:cxf-rt-rs-oauth
> POM Location:
> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> Validation Messages:
>
>     [0]  'dependencies.dependency.version' is missing for
> org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
>
>
> Reason: Failed to validate POM for project org.apache.cxf:cxf-rt-rs-oauth
> at /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>
> so I can not review the latest merge, sorry. I could've tried to fix this
> issue but I'm not sure if you're finished with the refactoring just yet.
> I'll be travelling tomorrow and I'll have some very limited time during the
> evenings next week but I'll try to provide some feedback at least
>
> cheers, Sergey

--
Daniel Kulp
[hidden email]
http://dankulp.com/blog

Re: OAuth client and server demos

Łukasz Moreń
Hi,

I'm still working on refactoring and changes in demo you suggested.
I will likely update it tomorrow.

> I'll likely ask for some modifications but perhaps if you could start with
> updating the demo such that a consumer initiates its own registration with
> the OAuth server.

I'm going to put high effort on my GSoC project next weeks. I would really
appreciate, if you would have some more modifications requests/directions
which project should go, as you have limited time next week and current
changes will not take long.

From what I'm seeing, I need to cover spec with code, simplify configuration
and do more testing.

Cheers,
Lukasz

2010/7/29 Daniel Kulp <[hidden email]>

>
> You probably just need to change your deps to:
>
> geronimo-servlet_3.0_spec
>
>
> Dan
>
>
> On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
> > Hi Lucasz
> >
> > I can't build the oauth sandbox project, seeing
> > [ERROR] FATAL ERROR
> > [INFO]
> > ------------------------------------------------------------------------
> > [INFO] Error building POM (may not be this project's POM).
> >
> >
> > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> > POM Location:
> > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > Validation Messages:
> >
> >     [0]  'dependencies.dependency.version' is missing for
> > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> >
> >
> > Reason: Failed to validate POM for project org.apache.cxf:cxf-rt-rs-oauth
> > at /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >
> > so I can not review the latest merge, sorry. I could've tried to fix this
> > issue but I'm not sure if you're finished with the refactoring just yet.
> > I'll be travelling tomorrow and I'll have some very limited time during
> the
> > evenings next week but I'll try to provide some feedback at least
> >
> > cheers, Sergey
> >
> >
> > 2010/7/26 Sergey Beryozkin <[hidden email]>
> >
> > > Hi Łukasz
> > >
> > > 2010/7/26 Łukasz Moreń <[hidden email]>
> > >
> > > Hi Sergey,
> > >
> > >> I'm really sorry for such commit, I know it shouldn't happen. I turned
> > >> off checkstyle as i couldn't configure it properly on intellij and it
> > >> was annoying during development.
> > >> I will apply proper changes ASAP.
> > >>
> > >> no worries at all, I've broken the real builds with checkstyle errors
> so
> > >
> > > many times and it is the CXF sandbox after :-)
> > >
> > >> According to the demo, I built it as usual web-app, if it worked, use
> > >> this same sources to deploy on GAE.
> > >> However because of GAE restrictions it always needs minor changes
> > >> before deploy, i.e. GAE can't read configuration files such as:
> > >> cxf-extension-http.xml
> > >> from jars, so I copied it to WEB-INF folder.
> > >> Commited to svn version does not depend on GAE SDK and can be run
> > >> locally with jetty:run.
> > >>
> > >> Yes, I warned about server configuration part:). I will take care to
> > >> make it simpler.
> > >
> > > I do not think it is too complicated - the simplification can be done
> > > once the whole flow is sound...
> > >
> > >> So far, oauth consumer properties are hardcoded and injected into
> > >> oauth provider, as I think it is not oauth library responsibility to
> > >> deal with consumer registration.
> > >> However for demo it would be good to have something like that. I would
> > >> do registration form at the server as it is done by current big oauth
> > >> implementations.
> > >
> > > I agree that conceptually the registration of consumers is a separate
> > > issue. But it is part of the solution that users will be eventually
> > > offering so just showing them that the consumers have to go and register
> > > themselves will help people with coming up with some custom registration
> > > forms, etc. The registration does not have to be done at the server
> > > hosting the resource, it is just important for the OAuth provider be
> > > able to get to the consumer details. I'm fine with assuming at the
> > > moment that the registration handler is collocated with the
> > > endpoints/providers enforcing OAuth flow.
> > >
> > > But the callback uri which is being injected at the moment should go
> > > anyway given that it is part of the actual flow, specifically, the
> > > consumer provides it during the request token request
> > >
> > >> Recently I've noticed that Camel have done oauth client as well:):
> > >> http://camel.apache.org/tutorial-oauth.html
> > >>
> > >> Thanks much for review, and hints.
> > >
> > > thanks for your effort :-)
> > >
> > > Sergey
> > >
> > >> Cheers,
> > >> Lukasz
> > >>
> > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
> > >> > Hi Łukasz
> > >> >
> > >> > Sorry for a delay, I should've come back earlier to you.
> > >> >
> > >> > I've run the demo hosted at the app engine and I think from the
> > >> > education point of view it is a good demo and it is handy one does
> > >> > not even have to build anything in order to try it.
> > >> >
> > >> > I've had a problem building the rt/rs/oauth tests - there's a bunch
> > >> > of CheckStyle errors. Can you please build sandbox/oauth_1.0a from
> > >> > the trunk, just do 'mvn install -Pfastinstall' and then do
> > >> > 'mvn install' from rt/rs/ ?
> > >> >
> > >> > One other thing, please move the demo to
> > >> > "distribution/src/main/release/samples/" as well add Readme to it.
> > >> >
> > >> > Also I can not build the demo too, the client build fails with the
> > >> > following dependency missing
> > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> > >> >
> > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom, have you built
> > >> > it in the GAE dev environment ?
> > >> >
> > >> > Can you please spend a bit of time on cleaning the build a bit :
> > >> > - fix the checkstyle errors and move the demo to the
> > >> > "distribution/src/main/release/samples/" area and also add Readme;
> > >> > after building the distribution (mvn install in trunk/distribution)
> > >> > you can easily verify the demo can be run by locating in the target.
> > >> > - add the oauth dependency in the parent pom so that the rs/oauth
> > >> > module can depend on it without specifying a version and have the
> > >> > demo client module depending on rt/rs/oauth module instead
> > >> > (similarly to the server one)
> > >> > - during the main build please use the Spring version CXF depends
> > >> > upon and use its -Pspring3 profile to build for the deployment into
> > >> > GAE
> > >> >
> > >> > As far as the demo is concerned. I looked at the server part and it
> > >> > looks complicated enough :-) but I think it makes sense to me. I'll
> > >> > likely ask for some modifications but perhaps if you could start
> > >> > with updating the demo such that a consumer initiates its own
> > >> > registration with the OAuth server :
> > >> > I can see at the moment an oauth provider is injected with some
> > >> > sample consumer properties. I'm not sure what is the best way to do
> > >> > it : may be the server can return a registration form or the client
> > >> > can just push the registration info itself.
> > >> >
> > >> > Overall I think it is a good progress indeed especially given the
> > >> > complexity of the whole effort.
> > >> >
> > >> > thanks, Sergey
> > >> >
> > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <[hidden email]>
> > >> > wrote:
> > >> >> Hi all,
> > >> >>
> > >> >> I have managed to create two sample OAuth applications:
> > >> >> ordinary OAuth 1.0a client: http://www.oauthclient.appspot.com
> > >> >> and authorization server that uses CXF OAuth module:
> > >> >> http://www.cxfoauthserver.appspot.com
> > >> >>
> > >> >> Both sample applications and changes in oauth library are committed
> > >> >> in sandbox.
> > >> >>
> > >> >> OAuth configuration in sample authorization server app looks a bit
> > >> >> awfully but I think most of that can be hidden and done out of band.
> > >> >> There is still some areas in specification not covered by
> > >> >> implementation, so I would like to take care of that in next steps.
> > >> >>
> > >> >> Thanks in advance for some feedback.
> > >> >>
> > >> >> Cheers,
> > >> >> Lukasz
>
> --
> Daniel Kulp
> [hidden email]
> http://dankulp.com/blog
>

Re: OAuth client and server demos

Sergey Beryozkin
Hi

2010/7/29 Łukasz Moreń <[hidden email]>

> Hi,
>
> I'm still working on refactoring and changes in demo you suggested.
> I will likely update it tomorrow.
>
> > I'll likely ask for some modifications but perhaps if you could start with
> > updating the demo such that a consumer initiates its own registration with
> > the OAuth server.
>
>
> I'm going to put high effort on my GSoC project next weeks. I would really
> appreciate,
> if you would have some more modifications requests/directions which project
> should go, as you have limited time next week
> and current changes will not take long.
>
> From what I'm seeing, I need to cover spec with code, simplify
> configuration
> and do more testing.
>
>
I have to sign off now...Please update the demo so that the consumer
registers itself, plus supplies a callback itself with a request token
request, add README and it would let users start experimenting. IMHO the
initial phase can be considered complete once there's a demo there which can
show users what they need to do.

We can then discuss things further

cheers, Sergey



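The request token step discussed in this message, with a registered consumer supplying oauth_callback itself inside the signed request, as an added example (not the CXF sandbox code). It assumes Java 16 or later; the class, record and host names and all keys are constructed, and restricting the callback to the registered application host is an assumed provider policy.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class RequestTokenDemo {
    /** What the provider stores when a consumer registers (hypothetical record). */
    record Consumer(String secret, String applicationHost) {}

    static final Map<String, Consumer> REGISTERED = new HashMap<>();
    static final Map<String, String> CALLBACK_FOR_TOKEN = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    /** Percent-encoding as required for OAuth 1.0 signatures (RFC 5849, section 3.6). */
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    /** Signature base string: METHOD & encoded URL & encoded, sorted parameter list. */
    static String baseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!"oauth_signature".equals(e.getKey())) {
                sorted.put(enc(e.getKey()), enc(e.getValue()));
            }
        }
        String joined = sorted.entrySet().stream()
                .map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&"));
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(joined);
    }

    /** HMAC-SHA1 keyed with "consumerSecret&tokenSecret"; the token secret is empty at this step. */
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        byte[] key = (enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    static String randomToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Returns a status code plus body, standing in for the HTTP response. */
    static String handleRequestToken(String method, String url, Map<String, String> params) throws Exception {
        Consumer consumer = REGISTERED.get(params.get("oauth_consumer_key"));
        if (consumer == null) return "401 consumer_key_unknown";
        String callback = params.get("oauth_callback");
        if (callback == null) return "400 parameter_absent: oauth_callback";
        // oauth_callback is part of the base string, so changing it in transit breaks the signature.
        byte[] expected = sign(baseString(method, url, params), consumer.secret(), "")
                .getBytes(StandardCharsets.UTF_8);
        byte[] supplied = params.getOrDefault("oauth_signature", "").getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, supplied)) return "401 signature_invalid";
        // Timestamp and nonce replay checks belong here; this example concentrates on the callback.
        if (!"oob".equals(callback) && !callbackAllowed(callback, consumer)) return "400 callback_rejected";
        String requestToken = randomToken();
        CALLBACK_FOR_TOKEN.put(requestToken, callback); // used later for the redirect with oauth_verifier
        return "200 oauth_token=" + enc(requestToken) + "&oauth_token_secret=" + enc(randomToken())
                + "&oauth_callback_confirmed=true";
    }

    /** Assumed policy: https only, and the host must be the one given at registration. */
    static boolean callbackAllowed(String callback, Consumer consumer) {
        try {
            URI uri = URI.create(callback);
            return "https".equalsIgnoreCase(uri.getScheme())
                    && consumer.applicationHost().equalsIgnoreCase(uri.getHost());
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the consumer "registers" before starting the flow.
        REGISTERED.put("demo-key", new Consumer("demo-secret", "client.example.org"));
        String url = "https://provider.example.org/oauth/initiate";
        Map<String, String> p = new HashMap<>(Map.of(
                "oauth_consumer_key", "demo-key", "oauth_signature_method", "HMAC-SHA1",
                "oauth_timestamp", "1280750000", "oauth_nonce", "constructed-nonce-1",
                "oauth_version", "1.0", "oauth_callback", "https://client.example.org/callback"));
        p.put("oauth_signature", sign(baseString("POST", url, p), "demo-secret", ""));
        System.out.println(handleRequestToken("POST", url, p)); // signed request with its own callback
        p.put("oauth_callback", "https://other.example.net/callback"); // altered after signing
        System.out.println(handleRequestToken("POST", url, p));
        p.put("oauth_signature", sign(baseString("POST", url, p), "demo-secret", ""));
        System.out.println(handleRequestToken("POST", url, p)); // correctly signed, host not registered
    }
}
```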

Re: OAuth client and server demos

Łukasz Moreń
Hi,
I've committed changes I've made:
- added possibility to register new OAuth client applications at OAuth server
- OAuth demos moved to distribution\src\main\samples\
- added README to OAuth demos
- fixes in pom.xml files

> - fix the checkstyle errors and move the demo to the
> "distribution/src/main/release/samples/" area and also add Readme; after
> building the distribution (mvn install in trunk/distribution) you can easily
> verify the demo can be run by locating in the target.

fixed that, and added readme

> - add the oauth dependency in the parent pom so that the rs/oauth module can
> depend on it without specifying a version and have the demo client module
> depending on rt/rs/oauth module instead (similarly to the server one)

done, however the demo client doesn't need to depend on rt/rs/oauth as it
doesn't use cxf functionality, just on oauth libraries

> - during the main build please use the Spring version CXF depends upon and
> use its -Pspring3 profile to build for the deployment into GAE

changed, both client and server demos need to be built with -Pspring3 for
local jetty run and GAE as well.
Otherwise I would need to use different spring config files for spring 2.5 and
3.0.x

Cheers, Lukasz

On 29 July 2010 21:15, Sergey Beryozkin <[hidden email]> wrote:

> Hi
>
> 2010/7/29 Łukasz Moreń <[hidden email]>
>
> > Hi,
> >
> > I'm still working on refactoring and changes in demo you suggested.
> > I will likely update it tomorrow.
> >
> > > I'll likely ask for some modifications but perhaps if you could start
> > > with updating the demo such that a consumer initiates its own
> > > registration with the OAuth server.
> >
> >
> > I'm going to put high effort on my GSoC project next weeks. I would really
> > appreciate,
> > if you would have some more modifications requests/directions which project
> > should go, as you have limited time next week
> > and current changes will not take long.
> >
> > From what I'm seeing, I need to cover spec with code, simplify
> > configuration
> > and do more testing.
> >
> >
> I have to sign off now...Please update the demo so that the consumer
> registers itself, plus supplies a callback itself with a request token
> request, add README and it would let users start experimenting. IMHO the
> initial phase can be considered complete once there's a demo there which can
> show users what they need to do.
>
> We can then discuss things further
>
> cheers, Sergey
>
>
>

Re: OAuth client and server demos

Łukasz Moreń
> Please update the demo so that the consumer
> registers itself, plus supplies a callback itself with a request token
> request

The callback URL is passed in this request; however, this request is done in
the backend through URLConnection, so it's not visible in the UI.

Cheers, Lukasz

On 2 August 2010 13:36, Łukasz Moreń <[hidden email]> wrote:

> Hi,
> I've committed changes I've made:
> - added possibility to register new OAuth client applications at OAuth
> server
> - OAuth demos moved to distribution\src\main\samples\
> - added README to OAuth demos
> - fixes in pom.xml files
>
>> - fix the checkstyle errors and move the demo to the
>> "distribution/src/main/release/samples/" area and also add Readme; after
>> building the distribution (mvn install in trunk/distribution) you can
>> easily verify the demo can be run by locating in the target.
>
> fixed that, and added readme
>
>> - add the oauth dependency in the parent pom so that the rs/oauth module
>> can depend on it without specifying a version and have the demo client
>> module depending on rt/rs/oauth module instead (similarly to the server one)
>
> done, however the demo client doesn't need to depend on rt/rs/oauth as it
> doesn't use cxf functionality, just on oauth libraries
>
>> - during the main build please use the Spring version CXF depends upon and
>> use its -Pspring3 profile to build for the deployment into GAE
>
> changed, both client and server demos need to be built with -Pspring3 for
> local jetty run and GAE as well.
> Otherwise I would need to use different spring config files for spring 2.5 and
> 3.0.x
>
> Cheers, Lukasz
>
> On 29 July 2010 21:15, Sergey Beryozkin <[hidden email]> wrote:
>
>> Hi
>>
>> 2010/7/29 Łukasz Moreń <[hidden email]>
>>
>> > Hi,
>> >
>> > I'm still working on refactoring and changes in demo you suggested.
>> > I will likely update it tomorrow.
>> >
>> > > I'll likely ask for some modifications but perhaps if you could start
>> > > with updating the demo such that a consumer initiates its own
>> > > registration with the OAuth server.
>> >
>> >
>> > I'm going to put high effort on my GSoC project next weeks. I would
>> > really appreciate,
>> > if you would have some more modifications requests/directions which
>> > project should go, as you have limited time next week
>> > and current changes will not take long.
>> >
>> > From what I'm seeing, I need to cover spec with code, simplify
>> > configuration
>> > and do more testing.
>> >
>> >
>> I have to sign off now...Please update the demo so that the consumer
>> registers itself, plus supplies a callback itself with a request token
>> request, add README and it would let users start experimenting. IMHO the
>> initial phase can be considered complete once there's a demo there which
>> can show users what they need to do.
>>
>> We can then discuss things further
>>
>> cheers, Sergey
>>
>>
>>
>> > Cheers,
>> > Lukasz
>> >
>> > 2010/7/29 Daniel Kulp <[hidden email]>
>> >
>> > >
>> > > You probably just need to change your deps to:
>> > >
>> > > geronimo-servlet_3.0_spec
>> > >
>> > >
>> > > Dan
>> > >
>> > >
>> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
>> > > > Hi Lucasz
>> > > >
>> > > > I can't build the oauth sandbox project, seeing
>> > > > [ERROR] FATAL ERROR
>> > > > [INFO]
>> > > >
>> > ------------------------------------------------------------------------
>> > > > [INFO] Error building POM (may not be this project's POM).
>> > > >
>> > > >
>> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
>> > > > POM Location:
>> > > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>> > > > Validation Messages:
>> > > >
>> > > >     [0]  'dependencies.dependency.version' is missing for
>> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
>> > > >
>> > > >
>> > > > Reason: Failed to validate POM for project
>> > org.apache.cxf:cxf-rt-rs-oauth
>> > > > at /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>> > > >
>> > > > so I can not review the latest merge, sorry. I could've tried to fix
>> > this
>> > > > issue but I'm not sure if you're finished with the refactoring just
>> > yet.
>> > > > I'll be travelling tomorrow and I'll have some very limited time
>> during
>> > > the
>> > > > evenings next week but I'll try to provide some feedback at least
>> > > >
>> > > > cheers, Sergey
>> > > >
>> > > >
>> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
>> > > >
>> > > > > Hi Łukasz
>> > > > >
>> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
>> > > > >
>> > > > > Hi Sergey,
>> > > > >
>> > > > >> I'm really sorry for such commit, I know it shouldn't happen. I
>> > turned
>> > > > >> off checkstyle as i couldn't configure it properly on intellij
>> and
>> > it
>> > > > >> was annoying during development.
>> > > > >> I will apply proper changes ASAP.
>> > > > >>
>> > > > >> no worries at all, I've broken the real builds with checkstyle
>> > errors
>> > > so
>> > > > >
>> > > > > many times and it is the CXF sandbox after :-)
>> > > > >
>> > > > >> According to the demo, I built it as usual web-app, if it worked,
>> > use
>> > > > >> this same sources to deploy on GAE.
>> > > > >> However because of GAE restrictions it always needs minor changes
>> > > > >> before deploy, i.e. GAE can't read configuration files such as:
>> > > > >> cxf-extension-http.xml
>> > > > >> from jars, so I copied it to WEB-INF folder.
>> > > > >> Committed to svn version does not depend on GAE SDK and can be run
>> > > > >> locally with jetty:run.
>> > > > >>
>> > > > >> Yes, I warned about server configuration part:). I will take care
>> to
>> > > > >> make it simpler.
>> > > > >
>> > > > > I do not think it is too complicated - the simplification can be
>> done
>> > > > > once the whole flow is sound...
>> > > > >
>> > > > >> So far, oauth consumer properties are hardcoded and injected into
>> > > > >> oauth provider, as I think it is not oauth library responsibility
>> to
>> > > > >> deal with consumer registration.
>> > > > >> However for demo it would be good to have something like that. I
>> > would
>> > > > >> do registration form at the server as it is done by current big
>> > oauth
>> > > > >> implementations.
>> > > > >
>> > > > > I agree that conceptually the registration of consumers is a
>> separate
>> > > > > issue. But it is part of the solution that users will be
>> eventually
>> > > > > offering so just showing them that the consumers have to go and
>> > > register
>> > > > > themselves with help people with coming up with some custom
>> > > registration
>> > > > > forms, etc. The registration does not have to be done at the
>> server
>> > > > > hosting the resource, it is just important for the OAuth provider
>> be
>> > > > > able to get to the consumer details. I'm fine with assuming at the
>> > > > > moment that the registration handler is collocated with the
>> > > > > endpoints/providers enforcing OAuth flow.
>> > > > >
>> > > > > But the callback uri which is being injected at the moment should
>> go
>> > > > > anyway given that it is part of the actual flow, specifically, the
>> > > > > consumer provides it during the request token request
>> > > > >
>> > > > >> Recently I've noticed that Camel have done oauth client as
>> well:):
>> > > > >> http://camel.apache.org/tutorial-oauth.html
>> > > > >>
>> > > > >> Thanks much for review, and hints.
>> > > > >
>> > > > > thanks for your effort :-)
>> > > > >
>> > > > > Sergey
>> > > > >
>> > > > >> Cheers,
>> > > > >> Lukasz
>> > > > >>
>> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
>> > > > >> > Hi Łukasz
>> > > > >> >
>> > > > >> > Sorry for a delay,  I should've come back earlier to you.
>> > > > >> >
>> > > > >> > I've run the demo hosted at the app engine and I think from the
>> > > > >>
>> > > > >> education
>> > > > >>
>> > > > >> > point of view it is a good demo and it is handy one does not
>> even
>> > > has
>> > > > >> > to build anything in order to try it.
>> > > > >> >
>> > > > >> > I've had a problem building the rt/rs/oauth tests - there's a
>> > bunch
>> > > of
>> > > > >> > CheckStyle errors. Can you please build sandbox/oauth_1.0a from
>> > the
>> > > > >>
>> > > > >> trunk,
>> > > > >>
>> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn install'
>> from
>> > > > >>
>> > > > >> rt/rs/ ?
>> > > > >>
>> > > > >> > One other thing, please move the demo to
>> > > > >> > "distribution/src/main/release/samples/" as well add Readme to
>> it.
>> > > > >> >
>> > > > >> > Also I can not build the demo too, the client build fails with
>> the
>> > > > >>
>> > > > >> following
>> > > > >>
>> > > > >> > dependency missing
>> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
>> > > > >> >
>> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom, have you
>> > built
>> > > it
>> > > > >>
>> > > > >> in
>> > > > >>
>> > > > >> > the GAE dev environment ?
>> > > > >> >
>> > > > >> > Can you please spend a bit of time on cleaning the build a bit
>> :
>> > > > >> > - fix the checkstyle errors and move the demo to the
>> > > > >> > ""distribution/src/main/release/samples/"" area and also add
>> > Readme;
>> > > > >>
>> > > > >> after
>> > > > >>
>> > > > >> > building the distribution (mvn install in trunk/distribution)
>> you
>> > > can
>> > > > >>
>> > > > >> easily
>> > > > >>
>> > > > >> > verify the demo can be run by locating in the target.
>> > > > >> > - add the oauth dependency in the parent pom so that the
>> rs/oauth
>> > > > >> > module
>> > > > >>
>> > > > >> can
>> > > > >>
>> > > > >> > depend on it without specifying a version and have the demo
>> client
>> > > > >>
>> > > > >> module
>> > > > >>
>> > > > >> > depending on rt/rs/oauth module instead (similarly to the
>> server
>> > > one)
>> > > > >> > - during the main build please use the Spring version CXF
>> depends
>> > > upon
>> > > > >>
>> > > > >> and
>> > > > >>
>> > > > >> > use its -Pspring3 profile to build for the deployment into GAE
>> > > > >> >
>> > > > >> > As far as the demo is concerned. I looked at the server part
>> and
>> > it
>> > > > >>
>> > > > >> looks
>> > > > >>
>> > > > >> > complicated enough :-) but I think it makes sense to me. I'll
>> > likely
>> > > > >> > ask
>> > > > >>
>> > > > >> for
>> > > > >>
>> > > > >> > some modifications but perhaps if you could start with updating
>> > the
>> > > > >> > demo such that a consumer initiates its own registration with
>> the
>> > > > >> > OAuth
>> > > > >>
>> > > > >> server :
>> > > > >> > I can see at the moment an oauth provider is injected with some
>> > > sample
>> > > > >> > consumer properties. I'm not sure what is the best way to do it
>> :
>> > > may
>> > > > >> > be
>> > > > >>
>> > > > >> the
>> > > > >>
>> > > > >> > server can return a registration form or the client can just
>> push
>> > > the
>> > > > >> > registration info itself.
>> > > > >> >
>> > > > >> > Overall I think it is a good progress indeed especially given
>> the
>> > > > >>
>> > > > >> complexity
>> > > > >>
>> > > > >> > of the whole effort.
>> > > > >> >
>> > > > >> >
>> > > > >> >
>> > > > >> > thanks, Sergey
>> > > > >> >
>> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
>> > > [hidden email]
>> > > > >> >
>> > > > >> >wrote:
>> > > > >> >> Hi all,
>> > > > >> >>
>> > > > >> >> I have managed to create two sample OAuth applications:
>> > > > >> >> ordinary OAuth 1.0a client:
>> http://www.oauthclient.appspot.com
>> > > > >> >> and authorization server that uses CXF OAuth module:
>> > > > >> >> http://www.cxfoauthserver.appspot.com
>> > > > >> >>
>> > > > >> >> Both sample applications and changes in oauth library are
>> > committed
>> > > in
>> > > > >> >> sandbox.
>> > > > >> >>
>> > > > >> >> OAuth configuration in sample authorization server app looks a
>> > bit
>> > > > >> >> awfully but I think most of that can be hidden and done out of
>> > > band.
>> > > > >> >> There is still some areas in specification not covered by
>> > > > >> >> implementation, so I would like to take care of that in next
>> > steps.
>> > > > >> >>
>> > > > >> >> Thanks in advance for some feedback.
>> > > > >> >>
>> > > > >> >> Cheers,
>> > > > >> >> Lukasz
>> > >
>> > > --
>> > > Daniel Kulp
>> > > [hidden email]
>> > > http://dankulp.com/blog
>> > >
>> >
>>
>
>

Re: OAuth client and server demos

Sergey Beryozkin
Hi Łukasz

Can you please fix checkstyle errors in the demo...
Re the callback URI: I think one of the providers on the server is
configured with the callback URI

thanks, Sergey


2010/8/2 Łukasz Moreń <[hidden email]>

> >
> > Please update the demo so that the consumer
>
> registers itself, plus supplies a callback itself with a request token
> >  request
>
>
> callback url is passed in this request, however this request is done in
> backend through URLConnection so it's not visible at UI.
>
> Cheers, Lukasz
>
> On 2 August 2010 at 13:36, Łukasz Moreń <[hidden email]> wrote:
>
> > Hi,
> > I've committed changes I've made:
> > - added possibility to register new OAuth client applications at OAuth
> > server
> > - OAuth demos moved to distribution\src\main\samples\
> > - added README to OAuth demos
> > - fixes in pom.xml files
> >
> >  - fix the checkstyle errors and move the demo to the
> >
> > ""distribution/src/main/release/samples/"" area and also add Readme;
> after
> >
> > building the distribution (mvn install in trunk/distribution) you can
> >> easily
> >
> > verify the demo can be run by locating in the target.
> >
> >
> > fixed that, and added readme
> >
> >
> >> - add the oauth dependency in the parent pom so that the rs/oauth module
> >> can
> >
> > depend on it without specifying a version and have the demo client module
> >
> > depending on rt/rs/oauth module instead (similarly to the server one)
> >
> >
> > done, however demo client doesn't need to depend on rt/rs/oauth as it
> doesn't
> > use cxf functionality, just on oauth libraries
> >
> >
> >> - during the main build please use the Spring version CXF depends upon
> and
> >
> > use its -Pspring3 profile to build for the deployment into GAE
> >
> >
> > changed, both client and server demos need to be built with -Pspring3
> for
> > local jetty run and GAE as well.
> > Otherwise I would need use different spring config files for spring 2.5
> and
> > 3.0.x
> >
> > Cheers, Lukasz
> >
> > On 29 July 2010 at 21:15, Sergey Beryozkin <[hidden email]> wrote:
> >
> > Hi
> >>
> >> 2010/7/29 Łukasz Moreń <[hidden email]>
> >>
> >> > Hi,
> >> >
> >> > I'm still working on refactoring and changes in demo you suggested.
> >> > I will likely update it tomorrow.
> >> >
> >> > I'll likely ask for some modifications but perhaps if you could start
> >> with
> >> > > updating the demo
> >> >
> >> > such that a consumer initiates its own registration with the OAuth
> >> server.
> >> >
> >> >
> >> > I'm going to put high effort on my GSoC project next weeks. I would
> >> really
> >> > appreciate,
> >> > if you would have some more modifications requests/directions which
> >> project
> >> > should go, as you have limited time next week
> >> > and current changes will not take long.
> >> >
> >> > From what I'm seeing, I need to cover spec with code, simplify
> >> > configuration
> >> > and do more testing.
> >> >
> >> >
> >> I have to sign off now...Please update the demo so that the consumer
> >> registers itself, plus supplies a callback itself with a request token
> >> request, add README and it would let users start experimenting. IMHO the
> >> initial phase can be considered complete once there's a demo there which
> >> can
> >> show users what they need to do.
> >>
> >> We can then discuss things further
> >>
> >> cheers, Sergey
> >>
> >>
> >>
> >> > Cheers,
> >> > Lukasz
> >> >
> >> > 2010/7/29 Daniel Kulp <[hidden email]>
> >> >
> >> > >
> >> > > You probably just need to change your deps to:
> >> > >
> >> > > geronimo-servlet_3.0_spec
> >> > >
> >> > >
> >> > > Dan
> >> > >
> >> > >
> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
> >> > > > Hi Lucasz
> >> > > >
> >> > > > I can't build the oauth sandbox project, seeing
> >> > > > [ERROR] FATAL ERROR
> >> > > > [INFO]
> >> > > >
> >> >
> ------------------------------------------------------------------------
> >> > > > [INFO] Error building POM (may not be this project's POM).
> >> > > >
> >> > > >
> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> >> > > > POM Location:
> >> > > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >> > > > Validation Messages:
> >> > > >
> >> > > >     [0]  'dependencies.dependency.version' is missing for
> >> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> >> > > >
> >> > > >
> >> > > > Reason: Failed to validate POM for project
> >> > org.apache.cxf:cxf-rt-rs-oauth
> >> > > > at
> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >> > > >
> >> > > > so I can not review the latest merge, sorry. I could've tried to
> fix
> >> > this
> >> > > > issue but I'm not sure if you're finished with the refactoring
> just
> >> > yet.
> >> > > > I'll be travelling tomorrow and I'll have some very limited time
> >> during
> >> > > the
> >> > > > evenings next week but I'll try to provide some feedback at least
> >> > > >
> >> > > > cheers, Sergey
> >> > > >
> >> > > >
> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
> >> > > >
> >> > > > > Hi Łukasz
> >> > > > >
> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
> >> > > > >
> >> > > > > Hi Sergey,
> >> > > > >
> >> > > > >> I'm really sorry for such commit, I know it shouldn't happen. I
> >> > turned
> >> > > > >> off checkstyle as i couldn't configure it properly on intellij
> >> and
> >> > it
> >> > > > >> was annoying during development.
> >> > > > >> I will apply proper changes ASAP.
> >> > > > >>
> >> > > > >> no worries at all, I've broken the real builds with checkstyle
> >> > errors
> >> > > so
> >> > > > >
> >> > > > > many times and it is the CXF sandbox after :-)
> >> > > > >
> >> > > > >> According to the demo, I built it as usual web-app, if it
> worked,
> >> > use
> >> > > > >> this same sources to deploy on GAE.
> >> > > > >> However because of GAE restrictions it always needs minor
> changes
> >> > > > >> before deploy, i.e. GAE can't read configuration files such as:
> >> > > > >> cxf-extension-http.xml
> >> > > > >> from jars, so I copied it to WEB-INF folder.
> >> > > > >> Committed to svn version does not depend on GAE SDK and can be
> run
> >> > > > >> locally with jetty:run.
> >> > > > >>
> >> > > > >> Yes, I warned about server configuration part:). I will take
> care
> >> to
> >> > > > >> make it simpler.
> >> > > > >
> >> > > > > I do not think it is too complicated - the simplification can be
> >> done
> >> > > > > once the whole flow is sound...
> >> > > > >
> >> > > > >> So far, oauth consumer properties are hardcoded and injected
> into
> >> > > > >> oauth provider, as I think it is not oauth library
> responsibility
> >> to
> >> > > > >> deal with consumer registration.
> >> > > > >> However for demo it would be good to have something like that.
> I
> >> > would
> >> > > > >> do registration form at the server as it is done by current big
> >> > oauth
> >> > > > >> implementations.
> >> > > > >
> >> > > > > I agree that conceptually the registration of consumers is a
> >> separate
> >> > > > > issue. But it is part of the solution that users will be
> >> eventually
> >> > > > > offering so just showing them that the consumers have to go and
> >> > > register
> >> > > > > themselves with help people with coming up with some custom
> >> > > registration
> >> > > > > forms, etc. The registration does not have to be done at the
> >> server
> >> > > > > hosting the resource, it is just important for the OAuth
> provider
> >> be
> >> > > > > able to get to the consumer details. I'm fine with assuming at
> the
> >> > > > > moment that the registration handler is collocated with the
> >> > > > > endpoints/providers enforcing OAuth flow.
> >> > > > >
> >> > > > > But the callback uri which is being injected at the moment
> should
> >> go
> >> > > > > anyway given that it is part of the actual flow, specifically,
> the
> >> > > > > consumer provides it during the request token request
> >> > > > >
> >> > > > >> Recently I've noticed that Camel have done oauth client as
> >> well:):
> >> > > > >> http://camel.apache.org/tutorial-oauth.html
> >> > > > >>
> >> > > > >> Thanks much for review, and hints.
> >> > > > >
> >> > > > > thanks for your effort :-)
> >> > > > >
> >> > > > > Sergey
> >> > > > >
> >> > > > >> Cheers,
> >> > > > >> Lukasz
> >> > > > >>
> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
> >> > > > >> > Hi Łukasz
> >> > > > >> >
> >> > > > >> > Sorry for a delay,  I should've come back earlier to you.
> >> > > > >> >
> >> > > > >> > I've run the demo hosted at the app engine and I think from
> the
> >> > > > >>
> >> > > > >> education
> >> > > > >>
> >> > > > >> > point of view it is a good demo and it is handy one does not
> >> even
> >> > > has
> >> > > > >> > to build anything in order to try it.
> >> > > > >> >
> >> > > > >> > I've had a problem building the rt/rs/oauth tests - there's a
> >> > bunch
> >> > > of
> >> > > > >> > CheckStyle errors. Can you please build sandbox/oauth_1.0a
> from
> >> > the
> >> > > > >>
> >> > > > >> trunk,
> >> > > > >>
> >> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn install'
> >> from
> >> > > > >>
> >> > > > >> rt/rs/ ?
> >> > > > >>
> >> > > > >> > One other thing, please move the demo to
> >> > > > >> > "distribution/src/main/release/samples/" as well add Readme
> to
> >> it.
> >> > > > >> >
> >> > > > >> > Also I can not build the demo too, the client build fails
> with
> >> the
> >> > > > >>
> >> > > > >> following
> >> > > > >>
> >> > > > >> > dependency missing
> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> >> > > > >> >
> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom, have you
> >> > built
> >> > > it
> >> > > > >>
> >> > > > >> in
> >> > > > >>
> >> > > > >> > the GAE dev environment ?
> >> > > > >> >
> >> > > > >> > Can you please spend a bit of time on cleaning the build a
> bit
> >> :
> >> > > > >> > - fix the checkstyle errors and move the demo to the
> >> > > > >> > ""distribution/src/main/release/samples/"" area and also add
> >> > Readme;
> >> > > > >>
> >> > > > >> after
> >> > > > >>
> >> > > > >> > building the distribution (mvn install in trunk/distribution)
> >> you
> >> > > can
> >> > > > >>
> >> > > > >> easily
> >> > > > >>
> >> > > > >> > verify the demo can be run by locating in the target.
> >> > > > >> > - add the oauth dependency in the parent pom so that the
> >> rs/oauth
> >> > > > >> > module
> >> > > > >>
> >> > > > >> can
> >> > > > >>
> >> > > > >> > depend on it without specifying a version and have the demo
> >> client
> >> > > > >>
> >> > > > >> module
> >> > > > >>
> >> > > > >> > depending on rt/rs/oauth module instead (similarly to the
> >> server
> >> > > one)
> >> > > > >> > - during the main build please use the Spring version CXF
> >> depends
> >> > > upon
> >> > > > >>
> >> > > > >> and
> >> > > > >>
> >> > > > >> > use its -Pspring3 profile to build for the deployment into
> GAE
> >> > > > >> >
> >> > > > >> > As far as the demo is concerned. I looked at the server part
> >> and
> >> > it
> >> > > > >>
> >> > > > >> looks
> >> > > > >>
> >> > > > >> > complicated enough :-) but I think it makes sense to me. I'll
> >> > likely
> >> > > > >> > ask
> >> > > > >>
> >> > > > >> for
> >> > > > >>
> >> > > > >> > some modifications but perhaps if you could start with
> updating
> >> > the
> >> > > > >> > demo such that a consumer initiates its own registration with
> >> the
> >> > > > >> > OAuth
> >> > > > >>
> >> > > > >> server :
> >> > > > >> > I can see at the moment an oauth provider is injected with
> some
> >> > > sample
> >> > > > >> > consumer properties. I'm not sure what is the best way to do
> it
> >> :
> >> > > may
> >> > > > >> > be
> >> > > > >>
> >> > > > >> the
> >> > > > >>
> >> > > > >> > server can return a registration form or the client can just
> >> push
> >> > > the
> >> > > > >> > registration info itself.
> >> > > > >> >
> >> > > > >> > Overall I think it is a good progress indeed especially given
> >> the
> >> > > > >>
> >> > > > >> complexity
> >> > > > >>
> >> > > > >> > of the whole effort.
> >> > > > >> >
> >> > > > >> >
> >> > > > >> >
> >> > > > >> > thanks, Sergey
> >> > > > >> >
> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
> >> > > [hidden email]
> >> > > > >> >
> >> > > > >> >wrote:
> >> > > > >> >> Hi all,
> >> > > > >> >>
> >> > > > >> >> I have managed to create two sample OAuth applications:
> >> > > > >> >> ordinary OAuth 1.0a client:
> >> http://www.oauthclient.appspot.com
> >> > > > >> >> and authorization server that uses CXF OAuth module:
> >> > > > >> >> http://www.cxfoauthserver.appspot.com
> >> > > > >> >>
> >> > > > >> >> Both sample applications and changes in oauth library are
> >> > committed
> >> > > in
> >> > > > >> >> sandbox.
> >> > > > >> >>
> >> > > > >> >> OAuth configuration in sample authorization server app looks
> a
> >> > bit
> >> > > > >> >> awfully but I think most of that can be hidden and done out
> of
> >> > > band.
> >> > > > >> >> There is still some areas in specification not covered by
> >> > > > >> >> implementation, so I would like to take care of that in next
> >> > steps.
> >> > > > >> >>
> >> > > > >> >> Thanks in advance for some feedback.
> >> > > > >> >>
> >> > > > >> >> Cheers,
> >> > > > >> >> Lukasz
> >> > >
> >> > > --
> >> > > Daniel Kulp
> >> > > [hidden email]
> >> > > http://dankulp.com/blog
> >> > >
> >> >
> >>
> >
> >
>
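The callback point discussed in this message, that in OAuth 1.0a the consumer supplies `oauth_callback` inside the signed request token request instead of the provider being configured with it, shown as an added example (not code from the CXF sandbox or the demos). The keys, URLs, registry layout and the host-matching policy are assumptions made up for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit

# Constructed sample values (assumptions, not taken from the demo applications).
CONSUMER_KEY = "demo-consumer-key"
CONSUMER_SECRET = "demo-consumer-secret"
REQUEST_TOKEN_URL = "https://provider.example/oauth/request_token"
CALLBACK_URL = "https://consumer.example/oauth/callback"

# Provider-side registry filled in when a consumer registers (hypothetical layout).
REGISTERED = {
    CONSUMER_KEY: {"secret": CONSUMER_SECRET, "callback_host": "consumer.example"},
}


def pct(value):
    """Percent-encode per RFC 5849 section 3.6: only unreserved characters stay."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameters (signature excluded)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1; the token secret is empty at the request token step."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_request_token_params(callback, nonce=None, timestamp=None):
    """Consumer side: the callback travels in the signed request itself."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if callback is not None:
        params["oauth_callback"] = callback
    params["oauth_signature"] = sign("POST", REQUEST_TOKEN_URL, params,
                                     CONSUMER_SECRET)
    return params


def handle_request_token(params):
    """Provider side: returns (HTTP status, response fields).

    Nonce and timestamp replay tracking is left out to keep the focus on
    the callback handling.
    """
    consumer = REGISTERED.get(params.get("oauth_consumer_key"))
    if consumer is None:
        return 401, {"error": "consumer_key_unknown"}

    # The callback is part of the signed parameters, so changing it in
    # transit invalidates the signature.
    expected = sign("POST", REQUEST_TOKEN_URL, params, consumer["secret"])
    supplied = params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 401, {"error": "signature_invalid"}

    # OAuth 1.0a requires oauth_callback here ("oob" when there is none).
    callback = params.get("oauth_callback")
    if not callback:
        return 400, {"error": "parameter_absent", "parameter": "oauth_callback"}

    # Assumed policy: the callback host must match the one given at registration.
    if callback != "oob":
        parts = urlsplit(callback)
        if parts.scheme != "https" or parts.hostname != consumer["callback_host"]:
            return 400, {"error": "callback_not_registered"}

    return 200, {
        "oauth_token": secrets.token_hex(8),
        "oauth_token_secret": secrets.token_hex(16),
        "oauth_callback_confirmed": "true",
    }


if __name__ == "__main__":
    request = build_request_token_params(CALLBACK_URL)
    print(signature_base_string("POST", REQUEST_TOKEN_URL, request))
    print(handle_request_token(request))
```
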

Re: OAuth client and server demos

Sergey Beryozkin
Hi Łukasz

I can see the merges flowing :-), I'll be reviewing your work tonight;

To the list: we've exchanged a few private emails to do with build issues I
was encountering and Łukasz addressed them fast; we also agreed that for the
initial phase making a demo easy to understand and build upon was the main
goal...

cheers, Sergey

2010/8/5 Sergey Beryozkin <[hidden email]>

> Hi Łukasz
>
> can you please fix checkstyle errors in the demo...
> Re the callback uri : I think one of the providers on the server is
> configured with the callback URI
>
> thanks, Sergey
>
>
> 2010/8/2 Łukasz Moreń <[hidden email]>
>
> >
>> > Please update the demo so that the consumer
>>
>> registers itself, plus supplies a callback itself with a request token
>> >  request
>>
>>
>> callback url is passed in this request, however this request is done in
>> backend through URLConnection so it's not visible at UI.
>>
>> Cheers, Lukasz
>>
>> On 2 August 2010 at 13:36, Łukasz Moreń <[hidden email]> wrote:
>>
>> > Hi,
>> > I've committed changes I've made:
>> > - added possibility to register new OAuth client applications at OAuth
>> > server
>> > - OAuth demos moved to distribution\src\main\samples\
>> > - added README to OAuth demos
>> > - fixes in pom.xml files
>> >
>> >  - fix the checkstyle errors and move the demo to the
>> >
>> > ""distribution/src/main/release/samples/"" area and also add Readme;
>> after
>> >
>> > building the distribution (mvn install in trunk/distribution) you can
>> >> easily
>> >
>> > verify the demo can be run by locating in the target.
>> >
>> >
>> > fixed that, and added readme
>> >
>> >
>> >> - add the oauth dependency in the parent pom so that the rs/oauth
>> module
>> >> can
>> >
>> > depend on it without specifying a version and have the demo client
>> module
>> >
>> > depending on rt/rs/oauth module instead (similarly to the server one)
>> >
>> >
>> > done, however demo client doesn't need to depend on rt/rs/oauth as it
>> doesn't
>> > use cxf functionality, just on oauth libraries
>> >
>> >
>> >> - during the main build please use the Spring version CXF depends upon
>> and
>> >
>> > use its -Pspring3 profile to build for the deployment into GAE
>> >
>> >
>> > changed, both client and server demos need to be built with -Pspring3
>> for
>> > local jetty run and GAE as well.
>> > Otherwise I would need use different spring config files for spring 2.5
>> and
>> > 3.0.x
>> >
>> > Cheers, Lukasz
>> >
>> > On 29 July 2010 at 21:15, Sergey Beryozkin <[hidden email]> wrote:
>> >
>> > Hi
>> >>
>> >> 2010/7/29 Łukasz Moreń <[hidden email]>
>> >>
>> >> > Hi,
>> >> >
>> >> > I'm still working on refactoring and changes in demo you suggested.
>> >> > I will likely update it tomorrow.
>> >> >
>> >> > I'll likely ask for some modifications but perhaps if you could start
>> >> with
>> >> > > updating the demo
>> >> >
>> >> > such that a consumer initiates its own registration with the OAuth
>> >> server.
>> >> >
>> >> >
>> >> > I'm going to put high effort on my GSoC project next weeks. I would
>> >> really
>> >> > appreciate,
>> >> > if you would have some more modifications requests/directions which
>> >> project
>> >> > should go, as you have limited time next week
>> >> > and current changes will not take long.
>> >> >
>> >> > From what I'm seeing, I need to cover spec with code, simplify
>> >> > configuration
>> >> > and do more testing.
>> >> >
>> >> >
>> >> I have to sign off now...Please update the demo so that the consumer
>> >> registers itself, plus supplies a callback itself with a request token
>> >> request, add README and it would let users start experimenting. IMHO
>> the
>> >> initial phase can be considered complete once there's a demo there
>> which
>> >> can
>> >> show users what they need to do.
>> >>
>> >> We can then discuss things further
>> >>
>> >> cheers, Sergey
>> >>
>> >>
>> >>
>> >> > Cheers,
>> >> > Lukasz
>> >> >
>> >> > 2010/7/29 Daniel Kulp <[hidden email]>
>> >> >
>> >> > >
>> >> > > You probably just need to change your deps to:
>> >> > >
>> >> > > geronimo-servlet_3.0_spec
>> >> > >
>> >> > >
>> >> > > Dan
>> >> > >
>> >> > >
>> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
>> >> > > > Hi Lucasz
>> >> > > >
>> >> > > > I can't build the oauth sandbox project, seeing
>> >> > > > [ERROR] FATAL ERROR
>> >> > > > [INFO]
>> >> > > >
>> >> >
>> ------------------------------------------------------------------------
>> >> > > > [INFO] Error building POM (may not be this project's POM).
>> >> > > >
>> >> > > >
>> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
>> >> > > > POM Location:
>> >> > > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>> >> > > > Validation Messages:
>> >> > > >
>> >> > > >     [0]  'dependencies.dependency.version' is missing for
>> >> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
>> >> > > >
>> >> > > >
>> >> > > > Reason: Failed to validate POM for project
>> >> > org.apache.cxf:cxf-rt-rs-oauth
>> >> > > > at
>> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>> >> > > >
>> >> > > > so I can not review the latest merge, sorry. I could've tried to
>> fix
>> >> > this
>> >> > > > issue but I'm not sure if you're finished with the refactoring
>> just
>> >> > yet.
>> >> > > > I'll be travelling tomorrow and I'll have some very limited time
>> >> during
>> >> > > the
>> >> > > > evenings next week but I'll try to provide some feedback at least
>> >> > > >
>> >> > > > cheers, Sergey
>> >> > > >
>> >> > > >
>> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
>> >> > > >
>> >> > > > > Hi Łukasz
>> >> > > > >
>> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
>> >> > > > >
>> >> > > > > Hi Sergey,
>> >> > > > >
>> >> > > > >> I'm really sorry for such commit, I know it shouldn't happen.
>> I
>> >> > turned
>> >> > > > >> off checkstyle as i couldn't configure it properly on intellij
>> >> and
>> >> > it
>> >> > > > >> was annoying during development.
>> >> > > > >> I will apply proper changes ASAP.
>> >> > > > >>
>> >> > > > >> no worries at all, I've broken the real builds with checkstyle
>> >> > errors
>> >> > > so
>> >> > > > >
>> >> > > > > many times and it is the CXF sandbox after :-)
>> >> > > > >
>> >> > > > >> According to the demo, I built it as usual web-app, if it
>> worked,
>> >> > use
>> >> > > > >> this same sources to deploy on GAE.
>> >> > > > >> However because of GAE restrictions it always needs minor
>> changes
>> >> > > > >> before deploy, i.e. GAE can't read configuration files such
>> as:
>> >> > > > >> cxf-extension-http.xml
>> >> > > > >> from jars, so I copied it to WEB-INF folder.
>> >> > > > >> Committed to svn version does not depend on GAE SDK and can be
>> run
>> >> > > > >> locally with jetty:run.
>> >> > > > >>
>> >> > > > >> Yes, I warned about server configuration part:). I will take
>> care
>> >> to
>> >> > > > >> make it simpler.
>> >> > > > >
>> >> > > > > I do not think it is too complicated - the simplification can
>> be
>> >> done
>> >> > > > > once the whole flow is sound...
>> >> > > > >
>> >> > > > >> So far, oauth consumer properties are hardcoded and injected
>> into
>> >> > > > >> oauth provider, as I think it is not oauth library
>> responsibility
>> >> to
>> >> > > > >> deal with consumer registration.
>> >> > > > >> However for demo it would be good to have something like that.
>> I
>> >> > would
>> >> > > > >> do registration form at the server as it is done by current
>> big
>> >> > oauth
>> >> > > > >> implementations.
>> >> > > > >
>> >> > > > > I agree that conceptually the registration of consumers is a
>> >> separate
>> >> > > > > issue. But it is part of the solution that users will be
>> >> eventually
>> >> > > > > offering so just showing them that the consumers have to go and
>> >> > > register
>> >> > > > > themselves with help people with coming up with some custom
>> >> > > registration
>> >> > > > > forms, etc. The registration does not have to be done at the
>> >> server
>> >> > > > > hosting the resource, it is just important for the OAuth
>> provider
>> >> be
>> >> > > > > able to get to the consumer details. I'm fine with assuming at
>> the
>> >> > > > > moment that the registration handler is collocated with the
>> >> > > > > endpoints/providers enforcing OAuth flow.
>> >> > > > >
>> >> > > > > But the callback uri which is being injected at the moment
>> should
>> >> go
>> >> > > > > anyway given that it is part of the actual flow, specifically,
>> the
>> >> > > > > consumer provides it during the request token request
>> >> > > > >
>> >> > > > >> Recently I've noticed that Camel have done oauth client as
>> >> well:):
>> >> > > > >> http://camel.apache.org/tutorial-oauth.html
>> >> > > > >>
>> >> > > > >> Thanks much for review, and hints.
>> >> > > > >
>> >> > > > > thanks for your effort :-)
>> >> > > > >
>> >> > > > > Sergey
>> >> > > > >
>> >> > > > >> Cheers,
>> >> > > > >> Lukasz
>> >> > > > >>
>> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
>> >> > > > >> > Hi Łukasz
>> >> > > > >> >
>> >> > > > >> > Sorry for a delay,  I should've come back earlier to you.
>> >> > > > >> >
>> >> > > > >> > I've run the demo hosted at the app engine and I think from
>> the
>> >> > > > >>
>> >> > > > >> education
>> >> > > > >>
>> >> > > > >> > point of view it is a good demo and it is handy one does not
>> >> even
>> >> > > has
>> >> > > > >> > to build anything in order to try it.
>> >> > > > >> >
>> >> > > > >> > I've had a problem building the rt/rs/oauth tests - there's
>> a
>> >> > bunch
>> >> > > of
>> >> > > > >> > CheckStyle errors. Can you please build sandbox/oauth_1.0a
>> from
>> >> > the
>> >> > > > >>
>> >> > > > >> trunk,
>> >> > > > >>
>> >> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn
>> install'
>> >> from
>> >> > > > >>
>> >> > > > >> rt/rs/ ?
>> >> > > > >>
>> >> > > > >> > One other thing, please move the demo to
>> >> > > > >> > "distribution/src/main/release/samples/" as well add Readme
>> to
>> >> it.
>> >> > > > >> >
>> >> > > > >> > Also I can not build the demo too, the client build fails
>> with
>> >> the
>> >> > > > >>
>> >> > > > >> following
>> >> > > > >>
>> >> > > > >> > dependency missing
>> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
>> >> > > > >> >
>> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom, have
>> you
>> >> > built
>> >> > > it
>> >> > > > >>
>> >> > > > >> in
>> >> > > > >>
>> >> > > > >> > the GAE dev environment ?
>> >> > > > >> >
>> >> > > > >> > Can you please spend a bit of time on cleaning the build a
>> bit
>> >> :
>> >> > > > >> > - fix the checkstyle errors and move the demo to the
>> >> > > > >> > ""distribution/src/main/release/samples/"" area and also add
>> >> > Readme;
>> >> > > > >>
>> >> > > > >> after
>> >> > > > >>
>> >> > > > >> > building the distribution (mvn install in
>> trunk/distribution)
>> >> you
>> >> > > can
>> >> > > > >>
>> >> > > > >> easily
>> >> > > > >>
>> >> > > > >> > verify the demo can be run by locating in the target.
>> >> > > > >> > - add the oauth dependency in the parent pom so that the
>> >> rs/oauth
>> >> > > > >> > module
>> >> > > > >>
>> >> > > > >> can
>> >> > > > >>
>> >> > > > >> > depend on it without specifying a version and have the demo
>> >> client
>> >> > > > >>
>> >> > > > >> module
>> >> > > > >>
>> >> > > > >> > depending on rt/rs/oauth module instead (similarly to the
>> >> server
>> >> > > one)
>> >> > > > >> > - during the main build please use the Spring version CXF
>> >> depends
>> >> > > upon
>> >> > > > >>
>> >> > > > >> and
>> >> > > > >>
>> >> > > > >> > use its -Pspring3 profile to build for the deployment into
>> GAE
>> >> > > > >> >
>> >> > > > >> > As far as the demo is concerned. I looked at the server part
>> >> and
>> >> > it
>> >> > > > >>
>> >> > > > >> looks
>> >> > > > >>
>> >> > > > >> > complicated enough :-) but I think it makes sense to me.
>> I'll
>> >> > likely
>> >> > > > >> > ask
>> >> > > > >>
>> >> > > > >> for
>> >> > > > >>
>> >> > > > >> > some modifications but perhaps if you could start with
>> updating
>> >> > the
>> >> > > > >> > demo such that a consumer initiates its own registration
>> with
>> >> the
>> >> > > > >> > OAuth
>> >> > > > >>
>> >> > > > >> server :
>> >> > > > >> > I can see at the moment an oauth provider is injected with
>> some
>> >> > > sample
>> >> > > > >> > consumer properties. I'm not sure what is the best way to do
>> it
>> >> :
>> >> > > may
>> >> > > > >> > be
>> >> > > > >>
>> >> > > > >> the
>> >> > > > >>
>> >> > > > >> > server can return a registration form or the client can just
>> >> push
>> >> > > the
>> >> > > > >> > registration info itself.
>> >> > > > >> >
>> >> > > > >> > Overall I think it is a good progress indeed especially
>> given
>> >> the
>> >> > > > >>
>> >> > > > >> complexity
>> >> > > > >>
>> >> > > > >> > of the whole effort.
>> >> > > > >> >
>> >> > > > >> >
>> >> > > > >> >
>> >> > > > >> > thanks, Sergey
>> >> > > > >> >
>> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
>> >> > > [hidden email]
>> >> > > > >> >
>> >> > > > >> >wrote:
>> >> > > > >> >> Hi all,
>> >> > > > >> >>
>> >> > > > >> >> I have managed to create two sample OAuth aplications:
>> >> > > > >> >> ordinary OAuth 1.0a client:
>> >> http://www.oauthclient.appspot.com
>> >> > > > >> >> and authorization server that uses CXF OAuth module:
>> >> > > > >> >> http://www.cxfoauthserver.appspot.com
>> >> > > > >> >>
>> >> > > > >> >> Both sample applications and changes in oauth library are
>> >> > commited
>> >> > > in
>> >> > > > >> >> sandbox.
>> >> > > > >> >>
>> >> > > > >> >> OAuth configuration in sample authorization server app
>> looks a
>> >> > bit
>> >> > > > >> >> awfully but I think most of that can be hidden and done out
>> of
>> >> > > band.
>> >> > > > >> >> There is still some areas in specification not covered by
>> >> > > > >> >> implementation, so I would like to take care of that in
>> next
>> >> > steps.
>> >> > > > >> >>
>> >> > > > >> >> Thanks in advance for some feedback.
>> >> > > > >> >>
>> >> > > > >> >> Cheers,
>> >> > > > >> >> Lukasz
>> >> > >
>> >> > > --
>> >> > > Daniel Kulp
>> >> > > [hidden email]
>> >> > > http://dankulp.com/blog
>> >> > >
>> >> >
>> >>
>> >
>> >
>>
>
>

Re: OAuth client and server demos

Łukasz Moreń
Hi Sergey,

I've added some improvements to the demo and the protocol implementation.
I hope the build will be fine this time.

Cheers,
Lukasz

2010/8/13 Sergey Beryozkin <[hidden email]>

> Hi Łukasz
>
> I can see the merges flowing :-), I'll be reviewing your work tonight;
>
> to the list : we've exchanged few private emails to do with build issues I
> was encountering and Łukasz
>  addressed them fast; we also agreed that for the initial phase making a
> demo easy to understand and build upon was the main goal...
>
> cheers, Sergey
>
> 2010/8/5 Sergey Beryozkin <[hidden email]>
>
> > Hi Łukasz
> >
> > can you please fix checkstyle errors in the demo...
> > Re the callback uri : I think one of the providers on the server is
> > configured with the callback URI
> >
> > thanks, Sergey
> >
> >
> > 2010/8/2 Łukasz Moreń <[hidden email]>
> >
> > >
> >> > Please update the demo so that the consume
> >>
> >> registers itself, plus supplies a callback itself with a request token
> >> >  request
> >>
> >>
> >> callback url is passed in this request, however this request is done in
> >> backend through URLConnection so it's not visible at UI.
> >>
> >> Cheers, Lukasz
> >>
> >> On 2 August 2010 13:36, Łukasz Moreń <[hidden email]> wrote:
> >>
> >> > Hi,
> >> > I've committed changes I've made:
> >> > - added possibility to register new OAuth client applications at OAuth
> >> > server
> >> > - OAuth demos moved to distribution\src\main\samples\
> >> > - added README to OAuth demos
> >> > - fixes in pom.xml files
> >> >
> >> >  - fix the checkstyle errors and move the demo to the
> >> >
> >> > ""distribution/src/main/release/samples/"" area and also add Readme;
> >> after
> >> >
> >> > building the distribution (mvn install in trunk/distribution) you can
> >> >> easily
> >> >
> >> > verify the demo can be run by locating in the target.
> >> >
> >> >
> >> > fixed that, and added readme
> >> >
> >> >
> >> >> - add the oauth dependency in the parent pom so that the rs/oauth
> >> module
> >> >> can
> >> >
> >> > depend on it without specifying a version and have the demo client
> >> module
> >> >
> >> > depending on rt/rs/oauth module instead (similarly to the server one)
> >> >
> >> >
> >> > done, hovewer demo client don't need to depend on rt/rs/oauth as it
> >> doesn't
> >> > use cxf functionality, just on oauth libraries
> >> >
> >> >
> >> >> - during the main build please use the Spring version CXF depends
> upon
> >> and
> >> >
> >> > use its -Pspring3 profile to build for the deployment into GAE
> >> >
> >> >
> >> > changed, both client and server demos needs to be build with -Pspring3
> >> for
> >> > local jetty run and GAE as well.
> >> > Otherwise I would need use different spring config files for spring
> 2.5
> >> and
> >> > 3.0.x
> >> >
> >> > Cheers, Lukasz
> >> >
> >> > On 29 July 2010 21:15, Sergey Beryozkin <[hidden email]> wrote:
> >> >
> >> > Hi
> >> >>
> >> >> 2010/7/29 Łukasz Moreń <[hidden email]>
> >> >>
> >> >> > Hi,
> >> >> >
> >> >> > I'm still working on refactoring and changes in demo you suggested.
> >> >> > I will likely update it tomorrow.
> >> >> >
> >> >> > I'll likely ask for some modifications but perhaps if you could
> start
> >> >> with
> >> >> > > updating the demo
> >> >> >
> >> >> > such that a consumer initiates its own registration with the OAuth
> >> >> server.
> >> >> >
> >> >> >
> >> >> > I'm going to put high effort on my GSoC project next weeks. I would
> >> >> really
> >> >> > appreciate,
> >> >> > if you would have some more modifications requests/directions which
> >> >> project
> >> >> > should go, as you have limited time next week
> >> >> > and current changes will not take long.
> >> >> >
> >> >> > From what I'm seeing, I need to cover spec with code, simplify
> >> >> > configuration
> >> >> > and do more testing.
> >> >> >
> >> >> >
> >> >> I have to sign off now...Please update the demo so that the consumer
> >> >> registers itself, plus supplies a callback itself with a request
> token
> >> >> request, add README and it would let users start experimenting. IMHO
> >> the
> >> >> initial phase can be considered complete once there's a demo there
> >> which
> >> >> can
> >> >> show users what they need to do.
> >> >>
> >> >> We can then discuss things further
> >> >>
> >> >> cheers, Sergey
> >> >>
> >> >>
> >> >>
> >> >> > Cheers,
> >> >> > Lukasz
> >> >> >
> >> >> > 2010/7/29 Daniel Kulp <[hidden email]>
> >> >> >
> >> >> > >
> >> >> > > You probably just need to change your deps to:
> >> >> > >
> >> >> > > geronimo-servlet_3.0_spec
> >> >> > >
> >> >> > >
> >> >> > > Dan
> >> >> > >
> >> >> > >
> >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
> >> >> > > > Hi Lucasz
> >> >> > > >
> >> >> > > > I can't build the oauth sandbox project, seeing
> >> >> > > > [ERROR] FATAL ERROR
> >> >> > > > [INFO]
> >> >> > > >
> >> >> >
> >> ------------------------------------------------------------------------
> >> >> > > > [INFO] Error building POM (may not be this project's POM).
> >> >> > > >
> >> >> > > >
> >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> >> >> > > > POM Location:
> >> >> > > >
> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >> >> > > > Validation Messages:
> >> >> > > >
> >> >> > > >     [0]  'dependencies.dependency.version' is missing for
> >> >> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> >> >> > > >
> >> >> > > >
> >> >> > > > Reason: Failed to validate POM for project
> >> >> > org.apache.cxf:cxf-rt-rs-oauth
> >> >> > > > at
> >> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >> >> > > >
> >> >> > > > so I can not review the latest merge, sorry. I could've tried
> to
> >> fix
> >> >> > this
> >> >> > > > issue but I'm not sure if you're finished with the refactoring
> >> just
> >> >> > yet.
> >> >> > > > I'll be travelling tomorrow and I'll have some very limited
> time
> >> >> during
> >> >> > > the
> >> >> > > > evenings next week but I'll try to provide some feedback at
> least
> >> >> > > >
> >> >> > > > cheers, Sergey
> >> >> > > >
> >> >> > > >
> >> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
> >> >> > > >
> >> >> > > > > Hi Łukasz
> >> >> > > > >
> >> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
> >> >> > > > >
> >> >> > > > > Hi Sergey,
> >> >> > > > >
> >> >> > > > >> I'm really sorry for such commit, I know it shouldn't
> happen.
> >> I
> >> >> > turned
> >> >> > > > >> off checkstyle as i couldn't configure it properly on
> intellij
> >> >> and
> >> >> > it
> >> >> > > > >> was annoying during development.
> >> >> > > > >> I will apply proper changes ASAP.
> >> >> > > > >>
> >> >> > > > >> no worries at all, I've broken the real builds with
> checkstyle
> >> >> > errors
> >> >> > > so
> >> >> > > > >
> >> >> > > > > many times and it is the CXF sandbox after :-)
> >> >> > > > >
> >> >> > > > >> According to the demo, I built it as usual web-app, if it
> >> worked,
> >> >> > use
> >> >> > > > >> this same sources to deploy on GAE.
> >> >> > > > >> However because of GAE restrictions it always needs minor
> >> changes
> >> >> > > > >> before deploy, i.e. GAE can't read configuration files such
> >> as:
> >> >> > > > >> cxf-extension-http.xml
> >> >> > > > >> from jars, so I copied it to WEB-INF folder.
> >> >> > > > >> Commited to svn version does not depend on GAE SDK and can
> be
> >> run
> >> >> > > > >> locally with jetty:run.
> >> >> > > > >>
> >> >> > > > >> Yes, I warned about server configuration part:). I will take
> >> care
> >> >> to
> >> >> > > > >> make it simpler.
> >> >> > > > >
> >> >> > > > > I do not think it is too complicated - the simplification can
> >> be
> >> >> done
> >> >> > > > > once the whole flow is sound...
> >> >> > > > >
> >> >> > > > >> So far, oauth consumer properties are hardcoded and injected
> >> into
> >> >> > > > >> oauth provider, as I think it is not oauth library
> >> responsibility
> >> >> to
> >> >> > > > >> deal with consumer registration.
> >> >> > > > >> Hovewer for demo it would be good to have something like
> that.
> >> I
> >> >> > would
> >> >> > > > >> do registration form at the server as it is done by current
> >> big
> >> >> > oauth
> >> >> > > > >> implementations.
> >> >> > > > >
> >> >> > > > > I agree that conceptually the registration of consumers is a
> >> >> separate
> >> >> > > > > issue. But it is part of the solution that users will be
> >> >> eventually
> >> >> > > > > offering so just showing them that the consumers have to go
> and
> >> >> > > register
> >> >> > > > > themselves with help people with coming up with some custom
> >> >> > > registration
> >> >> > > > > forms, etc. The registration does not have to be done at the
> >> >> server
> >> >> > > > > hosting the resource, it is just important for the OAuth
> >> provider
> >> >> be
> >> >> > > > > able to get to the consumer details. I'm fine with assuming
> at
> >> the
> >> >> > > > > moment that the registration handler is collocated with the
> >> >> > > > > endpoints/providers enforcing OAuth flow.
> >> >> > > > >
> >> >> > > > > But the callback uri which is being injected at the moment
> >> should
> >> >> go
> >> >> > > > > anyway given that it is part of the actual flow,
> specifically,
> >> the
> >> >> > > > > consumer provides it during the request token request
> >> >> > > > >
> >> >> > > > >> Recently I've noticed that Camel have done oauth client as
> >> >> well:):
> >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
> >> >> > > > >>
> >> >> > > > >> Thanks much for review, and hints.
> >> >> > > > >
> >> >> > > > > thanks for your effort :-)
> >> >> > > > >
> >> >> > > > > Sergey
> >> >> > > > >
> >> >> > > > >> Cheers,
> >> >> > > > >> Lukasz
> >> >> > > > >>
> >> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
> >> >> > > > >> > Hi Łukasz
> >> >> > > > >> >
> >> >> > > > >> > Sorry for a delay,  I should've come back earlier to you.
> >> >> > > > >> >
> >> >> > > > >> > I've run the demo hosted at the app engine and I think
> from
> >> the
> >> >> > > > >>
> >> >> > > > >> education
> >> >> > > > >>
> >> >> > > > >> > point of view it is a good demo and it is handy one does
> not
> >> >> even
> >> >> > > has
> >> >> > > > >> > to build anything in order to try it.
> >> >> > > > >> >
> >> >> > > > >> > I've had a problem building the rt/rs/oauth tests -
> there's
> >> a
> >> >> > bunch
> >> >> > > of
> >> >> > > > >> > CheckStyle errors. Can you please build sandbox/oauth_1.0a
> >> from
> >> >> > the
> >> >> > > > >>
> >> >> > > > >> trunk,
> >> >> > > > >>
> >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn
> >> install'
> >> >> from
> >> >> > > > >>
> >> >> > > > >> rt/rs/ ?
> >> >> > > > >>
> >> >> > > > >> > One other thing, please move the demo to
> >> >> > > > >> > "distribution/src/main/release/samples/" as well add
> Readme
> >> to
> >> >> it.
> >> >> > > > >> >
> >> >> > > > >> > Also I can not build the demo too, the client build fails
> >> with
> >> >> the
> >> >> > > > >>
> >> >> > > > >> following
> >> >> > > > >>
> >> >> > > > >> > dependency missing
> >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> >> >> > > > >> >
> >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom, have
> >> you
> >> >> > built
> >> >> > > it
> >> >> > > > >>
> >> >> > > > >> in
> >> >> > > > >>
> >> >> > > > >> > the GAE dev environment ?
> >> >> > > > >> >
> >> >> > > > >> > Can you please spend a bit of time on cleaning the build a
> >> bit
> >> >> :
> >> >> > > > >> > - fix the checkstyle errors and move the demo to the
> >> >> > > > >> > ""distribution/src/main/release/samples/"" area and also
> add
> >> >> > Readme;
> >> >> > > > >>
> >> >> > > > >> after
> >> >> > > > >>
> >> >> > > > >> > building the distribution (mvn install in
> >> trunk/distribution)
> >> >> you
> >> >> > > can
> >> >> > > > >>
> >> >> > > > >> easily
> >> >> > > > >>
> >> >> > > > >> > verify the demo can be run by locating in the target.
> >> >> > > > >> > - add the oauth dependency in the parent pom so that the
> >> >> rs/oauth
> >> >> > > > >> > module
> >> >> > > > >>
> >> >> > > > >> can
> >> >> > > > >>
> >> >> > > > >> > depend on it without specifying a version and have the
> demo
> >> >> client
> >> >> > > > >>
> >> >> > > > >> module
> >> >> > > > >>
> >> >> > > > >> > depending on rt/rs/oauth module instead (similarly to the
> >> >> server
> >> >> > > one)
> >> >> > > > >> > - during the main build please use the Spring version CXF
> >> >> depends
> >> >> > > upon
> >> >> > > > >>
> >> >> > > > >> and
> >> >> > > > >>
> >> >> > > > >> > use its -Pspring3 profile to build for the deployment into
> >> GAE
> >> >> > > > >> >
> >> >> > > > >> > As far as the demo is concerned. I looked at the server
> part
> >> >> and
> >> >> > it
> >> >> > > > >>
> >> >> > > > >> looks
> >> >> > > > >>
> >> >> > > > >> > complicated enough :-) but I think it makes sense to me.
> >> I'll
> >> >> > likely
> >> >> > > > >> > ask
> >> >> > > > >>
> >> >> > > > >> for
> >> >> > > > >>
> >> >> > > > >> > some modifications but perhaps if you could start with
> >> updating
> >> >> > the
> >> >> > > > >> > demo such that a consumer initiates its own registration
> >> with
> >> >> the
> >> >> > > > >> > OAuth
> >> >> > > > >>
> >> >> > > > >> server :
> >> >> > > > >> > I can see at the moment an oauth provider is injected with
> >> some
> >> >> > > sample
> >> >> > > > >> > consumer properties. I'm not sure what is the best way to
> do
> >> it
> >> >> :
> >> >> > > may
> >> >> > > > >> > be
> >> >> > > > >>
> >> >> > > > >> the
> >> >> > > > >>
> >> >> > > > >> > server can return a registration form or the client can
> just
> >> >> push
> >> >> > > the
> >> >> > > > >> > registration info itself.
> >> >> > > > >> >
> >> >> > > > >> > Overall I think it is a good progress indeed especially
> >> given
> >> >> the
> >> >> > > > >>
> >> >> > > > >> complexity
> >> >> > > > >>
> >> >> > > > >> > of the whole effort.
> >> >> > > > >> >
> >> >> > > > >> >
> >> >> > > > >> >
> >> >> > > > >> > thanks, Sergey
> >> >> > > > >> >
> >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
> >> >> > > [hidden email]
> >> >> > > > >> >
> >> >> > > > >> >wrote:
> >> >> > > > >> >> Hi all,
> >> >> > > > >> >>
> >> >> > > > >> >> I have managed to create two sample OAuth aplications:
> >> >> > > > >> >> ordinary OAuth 1.0a client:
> >> >> http://www.oauthclient.appspot.com
> >> >> > > > >> >> and authorization server that uses CXF OAuth module:
> >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
> >> >> > > > >> >>
> >> >> > > > >> >> Both sample applications and changes in oauth library are
> >> >> > commited
> >> >> > > in
> >> >> > > > >> >> sandbox.
> >> >> > > > >> >>
> >> >> > > > >> >> OAuth configuration in sample authorization server app
> >> looks a
> >> >> > bit
> >> >> > > > >> >> awfully but I think most of that can be hidden and done
> out
> >> of
> >> >> > > band.
> >> >> > > > >> >> There is still some areas in specification not covered by
> >> >> > > > >> >> implementation, so I would like to take care of that in
> >> next
> >> >> > steps.
> >> >> > > > >> >>
> >> >> > > > >> >> Thanks in advance for some feedback.
> >> >> > > > >> >>
> >> >> > > > >> >> Cheers,
> >> >> > > > >> >> Lukasz
> >> >> > >
> >> >> > > --
> >> >> > > Daniel Kulp
> >> >> > > [hidden email]
> >> >> > > http://dankulp.com/blog
> >> >> > >
> >> >> >
> >> >>
> >> >
> >> >
> >>
> >
> >
>

Re: OAuth client and server demos

Sergey Beryozkin
Hi Łukasz

2010/8/13 Łukasz Moreń <[hidden email]>

> Hi Sergey,
>
> I've added some improvements to demo and protocol implementation.
> I hope this time build will be fine.
>
>
I've had no problems building this time. Thanks for sorting the build issues
out.
The only minor hitch is that I had to add
<relativePath>../../pom.xml</relativePath>
to both oauth client & server demo modules in order to build them. Not sure
if I could've built them by running
'mvn install' from samples directly (in distribution/target/.../samples)
given that we also have to use -Pspring3. Not a big issue - please recheck
just in case...

So I've started the server and client web apps and run the demo easily. So it's
all nearly there, and IMHO the project is in good shape, as far as GSOC is
concerned. Hopefully you can continue preparing it for the move to the
trunk :-)

Here are some comments on the existing demo - see if you could do anything
till the 16th, if not then it can be dealt with later on.

The client registration form requires a user to register a callback URI. But
I understand that a callback URI is only provided by a client when
requesting a temp/request token? That said, requiring what I'd call a
'connect' or 'reply-to' URI registered during the (secure) client
registration process may help with enforcing that the actual callback URI
provided by the client *matches* the one provided at the registration, using
a startsWith function. I've seen it in the Facebook docs and I also did
something similar in my own project - is this the idea?
If yes - then please check it's a startsWith check that is used - but also
consider making providing a callback URI optional at the client registration
time.

The other thing is that a client key is also generated. This is probably
correct but I'm wondering whether it would make sense to let the consumer
register its own key and have the authorization server generate only the
shared secret. The consumer might also want to optionally provide its
description such as "OAuth 1.0 client" as in the demo, etc. This might make
it a bit simpler for a client (i.e., it will only have to manage a shared
secret).

In the client webapp a PLAINTEXT option is offered - is it an OAuth 2.0-like
thing where HTTPS is assumed? I'd just consider removing this option and
have only hmac-sha1 left.

This is probably it so far. I'm not very excited about JSPs being used in
the demo :-) but I guess it is not too bad and shows something that many
people would consider doing in practice.

Overall it is a really good effort toward helping CXF users to
start/experiment with OAuth.

Thanks

Sergey
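
An added example, not part of this thread or of the CXF code, of the callback check discussed in the message above: a raw `startsWith` on the two strings beside a prefix check on parsed URI components (scheme, host, port, path boundary), which goes beyond the plain string comparison mentioned in the message. The class and method names and the sample URIs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class CallbackUriCheck {

    /** The check as literally described: a raw string prefix comparison. */
    static boolean rawStartsWith(String registered, String supplied) {
        return supplied.startsWith(registered);
    }

    /**
     * Prefix check on parsed components: scheme, host and port must be equal,
     * and the supplied path must equal the registered path or extend it at a
     * "/" boundary. Query parameters are allowed to differ.
     */
    static boolean matchesRegistered(String registered, String supplied) {
        URI reg;
        URI sup;
        try {
            reg = new URI(registered).normalize();
            sup = new URI(supplied).normalize();
        } catch (URISyntaxException e) {
            return false; // unparsable input (spaces, backslashes, ...) is rejected
        }
        // Only absolute, server-based URIs are acceptable callbacks here.
        if (reg.getScheme() == null || reg.getHost() == null
                || sup.getScheme() == null || sup.getHost() == null) {
            return false;
        }
        // A callback has no reason to carry user-info or a fragment.
        if (sup.getRawUserInfo() != null || sup.getRawFragment() != null) {
            return false;
        }
        String regPath = pathOf(reg);
        String supPath = pathOf(sup);
        // Conservative choice: refuse encoded dots/slashes and leftover ".." segments,
        // which normalize() does not resolve.
        String lower = supPath.toLowerCase(Locale.ROOT);
        if (lower.contains("%2e") || lower.contains("%2f") || lower.contains("%5c")) {
            return false;
        }
        for (String segment : supPath.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        if (!reg.getScheme().equalsIgnoreCase(sup.getScheme())
                || !reg.getHost().equalsIgnoreCase(sup.getHost())
                || effectivePort(reg) != effectivePort(sup)) {
            return false;
        }
        if (supPath.equals(regPath)) {
            return true;
        }
        // Extend only at a segment boundary: "/oauth/cb" covers "/oauth/cb/x", not "/oauth/cbx".
        String prefix = regPath.endsWith("/") ? regPath : regPath + "/";
        return supPath.startsWith(prefix);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        return scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
    }

    static String pathOf(URI u) {
        String p = u.getRawPath();
        return (p == null || p.isEmpty()) ? "/" : p;
    }

    public static void main(String[] args) {
        // Constructed sample data: { registered URI, callback sent with the request token request }
        String[][] cases = {
            {"https://client.example.com/oauth/cb", "https://client.example.com/oauth/cb?state=1"},
            {"https://client.example.com/oauth/cb", "https://client.example.com/oauth/cb/step2"},
            {"https://client.example.com/oauth/cb", "HTTPS://Client.Example.com:443/oauth/cb"},
            {"https://client.example.com/oauth/cb", "https://client.example.com/oauth/cbx"},
            {"https://client.example.com/oauth/cb", "https://client.example.com/oauth/cb/../../other"},
            {"https://client.example.com", "https://client.example.com.other.example/cb"},
        };
        for (String[] c : cases) {
            System.out.printf("raw=%-5b parsed=%-5b %s%n",
                    rawStartsWith(c[0], c[1]), matchesRegistered(c[0], c[1]), c[1]);
        }
    }
}
```

The two checks agree on the first two cases and disagree on the other four: the raw comparison rejects the equivalent upper-case form and accepts the last three, which the parsed check rejects.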


> Cheers,
> Lukasz
>
> 2010/8/13 Sergey Beryozkin <[hidden email]>
>
> > Hi Łukasz
> >
> > I can see the merges flowing :-), I'll be reviewing your work tonight;
> >
> > to the list : we've exchanged few private emails to do with build issues
> I
> > was encountering and Łukasz
> >  addressed them fast; we also agreed that for the initial phase making a
> > demo easy to understand and build upon was the main goal...
> >
> > cheers, Sergey
> >
> > 2010/8/5 Sergey Beryozkin <[hidden email]>
> >
> > > Hi Łukasz
> > >
> > > can you please fix checkstyle errors in the demo...
> > > Re the callback uri : I think one of the providers on the server is
> > > configured with the callback URI
> > >
> > > thanks, Sergey
> > >
> > >
> > > 2010/8/2 Łukasz Moreń <[hidden email]>
> > >
> > > >
> > >> > Please update the demo so that the consume
> > >>
> > >> registers itself, plus supplies a callback itself with a request token
> > >> >  request
> > >>
> > >>
> > >> callback url is passed in this request, however this request is done
> in
> > >> backend through URLConnection so it's not visible at UI.
> > >>
> > >> Cheers, Lukasz
> > >>
> > >> On 2 August 2010 13:36, Łukasz Moreń <[hidden email]> wrote:
> > >>
> > >> > Hi,
> > >> > I've committed changes I've made:
> > >> > - added possibility to register new OAuth client applications at
> OAuth
> > >> > server
> > >> > - OAuth demos moved to distribution\src\main\samples\
> > >> > - added README to OAuth demos
> > >> > - fixes in pom.xml files
> > >> >
> > >> >  - fix the checkstyle errors and move the demo to the
> > >> >
> > >> > ""distribution/src/main/release/samples/"" area and also add Readme;
> > >> after
> > >> >
> > >> > building the distribution (mvn install in trunk/distribution) you
> can
> > >> >> easily
> > >> >
> > >> > verify the demo can be run by locating in the target.
> > >> >
> > >> >
> > >> > fixed that, and added readme
> > >> >
> > >> >
> > >> >> - add the oauth dependency in the parent pom so that the rs/oauth
> > >> module
> > >> >> can
> > >> >
> > >> > depend on it without specifying a version and have the demo client
> > >> module
> > >> >
> > >> > depending on rt/rs/oauth module instead (similarly to the server
> one)
> > >> >
> > >> >
> > >> > done, hovewer demo client don't need to depend on rt/rs/oauth as it
> > >> doesn't
> > >> > use cxf functionality, just on oauth libraries
> > >> >
> > >> >
> > >> >> - during the main build please use the Spring version CXF depends
> > upon
> > >> and
> > >> >
> > >> > use its -Pspring3 profile to build for the deployment into GAE
> > >> >
> > >> >
> > >> > changed, both client and server demos needs to be build with
> -Pspring3
> > >> for
> > >> > local jetty run and GAE as well.
> > >> > Otherwise I would need use different spring config files for spring
> > 2.5
> > >> and
> > >> > 3.0.x
> > >> >
> > >> > Cheers, Lukasz
> > >> >
> > >> > On 29 July 2010 21:15, Sergey Beryozkin <[hidden email]> wrote:
> > >> >
> > >> > Hi
> > >> >>
> > >> >> 2010/7/29 Łukasz Moreń <[hidden email]>
> > >> >>
> > >> >> > Hi,
> > >> >> >
> > >> >> > I'm still working on refactoring and changes in demo you
> suggested.
> > >> >> > I will likely update it tomorrow.
> > >> >> >
> > >> >> > I'll likely ask for some modifications but perhaps if you could
> > start
> > >> >> with
> > >> >> > > updating the demo
> > >> >> >
> > >> >> > such that a consumer initiates its own registration with the
> OAuth
> > >> >> server.
> > >> >> >
> > >> >> >
> > >> >> > I'm going to put high effort on my GSoC project next weeks. I
> would
> > >> >> really
> > >> >> > appreciate,
> > >> >> > if you would have some more modifications requests/directions
> which
> > >> >> project
> > >> >> > should go, as you have limited time next week
> > >> >> > and current changes will not take long.
> > >> >> >
> > >> >> > From what I'm seeing, I need to cover spec with code, simplify
> > >> >> > configuration
> > >> >> > and do more testing.
> > >> >> >
> > >> >> >
> > >> >> I have to sign off now...Please update the demo so that the
> consumer
> > >> >> registers itself, plus supplies a callback itself with a request
> > token
> > >> >> request, add README and it would let users start experimenting.
> IMHO
> > >> the
> > >> >> initial phase can be considered complete once there's a demo there
> > >> which
> > >> >> can
> > >> >> show users what they need to do.
> > >> >>
> > >> >> We can then discuss things further
> > >> >>
> > >> >> cheers, Sergey
> > >> >>
> > >> >>
> > >> >>
> > >> >> > Cheers,
> > >> >> > Lukasz
> > >> >> >
> > >> >> > 2010/7/29 Daniel Kulp <[hidden email]>
> > >> >> >
> > >> >> > >
> > >> >> > > You probably just need to change your deps to:
> > >> >> > >
> > >> >> > > geronimo-servlet_3.0_spec
> > >> >> > >
> > >> >> > >
> > >> >> > > Dan
> > >> >> > >
> > >> >> > >
> > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
> > >> >> > > > Hi Lucasz
> > >> >> > > >
> > >> >> > > > I can't build the oauth sandbox project, seeing
> > >> >> > > > [ERROR] FATAL ERROR
> > >> >> > > > [INFO]
> > >> >> > > >
> > >> >> >
> > >>
> ------------------------------------------------------------------------
> > >> >> > > > [INFO] Error building POM (may not be this project's POM).
> > >> >> > > >
> > >> >> > > >
> > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> > >> >> > > > POM Location:
> > >> >> > > >
> > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > >> >> > > > Validation Messages:
> > >> >> > > >
> > >> >> > > >     [0]  'dependencies.dependency.version' is missing for
> > >> >> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> > >> >> > > >
> > >> >> > > >
> > >> >> > > > Reason: Failed to validate POM for project
> > >> >> > org.apache.cxf:cxf-rt-rs-oauth
> > >> >> > > > at
> > >> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > >> >> > > >
> > >> >> > > > so I can not review the latest merge, sorry. I could've tried
> > to
> > >> fix
> > >> >> > this
> > >> >> > > > issue but I'm not sure if you're finished with the
> refactoring
> > >> just
> > >> >> > yet.
> > >> >> > > > I'll be travelling tomorrow and I'll have some very limited
> > time
> > >> >> during
> > >> >> > > the
> > >> >> > > > evenings next week but I'll try to provide some feedback at
> > least
> > >> >> > > >
> > >> >> > > > cheers, Sergey
> > >> >> > > >
> > >> >> > > >
> > >> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
> > >> >> > > >
> > >> >> > > > > Hi Łukasz
> > >> >> > > > >
> > >> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
> > >> >> > > > >
> > >> >> > > > > Hi Sergey,
> > >> >> > > > >
> > >> >> > > > >> I'm really sorry for such commit, I know it shouldn't
> > happen.
> > >> I
> > >> >> > turned
> > >> >> > > > >> off checkstyle as i couldn't configure it properly on
> > intellij
> > >> >> and
> > >> >> > it
> > >> >> > > > >> was annoying during development.
> > >> >> > > > >> I will apply proper changes ASAP.
> > >> >> > > > >>
> > >> >> > > > >> no worries at all, I've broken the real builds with
> > checkstyle
> > >> >> > errors
> > >> >> > > so
> > >> >> > > > >
> > >> >> > > > > many times and it is the CXF sandbox after :-)
> > >> >> > > > >
> > >> >> > > > >> According to the demo, I built it as usual web-app, if it
> > >> worked,
> > >> >> > use
> > >> >> > > > >> this same sources to deploy on GAE.
> > >> >> > > > >> However because of GAE restrictions it always needs minor
> > >> changes
> > >> >> > > > >> before deploy, i.e. GAE can't read configuration files
> such
> > >> as:
> > >> >> > > > >> cxf-extension-http.xml
> > >> >> > > > >> from jars, so I copied it to WEB-INF folder.
> > >> >> > > > >> Commited to svn version does not depend on GAE SDK and can
> > be
> > >> run
> > >> >> > > > >> locally with jetty:run.
> > >> >> > > > >>
> > >> >> > > > >> Yes, I warned about server configuration part:). I will
> take
> > >> care
> > >> >> to
> > >> >> > > > >> make it simpler.
> > >> >> > > > >
> > >> >> > > > > I do not think it is too complicated - the simplification
> can
> > >> be
> > >> >> done
> > >> >> > > > > once the whole flow is sound...
> > >> >> > > > >
> > >> >> > > > >> So far, oauth consumer properties are hardcoded and
> injected
> > >> into
> > >> >> > > > >> oauth provider, as I think it is not oauth library
> > >> responsibility
> > >> >> to
> > >> >> > > > >> deal with consumer registration.
> > >> >> > > > >> Hovewer for demo it would be good to have something like
> > that.
> > >> I
> > >> >> > would
> > >> >> > > > >> do registration form at the server as it is done by
> current
> > >> big
> > >> >> > oauth
> > >> >> > > > >> implementations.
> > >> >> > > > >
> > >> >> > > > > I agree that conceptually the registration of consumers is
> a
> > >> >> separate
> > >> >> > > > > issue. But it is part of the solution that users will be
> > >> >> eventually
> > >> >> > > > > offering so just showing them that the consumers have to go
> > and
> > >> >> > > register
> > >> >> > > > > themselves with help people with coming up with some custom
> > >> >> > > registration
> > >> >> > > > > forms, etc. The registration does not have to be done at
> the
> > >> >> server
> > >> >> > > > > hosting the resource, it is just important for the OAuth
> > >> provider
> > >> >> be
> > >> >> > > > > able to get to the consumer details. I'm fine with assuming
> > at
> > >> the
> > >> >> > > > > moment that the registration handler is collocated with the
> > >> >> > > > > endpoints/providers enforcing OAuth flow.
> > >> >> > > > >
> > >> >> > > > > But the callback uri which is being injected at the moment
> > >> should
> > >> >> go
> > >> >> > > > > anyway given that it is part of the actual flow,
> > specifically,
> > >> the
> > >> >> > > > > consumer provides it during the request token request
> > >> >> > > > >
> > >> >> > > > >> Recently I've noticed that Camel have done oauth client as
> > >> >> well:):
> > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
> > >> >> > > > >>
> > >> >> > > > >> Thanks much for review, and hints.
> > >> >> > > > >
> > >> >> > > > > thanks for your effort :-)
> > >> >> > > > >
> > >> >> > > > > Sergey
> > >> >> > > > >
> > >> >> > > > >> Cheers,
> > >> >> > > > >> Lukasz
> > >> >> > > > >>
> > >> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
> > >> >> > > > >> > Hi Łukasz
> > >> >> > > > >> >
> > >> >> > > > >> > Sorry for a delay,  I should've come back earlier to
> you.
> > >> >> > > > >> >
> > >> >> > > > >> > I've run the demo hosted at the app engine and I think
> > from
> > >> the
> > >> >> > > > >>
> > >> >> > > > >> education
> > >> >> > > > >>
> > >> >> > > > >> > point of view it is a good demo and it is handy one does
> > not
> > >> >> even
> > >> >> > > has
> > >> >> > > > >> > to build anything in order to try it.
> > >> >> > > > >> >
> > >> >> > > > >> > I've had a problem building the rt/rs/oauth tests -
> > there's
> > >> a
> > >> >> > bunch
> > >> >> > > of
> > >> >> > > > >> > CheckStyle errors. Can you please build
> sandbox/oauth_1.0a
> > >> from
> > >> >> > the
> > >> >> > > > >>
> > >> >> > > > >> trunk,
> > >> >> > > > >>
> > >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn
> > >> install'
> > >> >> from
> > >> >> > > > >>
> > >> >> > > > >> rt/rs/ ?
> > >> >> > > > >>
> > >> >> > > > >> > One other thing, please move the demo to
> > >> >> > > > >> > "distribution/src/main/release/samples/" as well add
> > Readme
> > >> to
> > >> >> it.
> > >> >> > > > >> >
> > >> >> > > > >> > Also I can not build the demo too, the client build
> fails
> > >> with
> > >> >> the
> > >> >> > > > >>
> > >> >> > > > >> following
> > >> >> > > > >>
> > >> >> > > > >> > dependency missing
> > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> > >> >> > > > >> >
> > >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom,
> have
> > >> you
> > >> >> > built
> > >> >> > > it
> > >> >> > > > >>
> > >> >> > > > >> in
> > >> >> > > > >>
> > >> >> > > > >> > the GAE dev environment ?
> > >> >> > > > >> >
> > >> >> > > > >> > Can you please spend a bit of time on cleaning the build
> a
> > >> bit
> > >> >> :
> > >> >> > > > >> > - fix the checkstyle errors and move the demo to the
> > >> >> > > > >> > ""distribution/src/main/release/samples/"" area and also
> > add
> > >> >> > Readme;
> > >> >> > > > >>
> > >> >> > > > >> after
> > >> >> > > > >>
> > >> >> > > > >> > building the distribution (mvn install in
> > >> trunk/distribution)
> > >> >> you
> > >> >> > > can
> > >> >> > > > >>
> > >> >> > > > >> easily
> > >> >> > > > >>
> > >> >> > > > >> > verify the demo can be run by locating in the target.
> > >> >> > > > >> > - add the oauth dependency in the parent pom so that the
> > >> >> rs/oauth
> > >> >> > > > >> > module
> > >> >> > > > >>
> > >> >> > > > >> can
> > >> >> > > > >>
> > >> >> > > > >> > depend on it without specifying a version and have the
> > demo
> > >> >> client
> > >> >> > > > >>
> > >> >> > > > >> module
> > >> >> > > > >>
> > >> >> > > > >> > depending on rt/rs/oauth module instead (similarly to
> the
> > >> >> server
> > >> >> > > one)
> > >> >> > > > >> > - during the main build please use the Spring version
> CXF
> > >> >> depends
> > >> >> > > upon
> > >> >> > > > >>
> > >> >> > > > >> and
> > >> >> > > > >>
> > >> >> > > > >> > use its -Pspring3 profile to build for the deployment
> into
> > >> GAE
> > >> >> > > > >> >
> > >> >> > > > >> > As far as the demo is concerned. I looked at the server
> > part
> > >> >> and
> > >> >> > it
> > >> >> > > > >>
> > >> >> > > > >> looks
> > >> >> > > > >>
> > >> >> > > > >> > complicated enough :-) but I think it makes sense to me.
> > >> I'll
> > >> >> > likely
> > >> >> > > > >> > ask
> > >> >> > > > >>
> > >> >> > > > >> for
> > >> >> > > > >>
> > >> >> > > > >> > some modifications but perhaps if you could start with
> > >> updating
> > >> >> > the
> > >> >> > > > >> > demo such that a consumer initiates its own registration
> > >> with
> > >> >> the
> > >> >> > > > >> > OAuth
> > >> >> > > > >>
> > >> >> > > > >> server :
> > >> >> > > > >> > I can see at the moment an oauth provider is injected
> with
> > >> some
> > >> >> > > sample
> > >> >> > > > >> > consumer properties. I'm not sure what is the best way
> to
> > do
> > >> it
> > >> >> :
> > >> >> > > may
> > >> >> > > > >> > be
> > >> >> > > > >>
> > >> >> > > > >> the
> > >> >> > > > >>
> > >> >> > > > >> > server can return a registration form or the client can
> > just
> > >> >> push
> > >> >> > > the
> > >> >> > > > >> > registration info itself.
> > >> >> > > > >> >
> > >> >> > > > >> > Overall I think it is a good progress indeed especially
> > >> given
> > >> >> the
> > >> >> > > > >>
> > >> >> > > > >> complexity
> > >> >> > > > >>
> > >> >> > > > >> > of the whole effort.
> > >> >> > > > >> >
> > >> >> > > > >> >
> > >> >> > > > >> >
> > >> >> > > > >> > thanks, Sergey
> > >> >> > > > >> >
> > >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
> > >> >> > > [hidden email]
> > >> >> > > > >> >
> > >> >> > > > >> >wrote:
> > >> >> > > > >> >> Hi all,
> > >> >> > > > >> >>
> > >> >> > > > >> >> I have managed to create two sample OAuth aplications:
> > >> >> > > > >> >> ordinary OAuth 1.0a client:
> > >> >> http://www.oauthclient.appspot.com
> > >> >> > > > >> >> and authorization server that uses CXF OAuth module:
> > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
> > >> >> > > > >> >>
> > >> >> > > > >> >> Both sample applications and changes in oauth library
> are
> > >> >> > commited
> > >> >> > > in
> > >> >> > > > >> >> sandbox.
> > >> >> > > > >> >>
> > >> >> > > > >> >> OAuth configuration in sample authorization server app
> > >> looks a
> > >> >> > bit
> > >> >> > > > >> >> awfully but I think most of that can be hidden and done
> > out
> > >> of
> > >> >> > > band.
> > >> >> > > > >> >> There is still some areas in specification not covered
> by
> > >> >> > > > >> >> implementation, so I would like to take care of that in
> > >> next
> > >> >> > steps.
> > >> >> > > > >> >>
> > >> >> > > > >> >> Thanks in advance for some feedback.
> > >> >> > > > >> >>
> > >> >> > > > >> >> Cheers,
> > >> >> > > > >> >> Lukasz
> > >> >> > >
> > >> >> > > --
> > >> >> > > Daniel Kulp
> > >> >> > > [hidden email]
> > >> >> > > http://dankulp.com/blog
> > >> >> > >
> > >> >> >
> > >> >>
> > >> >
> > >> >
> > >>
> > >
> > >
> >
>

Re: OAuth client and server demos

Łukasz Moreń
Hi Sergey,

Thanks for feedback. More comments below.

2010/8/13 Sergey Beryozkin <[hidden email]>

> Hi Lucasz
>
> 2010/8/13 Łukasz Moreń <[hidden email]>
>
> > Hi Sergey,
> >
> > I've added some improvements to demo and protocol implementation.
> > I hope this time build will be fine.
> >
> >
> I've had no problems building this time. Thanks for sorting the build
> issues
> out.
> The only minor hitch is that I had to add
> <relativePath>../../pom.xml</relativePath>
> to both oauth client & server demo modules in order to build them. Not sure
> if I could've built them by running
> 'mvn install' from  samples directly (in distribution/target/.../samples)
> given that we also have to use -Pspring3. Not a big issue - please recheck
> just in case...
>

Yes, I think I need to add relativePath to pom.


>
> So I've started server and client web apps and run the demo easily. So it's
> all nearly there, and IMHO the project is in a good shape, as far as GSOC
> is
> concerned. Hopefully you can continue on preparing it to the move to the
> trunk :-)
>
> Here're some comments to the existing demo - see if you could do anything
> till 16th, if not then it can be dealt with later on.
>
>
I will try to do as much as possible till the 16th. There is still plenty to do,
as I see from your comments and
myself, so missing things I will add later.



> The client registration form requires a user to register a callback URI.
> But
> I understand that a callback URI is only provided by a client, when
> requesting a temp/request token ? That said, requiring what I'd call a
> 'connect' or "reply-to" URI registered during the (secure) client
> registration process may help with enforcing that the actual callback URI
> provided by the client *matches* the one provided at the registration,
> using
> a startsWith function. I've seen it in the Facebook docs and I also did
> something similar in my own project - is this the idea ?
>
> If yes - then please check it's a startsWith check that is used - but also
> consider making providing a callback URI optional at the client registration
> time


Yes, I used it for that reason. It can be just passed with the request token
request. All current OAuth 1.0 servers I've seen need to preregister the
callback URI,
and as you said they check if both URIs match.
There is also the possibility to pass the 'oob' (out of band) value as callback URI,
which means it has been established via other means,
so then the server uses the preregistered value. However I think this option is used
in case of native apps.

> The other thing is that a client key is also generated. This is probably
> correct but I'm wondering would it make sense to let the consumer register
> its own key but the authorization server to only generate the shared
> secret.
> Consumer might also want to optionally provide its description such as
> "OAuth 1.0 client" as in the demo, etc.  This might make it a bit simpler
> for a client (i.e, it will only have to manage a shared secret).
>

Yes I think it makes sense. So far consumer key is just hash from
application name and user who registers consumer.



> In a client webapp a PLAINTEXT option is offered - is it OAuth 2.0 like
> thing where HTTPS is assumed ? I'd just consider removing this option and
> have only hmac-sha1 left.
>

I think it's something similar, however there are no signatures in OAuth 2.0
and access_token is assumed to be short lived,
ideally one per request; issuing new tokens is done by the refresh_token
parameter.


> This is probably it so far. I'm not very excited about JSPs being used in
> the demo :-) but I guess it is not too bad and shows something that many
> people would consider doing in practice.
>

I was not sure about using JSPs either :), but I wanted to show basically
how oauth could be added to existing apps
and had no other idea how to replace them.


>
> Overall it is a really good effort toward helping CXF users to
> start/experiment with OAuth.
>


Cheers,
Lukasz



>
> Thanks
>
> Sergey
>
>
> Cheers,
> > Lukasz
> >
> > 2010/8/13 Sergey Beryozkin <[hidden email]>
> >
> > > Hi Łukasz
> > >
> > > I can see the merges flowing :-), I'll be reviewing your work tonight;
> > >
> > > to the list : we've exchanged few private emails to do with build
> issues
> > I
> > > was encountering and Łukasz
> > >  addressed them fast; we also agreed that for the initial phase making
> a
> > > demo easy to understand and build upon was the main goal...
> > >
> > > cheers, Sergey
> > >
> > > 2010/8/5 Sergey Beryozkin <[hidden email]>
> > >
> > > > Hi Łukasz
> > > >
> > > > can you please fix checkstyle errors in the demo...
> > > > Re the callback uri : I think one of the providers on the server is
> > > > configured with the callback URI
> > > >
> > > > thanks, Sergey
> > > >
> > > >
> > > > 2010/8/2 Łukasz Moreń <[hidden email]>
> > > >
> > > > >
> > > >> > Please update the demo so that the consume
> > > >>
> > > >> registers itself, plus supplies a callback itself with a request
> token
> > > >> >  request
> > > >>
> > > >>
> > > >> callback url is passed in this request, however this request is done
> > in
> > > >> backend through URLConnection so it's not visible at UI.
> > > >>
> > > >> Cheers, Lukasz
> > > >>
> > > >> W dniu 2 sierpnia 2010 13:36 użytkownik Łukasz Moreń <
> > > >> [hidden email]
> > > >> > napisał:
> > > >>
> > > >> > Hi,
> > > >> > I've committed changes I've made:
> > > >> > - added possibility to register new OAuth client applications at
> > OAuth
> > > >> > server
> > > >> > - OAuth demos moved to distribution\src\main\samples\
> > > >> > - added README to OAuth demos
> > > >> > - fixes in pom.xml files
> > > >> >
> > > >> >  - fix the checkstyle errors and move the demo to the
> > > >> >
> > > >> > ""distribution/src/main/release/samples/"" area and also add
> Readme;
> > > >> after
> > > >> >
> > > >> > building the distribution (mvn install in trunk/distribution) you
> > can
> > > >> >> easily
> > > >> >
> > > >> > verify the demo can be run by locating in the target.
> > > >> >
> > > >> >
> > > >> > fixed that, and added readme
> > > >> >
> > > >> >
> > > >> >> - add the oauth dependency in the parent pom so that the rs/oauth
> > > >> module
> > > >> >> can
> > > >> >
> > > >> > depend on it without specifying a version and have the demo client
> > > >> module
> > > >> >
> > > >> > depending on rt/rs/oauth module instead (similarly to the server
> > one)
> > > >> >
> > > >> >
> > > >> > done, hovewer demo client don't need to depend on rt/rs/oauth as
> it
> > > >> doesn't
> > > >> > use cxf functionality, just on oauth libraries
> > > >> >
> > > >> >
> > > >> >> - during the main build please use the Spring version CXF depends
> > > upon
> > > >> and
> > > >> >
> > > >> > use its -Pspring3 profile to build for the deployment into GAE
> > > >> >
> > > >> >
> > > >> > changed, both client and server demos needs to be build with
> > -Pspring3
> > > >> for
> > > >> > local jetty run and GAE as well.
> > > >> > Otherwise I would need use different spring config files for
> spring
> > > 2.5
> > > >> and
> > > >> > 3.0.x
> > > >> >
> > > >> > Cheers, Lukasz
> > > >> >
> > > >> > W dniu 29 lipca 2010 21:15 użytkownik Sergey Beryozkin <
> > > >> > [hidden email]> napisał:
> > > >> >
> > > >> > Hi
> > > >> >>
> > > >> >> 2010/7/29 Łukasz Moreń <[hidden email]>
> > > >> >>
> > > >> >> > Hi,
> > > >> >> >
> > > >> >> > I'm still working on refactoring and changes in demo you
> > suggested.
> > > >> >> > I will likely update it tomorrow.
> > > >> >> >
> > > >> >> > I'll likely ask for some modifications but perhaps if you could
> > > start
> > > >> >> with
> > > >> >> > > updating the demo
> > > >> >> >
> > > >> >> > such that a consumer initiates its own registration with the
> > OAuth
> > > >> >> server.
> > > >> >> >
> > > >> >> >
> > > >> >> > I'm going to put high effort on my GSoC project next weeks. I
> > would
> > > >> >> really
> > > >> >> > appreciate,
> > > >> >> > if you would have some more modifications requests/directions
> > which
> > > >> >> project
> > > >> >> > should go, as you have limited time next week
> > > >> >> > and current changes will not take long.
> > > >> >> >
> > > >> >> > From what I'm seeing, I need to cover spec with code, simplify
> > > >> >> > configuration
> > > >> >> > and do more testing.
> > > >> >> >
> > > >> >> >
> > > >> >> I have to sign off now...Please update the demo so that the
> > consumer
> > > >> >> registers itself, plus supplies a callback itself with a request
> > > token
> > > >> >> request, add README and it would let users start experimenting.
> > IMHO
> > > >> the
> > > >> >> initial phase can be considered complete once there's a demo
> there
> > > >> which
> > > >> >> can
> > > >> >> show users what they need to do.
> > > >> >>
> > > >> >> We can then discuss things further
> > > >> >>
> > > >> >> cheers, Sergey
> > > >> >>
> > > >> >>
> > > >> >>
> > > >> >> > Cheers,
> > > >> >> > Lukasz
> > > >> >> >
> > > >> >> > 2010/7/29 Daniel Kulp <[hidden email]>
> > > >> >> >
> > > >> >> > >
> > > >> >> > > You probably just need to change your deps to:
> > > >> >> > >
> > > >> >> > > geronimo-servlet_3.0_spec
> > > >> >> > >
> > > >> >> > >
> > > >> >> > > Dan
> > > >> >> > >
> > > >> >> > >
> > > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
> > > >> >> > > > Hi Lucasz
> > > >> >> > > >
> > > >> >> > > > I can't build the oauth sandbox project, seeing
> > > >> >> > > > [ERROR] FATAL ERROR
> > > >> >> > > > [INFO]
> > > >> >> > > >
> > > >> >> >
> > > >>
> > ------------------------------------------------------------------------
> > > >> >> > > > [INFO] Error building POM (may not be this project's POM).
> > > >> >> > > >
> > > >> >> > > >
> > > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> > > >> >> > > > POM Location:
> > > >> >> > > >
> > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > > >> >> > > > Validation Messages:
> > > >> >> > > >
> > > >> >> > > >     [0]  'dependencies.dependency.version' is missing for
> > > >> >> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> > > >> >> > > >
> > > >> >> > > >
> > > >> >> > > > Reason: Failed to validate POM for project
> > > >> >> > org.apache.cxf:cxf-rt-rs-oauth
> > > >> >> > > > at
> > > >> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > > >> >> > > >
> > > >> >> > > > so I can not review the latest merge, sorry. I could've
> tried
> > > to
> > > >> fix
> > > >> >> > this
> > > >> >> > > > issue but I'm not sure if you're finished with the
> > refactoring
> > > >> just
> > > >> >> > yet.
> > > >> >> > > > I'll be travelling tomorrow and I'll have some very limited
> > > time
> > > >> >> during
> > > >> >> > > the
> > > >> >> > > > evenings next week but I'll try to provide some feedback at
> > > least
> > > >> >> > > >
> > > >> >> > > > cheers, Sergey
> > > >> >> > > >
> > > >> >> > > >
> > > >> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
> > > >> >> > > >
> > > >> >> > > > > Hi Łukasz
> > > >> >> > > > >
> > > >> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
> > > >> >> > > > >
> > > >> >> > > > > Hi Sergey,
> > > >> >> > > > >
> > > >> >> > > > >> I'm really sorry for such commit, I know it shouldn't
> > > happen.
> > > >> I
> > > >> >> > turned
> > > >> >> > > > >> off checkstyle as i couldn't configure it properly on
> > > intellij
> > > >> >> and
> > > >> >> > it
> > > >> >> > > > >> was annoying during development.
> > > >> >> > > > >> I will apply proper changes ASAP.
> > > >> >> > > > >>
> > > >> >> > > > >> no worries at all, I've broken the real builds with
> > > checkstyle
> > > >> >> > errors
> > > >> >> > > so
> > > >> >> > > > >
> > > >> >> > > > > many times and it is the CXF sandbox after :-)
> > > >> >> > > > >
> > > >> >> > > > >> According to the demo, I built it as usual web-app, if
> it
> > > >> worked,
> > > >> >> > use
> > > >> >> > > > >> this same sources to deploy on GAE.
> > > >> >> > > > >> However because of GAE restrictions it always needs
> minor
> > > >> changes
> > > >> >> > > > >> before deploy, i.e. GAE can't read configuration files
> > such
> > > >> as:
> > > >> >> > > > >> cxf-extension-http.xml
> > > >> >> > > > >> from jars, so I copied it to WEB-INF folder.
> > > >> >> > > > >> Commited to svn version does not depend on GAE SDK and
> can
> > > be
> > > >> run
> > > >> >> > > > >> locally with jetty:run.
> > > >> >> > > > >>
> > > >> >> > > > >> Yes, I warned about server configuration part:). I will
> > take
> > > >> care
> > > >> >> to
> > > >> >> > > > >> make it simpler.
> > > >> >> > > > >
> > > >> >> > > > > I do not think it is too complicated - the simplification
> > can
> > > >> be
> > > >> >> done
> > > >> >> > > > > once the whole flow is sound...
> > > >> >> > > > >
> > > >> >> > > > >> So far, oauth consumer properties are hardcoded and
> > injected
> > > >> into
> > > >> >> > > > >> oauth provider, as I think it is not oauth library
> > > >> responsibility
> > > >> >> to
> > > >> >> > > > >> deal with consumer registration.
> > > >> >> > > > >> Hovewer for demo it would be good to have something like
> > > that.
> > > >> I
> > > >> >> > would
> > > >> >> > > > >> do registration form at the server as it is done by
> > current
> > > >> big
> > > >> >> > oauth
> > > >> >> > > > >> implementations.
> > > >> >> > > > >
> > > >> >> > > > > I agree that conceptually the registration of consumers
> is
> > a
> > > >> >> separate
> > > >> >> > > > > issue. But it is part of the solution that users will be
> > > >> >> eventually
> > > >> >> > > > > offering so just showing them that the consumers have to
> go
> > > and
> > > >> >> > > register
> > > >> >> > > > > themselves with help people with coming up with some
> custom
> > > >> >> > > registration
> > > >> >> > > > > forms, etc. The registration does not have to be done at
> > the
> > > >> >> server
> > > >> >> > > > > hosting the resource, it is just important for the OAuth
> > > >> provider
> > > >> >> be
> > > >> >> > > > > able to get to the consumer details. I'm fine with
> assuming
> > > at
> > > >> the
> > > >> >> > > > > moment that the registration handler is collocated with
> the
> > > >> >> > > > > endpoints/providers enforcing OAuth flow.
> > > >> >> > > > >
> > > >> >> > > > > But the callback uri which is being injected at the
> moment
> > > >> should
> > > >> >> go
> > > >> >> > > > > anyway given that it is part of the actual flow,
> > > specifically,
> > > >> the
> > > >> >> > > > > consumer provides it during the request token request
> > > >> >> > > > >
> > > >> >> > > > >> Recently I've noticed that Camel have done oauth client
> as
> > > >> >> well:):
> > > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
> > > >> >> > > > >>
> > > >> >> > > > >> Thanks much for review, and hints.
> > > >> >> > > > >
> > > >> >> > > > > thanks for your effort :-)
> > > >> >> > > > >
> > > >> >> > > > > Sergey
> > > >> >> > > > >
> > > >> >> > > > >> Cheers,
> > > >> >> > > > >> Lukasz
> > > >> >> > > > >>
> > > >> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
> > > >> >> > > > >> > Hi Łukasz
> > > >> >> > > > >> >
> > > >> >> > > > >> > Sorry for a delay,  I should've come back earlier to
> > you.
> > > >> >> > > > >> >
> > > >> >> > > > >> > I've run the demo hosted at the app engine and I think
> > > from
> > > >> the
> > > >> >> > > > >>
> > > >> >> > > > >> education
> > > >> >> > > > >>
> > > >> >> > > > >> > point of view it is a good demo and it is handy one
> does
> > > not
> > > >> >> even
> > > >> >> > > has
> > > >> >> > > > >> > to build anything in order to try it.
> > > >> >> > > > >> >
> > > >> >> > > > >> > I've had a problem building the rt/rs/oauth tests -
> > > there's
> > > >> a
> > > >> >> > bunch
> > > >> >> > > of
> > > >> >> > > > >> > CheckStyle errors. Can you please build
> > sandbox/oauth_1.0a
> > > >> from
> > > >> >> > the
> > > >> >> > > > >>
> > > >> >> > > > >> trunk,
> > > >> >> > > > >>
> > > >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn
> > > >> install'
> > > >> >> from
> > > >> >> > > > >>
> > > >> >> > > > >> rt/rs/ ?
> > > >> >> > > > >>
> > > >> >> > > > >> > One other thing, please move the demo to
> > > >> >> > > > >> > "distribution/src/main/release/samples/" as well add
> > > Readme
> > > >> to
> > > >> >> it.
> > > >> >> > > > >> >
> > > >> >> > > > >> > Also I can not build the demo too, the client build
> > fails
> > > >> with
> > > >> >> the
> > > >> >> > > > >>
> > > >> >> > > > >> following
> > > >> >> > > > >>
> > > >> >> > > > >> > dependency missing
> > > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> > > >> >> > > > >> >
> > > >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom,
> > have
> > > >> you
> > > >> >> > built
> > > >> >> > > it
> > > >> >> > > > >>
> > > >> >> > > > >> in
> > > >> >> > > > >>
> > > >> >> > > > >> > the GAE dev environment ?
> > > >> >> > > > >> >
> > > >> >> > > > >> > Can you please spend a bit of time on cleaning the
> build
> > a
> > > >> bit
> > > >> >> :
> > > >> >> > > > >> > - fix the checkstyle errors and move the demo to the
> > > >> >> > > > >> > ""distribution/src/main/release/samples/"" area and
> also
> > > add
> > > >> >> > Readme;
> > > >> >> > > > >>
> > > >> >> > > > >> after
> > > >> >> > > > >>
> > > >> >> > > > >> > building the distribution (mvn install in
> > > >> trunk/distribution)
> > > >> >> you
> > > >> >> > > can
> > > >> >> > > > >>
> > > >> >> > > > >> easily
> > > >> >> > > > >>
> > > >> >> > > > >> > verify the demo can be run by locating in the target.
> > > >> >> > > > >> > - add the oauth dependency in the parent pom so that
> the
> > > >> >> rs/oauth
> > > >> >> > > > >> > module
> > > >> >> > > > >>
> > > >> >> > > > >> can
> > > >> >> > > > >>
> > > >> >> > > > >> > depend on it without specifying a version and have the
> > > demo
> > > >> >> client
> > > >> >> > > > >>
> > > >> >> > > > >> module
> > > >> >> > > > >>
> > > >> >> > > > >> > depending on rt/rs/oauth module instead (similarly to
> > the
> > > >> >> server
> > > >> >> > > one)
> > > >> >> > > > >> > - during the main build please use the Spring version
> > CXF
> > > >> >> depends
> > > >> >> > > upon
> > > >> >> > > > >>
> > > >> >> > > > >> and
> > > >> >> > > > >>
> > > >> >> > > > >> > use its -Pspring3 profile to build for the deployment
> > into
> > > >> GAE
> > > >> >> > > > >> >
> > > >> >> > > > >> > As far as the demo is concerned. I looked at the
> server
> > > part
> > > >> >> and
> > > >> >> > it
> > > >> >> > > > >>
> > > >> >> > > > >> looks
> > > >> >> > > > >>
> > > >> >> > > > >> > complicated enough :-) but I think it makes sense to
> me.
> > > >> I'll
> > > >> >> > likely
> > > >> >> > > > >> > ask
> > > >> >> > > > >>
> > > >> >> > > > >> for
> > > >> >> > > > >>
> > > >> >> > > > >> > some modifications but perhaps if you could start with
> > > >> updating
> > > >> >> > the
> > > >> >> > > > >> > demo such that a consumer initiates its own
> registration
> > > >> with
> > > >> >> the
> > > >> >> > > > >> > OAuth
> > > >> >> > > > >>
> > > >> >> > > > >> server :
> > > >> >> > > > >> > I can see at the moment an oauth provider is injected
> > with
> > > >> some
> > > >> >> > > sample
> > > >> >> > > > >> > consumer properties. I'm not sure what is the best way
> > to
> > > do
> > > >> it
> > > >> >> :
> > > >> >> > > may
> > > >> >> > > > >> > be
> > > >> >> > > > >>
> > > >> >> > > > >> the
> > > >> >> > > > >>
> > > >> >> > > > >> > server can return a registration form or the client
> can
> > > just
> > > >> >> push
> > > >> >> > > the
> > > >> >> > > > >> > registration info itself.
> > > >> >> > > > >> >
> > > >> >> > > > >> > Overall I think it is a good progress indeed
> especially
> > > >> given
> > > >> >> the
> > > >> >> > > > >>
> > > >> >> > > > >> complexity
> > > >> >> > > > >>
> > > >> >> > > > >> > of the whole effort.
> > > >> >> > > > >> >
> > > >> >> > > > >> >
> > > >> >> > > > >> >
> > > >> >> > > > >> > thanks, Sergey
> > > >> >> > > > >> >
> > > >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
> > > >> >> > > [hidden email]
> > > >> >> > > > >> >
> > > >> >> > > > >> >wrote:
> > > >> >> > > > >> >> Hi all,
> > > >> >> > > > >> >>
> > > >> >> > > > >> >> I have managed to create two sample OAuth
> aplications:
> > > >> >> > > > >> >> ordinary OAuth 1.0a client:
> > > >> >> http://www.oauthclient.appspot.com
> > > >> >> > > > >> >> and authorization server that uses CXF OAuth module:
> > > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
> > > >> >> > > > >> >>
> > > >> >> > > > >> >> Both sample applications and changes in oauth library
> > are
> > > >> >> > commited
> > > >> >> > > in
> > > >> >> > > > >> >> sandbox.
> > > >> >> > > > >> >>
> > > >> >> > > > >> >> OAuth configuration in sample authorization server
> app
> > > >> looks a
> > > >> >> > bit
> > > >> >> > > > >> >> awfully but I think most of that can be hidden and
> done
> > > out
> > > >> of
> > > >> >> > > band.
> > > >> >> > > > >> >> There is still some areas in specification not
> covered
> > by
> > > >> >> > > > >> >> implementation, so I would like to take care of that
> in
> > > >> next
> > > >> >> > steps.
> > > >> >> > > > >> >>
> > > >> >> > > > >> >> Thanks in advance for some feedback.
> > > >> >> > > > >> >>
> > > >> >> > > > >> >> Cheers,
> > > >> >> > > > >> >> Lukasz
> > > >> >> > >
> > > >> >> > > --
> > > >> >> > > Daniel Kulp
> > > >> >> > > [hidden email]
> > > >> >> > > http://dankulp.com/blog
> > > >> >> > >
> > > >> >> >
> > > >> >>
> > > >> >
> > > >> >
> > > >>
> > > >
> > > >
> > >
> >
>
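The callback check discussed in the message above (matching the callback URI sent with the request-token request against the one registered for the consumer, plus the 'oob' fallback), as an added example that is not code from the thread or from CXF. The class and method names and every URI are constructed for illustration; it contrasts a raw `String.startsWith` with a comparison done per URI component.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Added example (hypothetical names): callback URI matching for an OAuth 1.0a consumer. */
public class CallbackUriCheck {

    /** The check named in the thread: a prefix match on the raw strings. */
    static boolean naiveStartsWith(String registered, String supplied) {
        return supplied != null && supplied.startsWith(registered);
    }

    /** Parses and normalizes a URI, rejecting forms that make a prefix match ambiguous. */
    static URI parse(String s) throws URISyntaxException {
        if (s == null) {
            throw new URISyntaxException("", "missing URI");
        }
        URI u = new URI(s).normalize(); // resolves "." and ".." path segments
        String scheme = u.getScheme();
        boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        if (!web || u.getHost() == null || u.getRawUserInfo() != null
                || u.getRawFragment() != null) {
            throw new URISyntaxException(s, "not a plain http(s) URI");
        }
        // Leftover or percent-encoded dot segments and separators are refused outright.
        String rawPath = u.getRawPath().toLowerCase(Locale.ROOT);
        if (rawPath.contains("..") || rawPath.contains("%2e")
                || rawPath.contains("%2f") || rawPath.contains("%5c")) {
            throw new URISyntaxException(s, "ambiguous path");
        }
        return u;
    }

    /** Port with the scheme default filled in, so ":443" and no port compare equal on https. */
    static int port(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Prefix match per component: same scheme, host and port; path equal to or below the registered one. */
    static boolean componentMatch(String registered, String supplied) {
        try {
            URI reg = parse(registered);
            URI sup = parse(supplied);
            if (!reg.getScheme().equalsIgnoreCase(sup.getScheme())
                    || !reg.getHost().equalsIgnoreCase(sup.getHost())
                    || port(reg) != port(sup)) {
                return false;
            }
            String regPath = reg.getPath().isEmpty() ? "/" : reg.getPath();
            String supPath = sup.getPath().isEmpty() ? "/" : sup.getPath();
            // Only match on a path-segment boundary, so "/oauth" does not cover "/oauth-other".
            String regDir = regPath.endsWith("/") ? regPath : regPath + "/";
            return supPath.equals(regPath) || supPath.startsWith(regDir);
        } catch (URISyntaxException e) {
            return false; // unparseable or ambiguous input never matches
        }
    }

    /** Callback to use for a request-token request; 'oob' falls back as the thread describes. */
    static String resolveCallback(String registered, String supplied) {
        if ("oob".equals(supplied)) {
            return registered; // per the thread: the server uses the preregistered value
        }
        if (!componentMatch(registered, supplied)) {
            throw new IllegalArgumentException("callback does not match registration");
        }
        return supplied;
    }

    public static void main(String[] args) {
        // Constructed {registered, supplied} pairs, not taken from the demo applications.
        String[][] cases = {
            {"https://client.example.com/oauth", "https://client.example.com/oauth/callback?state=1"},
            // Same origin written differently: upper-case host, explicit default port.
            {"https://client.example.com/oauth", "https://CLIENT.example.com:443/oauth/callback"},
            // Sibling path that shares the registered string as a prefix.
            {"https://client.example.com/oauth", "https://client.example.com/oauth-other/callback"},
            // Dot segment that leaves the registered path once normalized.
            {"https://client.example.com/oauth", "https://client.example.com/oauth/../other"},
            // Different host whose name begins with the registered host.
            {"https://client.example.com", "https://client.example.com.other.example/cb"},
            // Scheme differs from the registration.
            {"https://client.example.com/oauth", "http://client.example.com/oauth/callback"},
        };
        for (String[] c : cases) {
            System.out.printf("%-34s %-52s naive=%-5b component=%b%n",
                    c[0], c[1], naiveStartsWith(c[0], c[1]), componentMatch(c[0], c[1]));
        }
        System.out.println("oob resolves to " + resolveCallback(cases[0][0], "oob"));
    }
}
```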

Re: OAuth client and server demos

Łukasz Moreń
Hi,

I've made changes in demo according to your comments.
I will do 'gsoc' tag on my branch to distinguish current gsoc work from
future changes, as today is 'firm pencil down' date.

I would like to do additional changes in oauth module.
Access token should be connected with some kind of 'scope' that specifies
a range of resources it allows to access or operations to invoke.

For example, in the RestEasy implementation the access token is associated with a set
of principal roles.
If there is a valid access token in the request, the oauth filter sets the user roles
associated with the token on the ServletRequest and lets it pass further.

I'm wondering how it can be done in cxf. I would appreciate some help on
that.

Cheers,
Lukasz

2010/8/14 Łukasz Moreń <[hidden email]>

> Hi Sergey,
>
> Thanks for feedback. More comments below.
>
> 2010/8/13 Sergey Beryozkin <[hidden email]>
>
>> Hi Lucasz
>>
>>
>> 2010/8/13 Łukasz Moreń <[hidden email]>
>>
>> > Hi Sergey,
>> >
>> > I've added some improvements to demo and protocol implementation.
>> > I hope this time build will be fine.
>> >
>> >
>> I've had no problems building this time. Thanks for sorting the build
>> issues
>> out.
>> The only minor hitch is that I had to add
>> <relativePath>../../pom.xml</relativePath>
>> to both oauth client & server demo modules in order to build them. Not
>> sure
>> if I could've built them by running
>> 'mvn install' from  samples directly (in distribution/target/.../samples)
>> given that we also have to use -Pspring3. Not a big issue - please recheck
>> just in case...
>>
>
> Yes, I think I need to add relativePath to pom.
>
>
>>
>> So I've started server and client web apps and run the demo easily. So
>> it's
>> all nearly there, and IMHO the project is in a good shape, as far as GSOC
>> is
>> concerned. Hopefully you can continue on preparing it to the move to the
>> trunk :-)
>>
>> Here're some comments to the existing demo - see if you could do anything
>> till 16th, if not then it can be dealt with later on.
>>
>>
> I will try to do as much as possible till the 16th. There is still plenty to
> do, as I see from your comments and
> myself, so missing things I will add later.
>
>
>
>> The client registration form requires a user to register a callback URI.
>> But
>> I understand that a callback URI is only provided by a client, when
>> requesting a temp/request token ? That said, requiring what I'd call a
>> 'connect' or "reply-to" URI registered during the (secure) client
>> registration process may help with enforcing that the actual callback URI
>> provided by the client *matches* the one provided at the registration,
>> using
>> a startsWith function. I've seen it in the Facebook docs and I also did
>> something similar in my own project - is this the idea ?
>>
>> If yes - then please check it's a startsWith check that is used - but also
>> consider making providing a callback URI optional at the client
>> registration time
>
>
> Yes, I used it for that reason. It can be just passed with the request token
> request. All current OAuth 1.0 servers I've seen need to preregister the
> callback URI,
> and as you said they check if both URIs match.
> There is also the possibility to pass the 'oob' (out of band) value as callback URI,
> which means it has been established via other means,
> so then the server uses the preregistered value. However I think this option is used
> in case of native apps.
>
>> The other thing is that a client key is also generated. This is probably
>> correct but I'm wondering would it make sense to let the consumer register
>> its own key but the authorization server to only generate the shared
>> secret.
>> Consumer might also want to optionally provide its description such as
>> "OAuth 1.0 client" as in the demo, etc.  This might make it a bit simpler
>> for a client (i.e, it will only have to manage a shared secret).
>>
>
> Yes I think it makes sense. So far consumer key is just hash from
> application name and user who registers consumer.
>
>
>
>> In a client webapp a PLAINTEXT option is offered - is it OAuth 2.0 like
>> thing where HTTPS is assumed ? I'd just consider removing this option and
>> have only hmac-sha1 left.
>>
>
> I think it's something similar, however there is no signatures in OAuth 2.0
> and  access_token is assumed to be short lived,
> ideally one per request, issuing new tokens is done by refresh_token
> parameter.
>
>
>> This is probably it so far. I'm not very excited about JSPs being used in
>> the demo :-) but I guess it is not too bad and shows something that many
>> people would consider doing in practice.
>>
>
> I was not sure about using JSP's neither:), but I wanted to show basically
> how oauth could be added to existing apps
>  and hadn't other idea how to replace them.
>
>
>>
>> Overall it is a really good effort toward helping CXF users to
>> start/experiment with OAuth.
>>
>
>
> Cheers,
> Lukasz
>
>
>
>>
>> Thanks
>>
>> Sergey
>>
>>
>> > Cheers,
>> > Lukasz
>> >
>> > 2010/8/13 Sergey Beryozkin <[hidden email]>
>> >
>> > > Hi Łukasz
>> > >
>> > > I can see the merges flowing :-), I'll be reviewing your work tonight;
>> > >
>> > > to the list : we've exchanged few private emails to do with build
>> issues
>> > I
>> > > was encountering and Łukasz
>> > >  addressed them fast; we also agreed that for the initial phase making
>> a
>> > > demo easy to understand and build upon was the main goal...
>> > >
>> > > cheers, Sergey
>> > >
>> > > 2010/8/5 Sergey Beryozkin <[hidden email]>
>> > >
>> > > > Hi Łukasz
>> > > >
>> > > > can you please fix checkstyle errors in the demo...
>> > > > Re the callback uri : I think one of the providers on the server is
>> > > > configured with the callback URI
>> > > >
>> > > > thanks, Sergey
>> > > >
>> > > >
>> > > > 2010/8/2 Łukasz Moreń <[hidden email]>
>> > > >
>> > > > >
>> > > >> > Please update the demo so that the consume
>> > > >>
>> > > >> registers itself, plus supplies a callback itself with a request
>> token
>> > > >> >  request
>> > > >>
>> > > >>
>> > > >> callback url is passed in this request, however this request is
>> done
>> > in
>> > > >> backend through URLConnection so it's not visible at UI.
>> > > >>
>> > > >> Cheers, Lukasz
>> > > >>
>> > > >> W dniu 2 sierpnia 2010 13:36 użytkownik Łukasz Moreń <
>> > > >> [hidden email]
>> > > >> > napisał:
>> > > >>
>> > > >> > Hi,
>> > > >> > I've committed changes I've made:
>> > > >> > - added possibility to register new OAuth client applications at
>> > OAuth
>> > > >> > server
>> > > >> > - OAuth demos moved to distribution\src\main\samples\
>> > > >> > - added README to OAuth demos
>> > > >> > - fixes in pom.xml files
>> > > >> >
>> > > >> >  - fix the checkstyle errors and move the demo to the
>> > > >> >
>> > > >> > ""distribution/src/main/release/samples/"" area and also add
>> Readme;
>> > > >> after
>> > > >> >
>> > > >> > building the distribution (mvn install in trunk/distribution) you
>> > can
>> > > >> >> easily
>> > > >> >
>> > > >> > verify the demo can be run by locating in the target.
>> > > >> >
>> > > >> >
>> > > >> > fixed that, and added readme
>> > > >> >
>> > > >> >
>> > > >> >> - add the oauth dependency in the parent pom so that the
>> rs/oauth
>> > > >> module
>> > > >> >> can
>> > > >> >
>> > > >> > depend on it without specifying a version and have the demo
>> client
>> > > >> module
>> > > >> >
>> > > >> > depending on rt/rs/oauth module instead (similarly to the server
>> > one)
>> > > >> >
>> > > >> >
>> > > >> > done, however demo client doesn't need to depend on rt/rs/oauth as it
>> > > >> > doesn't use cxf functionality, just on oauth libraries
>> > > >> >
>> > > >> >
>> > > >> >> - during the main build please use the Spring version CXF
>> depends
>> > > upon
>> > > >> and
>> > > >> >
>> > > >> > use its -Pspring3 profile to build for the deployment into GAE
>> > > >> >
>> > > >> >
>> > > >> > changed, both client and server demos needs to be build with
>> > -Pspring3
>> > > >> for
>> > > >> > local jetty run and GAE as well.
>> > > >> > Otherwise I would need use different spring config files for
>> spring
>> > > 2.5
>> > > >> and
>> > > >> > 3.0.x
>> > > >> >
>> > > >> > Cheers, Lukasz
>> > > >> >
>> > > >> > W dniu 29 lipca 2010 21:15 użytkownik Sergey Beryozkin <
>> > > >> > [hidden email]> napisał:
>> > > >> >
>> > > >> > Hi
>> > > >> >>
>> > > >> >> 2010/7/29 Łukasz Moreń <[hidden email]>
>> > > >> >>
>> > > >> >> > Hi,
>> > > >> >> >
>> > > >> >> > I'm still working on refactoring and changes in demo you
>> > suggested.
>> > > >> >> > I will likely update it tomorrow.
>> > > >> >> >
>> > > >> >> > I'll likely ask for some modifications but perhaps if you
>> could
>> > > start
>> > > >> >> with
>> > > >> >> > > updating the demo
>> > > >> >> >
>> > > >> >> > such that a consumer initiates its own registration with the
>> > OAuth
>> > > >> >> server.
>> > > >> >> >
>> > > >> >> >
>> > > >> >> > I'm going to put high effort on my GSoC project next weeks. I
>> > would
>> > > >> >> really
>> > > >> >> > appreciate,
>> > > >> >> > if you would have some more modifications requests/directions
>> > which
>> > > >> >> project
>> > > >> >> > should go, as you have limited time next week
>> > > >> >> > and current changes will not take long.
>> > > >> >> >
>> > > >> >> > From what I'm seeing, I need to cover spec with code, simplify
>> > > >> >> > configuration
>> > > >> >> > and do more testing.
>> > > >> >> >
>> > > >> >> >
>> > > >> >> I have to sign off now...Please update the demo so that the
>> > consumer
>> > > >> >> registers itself, plus supplies a callback itself with a request
>> > > token
>> > > >> >> request, add README and it would let users start experimenting.
>> > IMHO
>> > > >> the
>> > > >> >> initial phase can be considered complete once there's a demo
>> there
>> > > >> which
>> > > >> >> can
>> > > >> >> show users what they need to do.
>> > > >> >>
>> > > >> >> We can then discuss things further
>> > > >> >>
>> > > >> >> cheers, Sergey
>> > > >> >>
>> > > >> >>
>> > > >> >>
>> > > >> >> > Cheers,
>> > > >> >> > Lukasz
>> > > >> >> >
>> > > >> >> > 2010/7/29 Daniel Kulp <[hidden email]>
>> > > >> >> >
>> > > >> >> > >
>> > > >> >> > > You probably just need to change your deps to:
>> > > >> >> > >
>> > > >> >> > > geronimo-servlet_3.0_spec
>> > > >> >> > >
>> > > >> >> > >
>> > > >> >> > > Dan
>> > > >> >> > >
>> > > >> >> > >
>> > > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
>> > > >> >> > > > Hi Lucasz
>> > > >> >> > > >
>> > > >> >> > > > I can't build the oauth sandbox project, seeing
>> > > >> >> > > > [ERROR] FATAL ERROR
>> > > >> >> > > > [INFO]
>> > > >> >> > > >
>> > > >> >> >
>> > > >>
>> > ------------------------------------------------------------------------
>> > > >> >> > > > [INFO] Error building POM (may not be this project's POM).
>> > > >> >> > > >
>> > > >> >> > > >
>> > > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
>> > > >> >> > > > POM Location:
>> > > >> >> > > >
>> > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>> > > >> >> > > > Validation Messages:
>> > > >> >> > > >
>> > > >> >> > > >     [0]  'dependencies.dependency.version' is missing for
>> > > >> >> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
>> > > >> >> > > >
>> > > >> >> > > >
>> > > >> >> > > > Reason: Failed to validate POM for project
>> > > >> >> > org.apache.cxf:cxf-rt-rs-oauth
>> > > >> >> > > > at
>> > > >> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>> > > >> >> > > >
>> > > >> >> > > > so I can not review the latest merge, sorry. I could've
>> tried
>> > > to
>> > > >> fix
>> > > >> >> > this
>> > > >> >> > > > issue but I'm not sure if you're finished with the
>> > refactoring
>> > > >> just
>> > > >> >> > yet.
>> > > >> >> > > > I'll be travelling tomorrow and I'll have some very
>> limited
>> > > time
>> > > >> >> during
>> > > >> >> > > the
>> > > >> >> > > > evenings next week but I'll try to provide some feedback
>> at
>> > > least
>> > > >> >> > > >
>> > > >> >> > > > cheers, Sergey
>> > > >> >> > > >
>> > > >> >> > > >
>> > > >> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
>> > > >> >> > > >
>> > > >> >> > > > > Hi Łukasz
>> > > >> >> > > > >
>> > > >> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
>> > > >> >> > > > >
>> > > >> >> > > > > Hi Sergey,
>> > > >> >> > > > >
>> > > >> >> > > > >> I'm really sorry for such commit, I know it shouldn't
>> > > happen.
>> > > >> I
>> > > >> >> > turned
>> > > >> >> > > > >> off checkstyle as i couldn't configure it properly on
>> > > intellij
>> > > >> >> and
>> > > >> >> > it
>> > > >> >> > > > >> was annoying during development.
>> > > >> >> > > > >> I will apply proper changes ASAP.
>> > > >> >> > > > >>
>> > > >> >> > > > >> no worries at all, I've broken the real builds with
>> > > checkstyle
>> > > >> >> > errors
>> > > >> >> > > so
>> > > >> >> > > > >
>> > > >> >> > > > > many times and it is the CXF sandbox after :-)
>> > > >> >> > > > >
>> > > >> >> > > > >> According to the demo, I built it as usual web-app, if
>> it
>> > > >> worked,
>> > > >> >> > use
>> > > >> >> > > > >> this same sources to deploy on GAE.
>> > > >> >> > > > >> However because of GAE restrictions it always needs
>> minor
>> > > >> changes
>> > > >> >> > > > >> before deploy, i.e. GAE can't read configuration files
>> > such
>> > > >> as:
>> > > >> >> > > > >> cxf-extension-http.xml
>> > > >> >> > > > >> from jars, so I copied it to WEB-INF folder.
>> > > >> >> > > > >> Commited to svn version does not depend on GAE SDK and
>> can
>> > > be
>> > > >> run
>> > > >> >> > > > >> locally with jetty:run.
>> > > >> >> > > > >>
>> > > >> >> > > > >> Yes, I warned about server configuration part:). I will
>> > take
>> > > >> care
>> > > >> >> to
>> > > >> >> > > > >> make it simpler.
>> > > >> >> > > > >
>> > > >> >> > > > > I do not think it is too complicated - the
>> simplification
>> > can
>> > > >> be
>> > > >> >> done
>> > > >> >> > > > > once the whole flow is sound...
>> > > >> >> > > > >
>> > > >> >> > > > >> So far, oauth consumer properties are hardcoded and
>> > injected
>> > > >> into
>> > > >> >> > > > >> oauth provider, as I think it is not oauth library
>> > > >> responsibility
>> > > >> >> to
>> > > >> >> > > > >> deal with consumer registration.
>> > > >> >> > > > >> However for demo it would be good to have something
>> like
>> > > that.
>> > > >> I
>> > > >> >> > would
>> > > >> >> > > > >> do registration form at the server as it is done by
>> > current
>> > > >> big
>> > > >> >> > oauth
>> > > >> >> > > > >> implementations.
>> > > >> >> > > > >
>> > > >> >> > > > > I agree that conceptually the registration of consumers
>> is
>> > a
>> > > >> >> separate
>> > > >> >> > > > > issue. But it is part of the solution that users will be
>> > > >> >> eventually
>> > > >> >> > > > > offering so just showing them that the consumers have to
>> go
>> > > and
>> > > >> >> > > register
>> > > >> >> > > > > themselves with help people with coming up with some
>> custom
>> > > >> >> > > registration
>> > > >> >> > > > > forms, etc. The registration does not have to be done at
>> > the
>> > > >> >> server
>> > > >> >> > > > > hosting the resource, it is just important for the OAuth
>> > > >> provider
>> > > >> >> be
>> > > >> >> > > > > able to get to the consumer details. I'm fine with
>> assuming
>> > > at
>> > > >> the
>> > > >> >> > > > > moment that the registration handler is collocated with
>> the
>> > > >> >> > > > > endpoints/providers enforcing OAuth flow.
>> > > >> >> > > > >
>> > > >> >> > > > > But the callback uri which is being injected at the
>> moment
>> > > >> should
>> > > >> >> go
>> > > >> >> > > > > anyway given that it is part of the actual flow,
>> > > specifically,
>> > > >> the
>> > > >> >> > > > > consumer provides it during the request token request
>> > > >> >> > > > >
>> > > >> >> > > > >> Recently I've noticed that Camel have done oauth client
>> as
>> > > >> >> well:):
>> > > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
>> > > >> >> > > > >>
>> > > >> >> > > > >> Thanks much for review, and hints.
>> > > >> >> > > > >
>> > > >> >> > > > > thanks for your effort :-)
>> > > >> >> > > > >
>> > > >> >> > > > > Sergey
>> > > >> >> > > > >
>> > > >> >> > > > >> Cheers,
>> > > >> >> > > > >> Lukasz
>> > > >> >> > > > >>
>> > > >> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
>> > > >> >> > > > >> > Hi Łukasz
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > Sorry for a delay,  I should've come back earlier to
>> > you.
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > I've run the demo hosted at the app engine and I
>> think
>> > > from
>> > > >> the
>> > > >> >> > > > >>
>> > > >> >> > > > >> education
>> > > >> >> > > > >>
>> > > >> >> > > > >> > point of view it is a good demo and it is handy one
>> does
>> > > not
>> > > >> >> even
>> > > >> >> > > has
>> > > >> >> > > > >> > to build anything in order to try it.
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > I've had a problem building the rt/rs/oauth tests -
>> > > there's
>> > > >> a
>> > > >> >> > bunch
>> > > >> >> > > of
>> > > >> >> > > > >> > CheckStyle errors. Can you please build
>> > sandbox/oauth_1.0a
>> > > >> from
>> > > >> >> > the
>> > > >> >> > > > >>
>> > > >> >> > > > >> trunk,
>> > > >> >> > > > >>
>> > > >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn
>> > > >> install'
>> > > >> >> from
>> > > >> >> > > > >>
>> > > >> >> > > > >> rt/rs/ ?
>> > > >> >> > > > >>
>> > > >> >> > > > >> > One other thing, please move the demo to
>> > > >> >> > > > >> > "distribution/src/main/release/samples/" as well add
>> > > Readme
>> > > >> to
>> > > >> >> it.
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > Also I can not build the demo too, the client build
>> > fails
>> > > >> with
>> > > >> >> the
>> > > >> >> > > > >>
>> > > >> >> > > > >> following
>> > > >> >> > > > >>
>> > > >> >> > > > >> > dependency missing
>> > > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom,
>> > have
>> > > >> you
>> > > >> >> > built
>> > > >> >> > > it
>> > > >> >> > > > >>
>> > > >> >> > > > >> in
>> > > >> >> > > > >>
>> > > >> >> > > > >> > the GAE dev environment ?
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > Can you please spend a bit of time on cleaning the
>> build
>> > a
>> > > >> bit
>> > > >> >> :
>> > > >> >> > > > >> > - fix the checkstyle errors and move the demo to the
>> > > >> >> > > > >> > ""distribution/src/main/release/samples/"" area and
>> also
>> > > add
>> > > >> >> > Readme;
>> > > >> >> > > > >>
>> > > >> >> > > > >> after
>> > > >> >> > > > >>
>> > > >> >> > > > >> > building the distribution (mvn install in
>> > > >> trunk/distribution)
>> > > >> >> you
>> > > >> >> > > can
>> > > >> >> > > > >>
>> > > >> >> > > > >> easily
>> > > >> >> > > > >>
>> > > >> >> > > > >> > verify the demo can be run by locating in the target.
>> > > >> >> > > > >> > - add the oauth dependency in the parent pom so that
>> the
>> > > >> >> rs/oauth
>> > > >> >> > > > >> > module
>> > > >> >> > > > >>
>> > > >> >> > > > >> can
>> > > >> >> > > > >>
>> > > >> >> > > > >> > depend on it without specifying a version and have
>> the
>> > > demo
>> > > >> >> client
>> > > >> >> > > > >>
>> > > >> >> > > > >> module
>> > > >> >> > > > >>
>> > > >> >> > > > >> > depending on rt/rs/oauth module instead (similarly to
>> > the
>> > > >> >> server
>> > > >> >> > > one)
>> > > >> >> > > > >> > - during the main build please use the Spring version
>> > CXF
>> > > >> >> depends
>> > > >> >> > > upon
>> > > >> >> > > > >>
>> > > >> >> > > > >> and
>> > > >> >> > > > >>
>> > > >> >> > > > >> > use its -Pspring3 profile to build for the deployment
>> > into
>> > > >> GAE
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > As far as the demo is concerned. I looked at the
>> server
>> > > part
>> > > >> >> and
>> > > >> >> > it
>> > > >> >> > > > >>
>> > > >> >> > > > >> looks
>> > > >> >> > > > >>
>> > > >> >> > > > >> > complicated enough :-) but I think it makes sense to
>> me.
>> > > >> I'll
>> > > >> >> > likely
>> > > >> >> > > > >> > ask
>> > > >> >> > > > >>
>> > > >> >> > > > >> for
>> > > >> >> > > > >>
>> > > >> >> > > > >> > some modifications but perhaps if you could start
>> with
>> > > >> updating
>> > > >> >> > the
>> > > >> >> > > > >> > demo such that a consumer initiates its own
>> registration
>> > > >> with
>> > > >> >> the
>> > > >> >> > > > >> > OAuth
>> > > >> >> > > > >>
>> > > >> >> > > > >> server :
>> > > >> >> > > > >> > I can see at the moment an oauth provider is injected
>> > with
>> > > >> some
>> > > >> >> > > sample
>> > > >> >> > > > >> > consumer properties. I'm not sure what is the best
>> way
>> > to
>> > > do
>> > > >> it
>> > > >> >> :
>> > > >> >> > > may
>> > > >> >> > > > >> > be
>> > > >> >> > > > >>
>> > > >> >> > > > >> the
>> > > >> >> > > > >>
>> > > >> >> > > > >> > server can return a registration form or the client
>> can
>> > > just
>> > > >> >> push
>> > > >> >> > > the
>> > > >> >> > > > >> > registration info itself.
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > Overall I think it is a good progress indeed
>> especially
>> > > >> given
>> > > >> >> the
>> > > >> >> > > > >>
>> > > >> >> > > > >> complexity
>> > > >> >> > > > >>
>> > > >> >> > > > >> > of the whole effort.
>> > > >> >> > > > >> >
>> > > >> >> > > > >> >
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > thanks, Sergey
>> > > >> >> > > > >> >
>> > > >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
>> > > >> >> > > [hidden email]
>> > > >> >> > > > >> >
>> > > >> >> > > > >> >wrote:
>> > > >> >> > > > >> >> Hi all,
>> > > >> >> > > > >> >>
>> > > >> >> > > > >> >> I have managed to create two sample OAuth applications:
>> > > >> >> > > > >> >> ordinary OAuth 1.0a client: http://www.oauthclient.appspot.com
>> > > >> >> > > > >> >> and authorization server that uses CXF OAuth module:
>> > > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
>> > > >> >> > > > >> >>
>> > > >> >> > > > >> >> Both sample applications and changes in oauth library are committed in
>> > > >> >> > > > >> >> sandbox.
>> > > >> >> > > > >> >>
>> > > >> >> > > > >> >> OAuth configuration in sample authorization server
>> app
>> > > >> looks a
>> > > >> >> > bit
>> > > >> >> > > > >> >> awfully but I think most of that can be hidden and
>> done
>> > > out
>> > > >> of
>> > > >> >> > > band.
>> > > >> >> > > > >> >> There is still some areas in specification not
>> covered
>> > by
>> > > >> >> > > > >> >> implementation, so I would like to take care of that
>> in
>> > > >> next
>> > > >> >> > steps.
>> > > >> >> > > > >> >>
>> > > >> >> > > > >> >> Thanks in advance for some feedback.
>> > > >> >> > > > >> >>
>> > > >> >> > > > >> >> Cheers,
>> > > >> >> > > > >> >> Lukasz
>> > > >> >> > >
>> > > >> >> > > --
>> > > >> >> > > Daniel Kulp
>> > > >> >> > > [hidden email]
>> > > >> >> > > http://dankulp.com/blog
>> > > >> >> > >
>> > > >> >> >
>> > > >> >>
>> > > >> >
>> > > >> >
>> > > >>
>> > > >
>> > > >
>> > >
>> >
>>
>
>
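The callback check discussed in the quoted exchange above, as an added example in Java (not CXF code and not written by either poster): it contrasts a raw `startsWith` comparison with a component-wise comparison of the registered and supplied callback URIs, and handles the `oob` value the way the message describes. The class and method names and the `client.example.com` / `other.example` sample URIs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example, not CXF code. All class and method names are hypothetical.
public class CallbackUriCheck {

    // The check as discussed in the thread: a prefix test on the raw strings.
    static boolean rawStartsWith(String registered, String supplied) {
        return supplied != null && supplied.startsWith(registered);
    }

    // Port stated in the URI, or the scheme's default when none is stated.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Raw path of the URI, with an empty path treated as "/".
    static String pathOf(URI u) {
        String p = u.getRawPath();
        return (p == null || p.isEmpty()) ? "/" : p;
    }

    // True when path equals base or lies below it on a segment boundary.
    static boolean pathWithin(String base, String path) {
        if (path.equals(base)) {
            return true;
        }
        return path.startsWith(base.endsWith("/") ? base : base + "/");
    }

    // Scheme, host and port must be equal; the registered path must be a
    // prefix of the supplied path on a segment boundary, after dot-segment
    // removal. Userinfo, fragments and encoded dots/slashes are refused
    // (a conservative choice made for this example).
    static boolean componentMatch(String registered, String supplied) {
        if (registered == null || supplied == null) {
            return false;
        }
        URI reg;
        URI sup;
        try {
            reg = new URI(registered).normalize();
            sup = new URI(supplied).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        if (reg.getScheme() == null || reg.getHost() == null
                || sup.getScheme() == null || sup.getHost() == null) {
            return false;
        }
        if (sup.getRawUserInfo() != null || sup.getRawFragment() != null) {
            return false;
        }
        String rawPath = pathOf(sup).toLowerCase(Locale.ROOT);
        if (rawPath.contains("%2e") || rawPath.contains("%2f") || rawPath.contains("%5c")) {
            return false;
        }
        return reg.getScheme().equalsIgnoreCase(sup.getScheme())
                && reg.getHost().equalsIgnoreCase(sup.getHost())
                && effectivePort(reg) == effectivePort(sup)
                && pathWithin(pathOf(reg), pathOf(sup));
    }

    // Returns the URI to redirect to, or null when the request is refused.
    // "oob" (case sensitive) falls back to the preregistered value.
    static String resolveCallback(String registered, String supplied) {
        if ("oob".equals(supplied)) {
            return registered;
        }
        return componentMatch(registered, supplied) ? supplied : null;
    }

    public static void main(String[] args) {
        // Constructed sample data: {registered callback, oauth_callback sent}.
        String[][] cases = {
            {"https://client.example.com/app", "https://client.example.com/app/callback?state=1"},
            {"https://client.example.com/app", "https://CLIENT.example.com:443/app/cb"},
            {"https://client.example.com/app", "https://client.example.com/application-other"},
            {"https://client.example.com/app", "https://client.example.com/app/../other"},
            {"https://client.example.com", "https://client.example.com.other.example/cb"},
            {"https://client.example.com", "https://client.example.com@other.example/cb"},
            {"https://client.example.com/app", "oob"},
        };
        for (String[] c : cases) {
            System.out.printf("%-32s %-50s raw=%-5b component=%-5b resolved=%s%n",
                    c[0], c[1], rawStartsWith(c[0], c[1]),
                    componentMatch(c[0], c[1]), resolveCallback(c[0], c[1]));
        }
    }
}
```

On these samples the two checks disagree for the look-alike host, the userinfo form, the sibling path and the dot-segment path, which the raw prefix test accepts, and for the upper-case host with an explicit default port, which it refuses.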

Re: OAuth client and server demos

Sergey Beryozkin
Hi Łukasz

2010/8/16 Łukasz Moreń <[hidden email]>

> Hi,
>
> I've made changes in demo according to your comments.
>

thanks.


> I will do 'gsoc' tag on my branch to distinguish current gsoc work from
> future changes, as today is 'firm pencil down' date.
>

ok.


> I would like to do additional changes in oauth module.
>

nice :-).


> Access token should be connected with some kind of 'scope' that specifies
> a range of  resources it allows to access or operations to invoke.
>
> For example in RestEasy implementation access token is associated with set
> of principal roles.
> If there is valid access token in the request, oauth filter set user roles
> associated with token to ServletRequest and let pass it further.
>
> I'm wondering how it can be done in cxf. I would appreciate some help on
> that.
>
>
Believe it or not but I've changed all that as part of the work I've been
doing recently.
Specifically, I've removed the association of roles & principal with access
tokens.
Instead I've introduced permissions which is really what can be requested by
a consumer and publicly
shown to the end user, example, "Are you ok with letting 3rd party consumer
"doSomething" with your resources ?", where "doSomething" can be pretty much
any expression like "updateYourAlbom", etc, while roles could be "user",
etc.

It is then a job of filters/login modules/etc to convert permissions into
the actual roles, as well as retrieve an authenticated Principal.

I've also added "scopes" which are URIs, which I 'borrowed' from the Google
docs. Example, a consumer may request a permission to "doSomething" at
http://bar. If authorized it can access http://bar, http://bar/1,
http://bar/2

Does it help ? Any comments ?

cheers, Sergey


> Cheers,
> Lukasz
>
> 2010/8/14 Łukasz Moreń <[hidden email]>
>
> > Hi Sergey,
> >
> > Thanks for feedback. More comments below.
> >
> > 2010/8/13 Sergey Beryozkin <[hidden email]>
> >
> >> Hi Lucasz
> >>
> >>
> >> 2010/8/13 Łukasz Moreń <[hidden email]>
> >>
> >> > Hi Sergey,
> >> >
> >> > I've added some improvements to demo and protocol implementation.
> >> > I hope this time build will be fine.
> >> >
> >> >
> >> I've had no problems building this time. Thanks for sorting the build
> >> issues
> >> out.
> >> The only minor hitch is that I had to add
> >> <relativePath>../../pom.xml</relativePath>
> >> to both oauth client & server demo modules in order to build them. Not
> >> sure
> >> if I could've built them by running
> >> 'mvn install' from  samples directly (in
> distribution/target/.../samples)
> >> given that we also have to use -Pspring3. Not a big issue - please
> recheck
> >> just in case...
> >>
> >
> > Yes, I think I need to add relativePath to pom.
> >
> >
> >>
> >> So I've started server and client web apps and run the demo easily. So
> >> it's
> >> all nearly there, and IMHO the project is in a good shape, as far as
> GSOC
> >> is
> >> concerned. Hopefully you can continue on preparing it to the move to the
> >> trunk :-)
> >>
> >> Here're some comments to the existing demo - see if you could do
> anything
> >> till 16th, if not then it can be dealt with later on.
> >>
> >>
> > I will try to do as much as possible till 16-th. There is still plenty to
> > do as I see from your comments and
> > myself so missing things I will add later.
> >
> >
> >
> >> The client registration form requires a user to register a callback URI.
> >> But I understand that a callback URI is only provided by a client, when
> >> requesting a temp/request token ? That said, requiring what I'd call a
> >> 'connect' or "reply-to" URI registered during the (secure) client
> >> registration process may help with enforcing that the actual callback URI
> >> provided by the client *matches* the one provided at the registration,
> >> using a startsWith function. I've seen it in the Facebook docs and I also
> >> did something similar in my own project - is this the idea ?
> >> If yes - then please check it's a startsWith check that is used - but also
> >> consider making providing a callback URI optional at the client
> >> registration time
> >
> > Yes, I used it for that reason. It can be just passed with request token
> > request. All current OAuth 1.0 servers I've seen need to preregister
> > callback URI, and as you said they check if both URIs match.
> > There is also possibility to pass 'oob' (out of band) value as callback URI
> > which means has been established via other means,
> > so then server use preregistered value. However I think this option is used
> > in case of native apps.
> >
> >> The other thing is that a client key is also generated. This is probably
> >> correct but I'm wondering would it make sense to let the consumer
> register
> >> its own key but the authorization server to only generate the shared
> >> secret.
> >> Consumer might also want to optionally provide its description such as
> >> "OAuth 1.0 client" as in the demo, etc.  This might make it a bit
> simpler
> >> for a client (i.e, it will only have to manage a shared secret).
> >>
> >
> > Yes I think it makes sense. So far consumer key is just hash from
> > application name and user who registers consumer.
> >
> >
> >
> >> In a client webapp a PLAINTEXT option is offered - is it OAuth 2.0 like
> >> thing where HTTPS is assumed ? I'd just consider removing this option
> and
> >> have only hmac-sha1 left.
> >>
> >
> > I think it's something similar, however there is no signatures in OAuth
> 2.0
> > and  access_token is assumed to be short lived,
> > ideally one per request, issuing new tokens is done by refresh_token
> > parameter.
> >
> >
> >> This is probably it so far. I'm not very excited about JSPs being used
> in
> >> the demo :-) but I guess it is not too bad and shows something that many
> >> people would consider doing in practice.
> >>
> >
> > I was not sure about using JSP's neither:), but I wanted to show
> basically
> > how oauth could be added to existing apps
> >  and hadn't other idea how to replace them.
> >
> >
> >>
> >> Overall it is a really good effort toward helping CXF users to
> >> start/experiment with OAuth.
> >>
> >
> >
> > Cheers,
> > Lukasz
> >
> >
> >
> >>
> >> Thanks
> >>
> >> Sergey
> >>
> >>
> >> > Cheers,
> >> > Lukasz
> >> >
> >> > 2010/8/13 Sergey Beryozkin <[hidden email]>
> >> >
> >> > > Hi Łukasz
> >> > >
> >> > > I can see the merges flowing :-), I'll be reviewing your work
> tonight;
> >> > >
> >> > > to the list : we've exchanged few private emails to do with build
> >> issues
> >> > I
> >> > > was encountering and Łukasz
> >> > >  addressed them fast; we also agreed that for the initial phase
> making
> >> a
> >> > > demo easy to understand and build upon was the main goal...
> >> > >
> >> > > cheers, Sergey
> >> > >
> >> > > 2010/8/5 Sergey Beryozkin <[hidden email]>
> >> > >
> >> > > > Hi Łukasz
> >> > > >
> >> > > > can you please fix checkstyle errors in the demo...
> >> > > > Re the callback uri : I think one of the providers on the server
> is
> >> > > > configured with the callback URI
> >> > > >
> >> > > > thanks, Sergey
> >> > > >
> >> > > >
> >> > > > 2010/8/2 Łukasz Moreń <[hidden email]>
> >> > > >
> >> > > > >
> >> > > >> > Please update the demo so that the consume
> >> > > >>
> >> > > >> registers itself, plus supplies a callback itself with a request
> >> token
> >> > > >> >  request
> >> > > >>
> >> > > >>
> >> > > >> callback url is passed in this request, however this request is
> >> done
> >> > in
> >> > > >> backend through URLConnection so it's not visible at UI.
> >> > > >>
> >> > > >> Cheers, Lukasz
> >> > > >>
> >> > > >> W dniu 2 sierpnia 2010 13:36 użytkownik Łukasz Moreń <
> >> > > >> [hidden email]
> >> > > >> > napisał:
> >> > > >>
> >> > > >> > Hi,
> >> > > >> > I've committed changes I've made:
> >> > > >> > - added possibility to register new OAuth client applications
> at
> >> > OAuth
> >> > > >> > server
> >> > > >> > - OAuth demos moved to distribution\src\main\samples\
> >> > > >> > - added README to OAuth demos
> >> > > >> > - fixes in pom.xml files
> >> > > >> >
> >> > > >> >  - fix the checkstyle errors and move the demo to the
> >> > > >> >
> >> > > >> > ""distribution/src/main/release/samples/"" area and also add
> >> Readme;
> >> > > >> after
> >> > > >> >
> >> > > >> > building the distribution (mvn install in trunk/distribution)
> you
> >> > can
> >> > > >> >> easily
> >> > > >> >
> >> > > >> > verify the demo can be run by locating in the target.
> >> > > >> >
> >> > > >> >
> >> > > >> > fixed that, and added readme
> >> > > >> >
> >> > > >> >
> >> > > >> >> - add the oauth dependency in the parent pom so that the
> >> rs/oauth
> >> > > >> module
> >> > > >> >> can
> >> > > >> >
> >> > > >> > depend on it without specifying a version and have the demo
> >> client
> >> > > >> module
> >> > > >> >
> >> > > >> > depending on rt/rs/oauth module instead (similarly to the
> server
> >> > one)
> >> > > >> >
> >> > > >> >
> >> > > >> > done, however demo client doesn't need to depend on rt/rs/oauth as it
> >> > > >> > doesn't use cxf functionality, just on oauth libraries
> >> > > >> >
> >> > > >> >
> >> > > >> >> - during the main build please use the Spring version CXF
> >> depends
> >> > > upon
> >> > > >> and
> >> > > >> >
> >> > > >> > use its -Pspring3 profile to build for the deployment into GAE
> >> > > >> >
> >> > > >> >
> >> > > >> > changed, both client and server demos needs to be build with
> >> > -Pspring3
> >> > > >> for
> >> > > >> > local jetty run and GAE as well.
> >> > > >> > Otherwise I would need use different spring config files for
> >> spring
> >> > > 2.5
> >> > > >> and
> >> > > >> > 3.0.x
> >> > > >> >
> >> > > >> > Cheers, Lukasz
> >> > > >> >
> >> > > >> > W dniu 29 lipca 2010 21:15 użytkownik Sergey Beryozkin <
> >> > > >> > [hidden email]> napisał:
> >> > > >> >
> >> > > >> > Hi
> >> > > >> >>
> >> > > >> >> 2010/7/29 Łukasz Moreń <[hidden email]>
> >> > > >> >>
> >> > > >> >> > Hi,
> >> > > >> >> >
> >> > > >> >> > I'm still working on refactoring and changes in demo you
> >> > suggested.
> >> > > >> >> > I will likely update it tomorrow.
> >> > > >> >> >
> >> > > >> >> > I'll likely ask for some modifications but perhaps if you
> >> could
> >> > > start
> >> > > >> >> with
> >> > > >> >> > > updating the demo
> >> > > >> >> >
> >> > > >> >> > such that a consumer initiates its own registration with the
> >> > OAuth
> >> > > >> >> server.
> >> > > >> >> >
> >> > > >> >> >
> >> > > >> >> > I'm going to put high effort on my GSoC project next weeks.
> I
> >> > would
> >> > > >> >> really
> >> > > >> >> > appreciate,
> >> > > >> >> > if you would have some more modifications
> requests/directions
> >> > which
> >> > > >> >> project
> >> > > >> >> > should go, as you have limited time next week
> >> > > >> >> > and current changes will not take long.
> >> > > >> >> >
> >> > > >> >> > From what I'm seeing, I need to cover spec with code,
> simplify
> >> > > >> >> > configuration
> >> > > >> >> > and do more testing.
> >> > > >> >> >
> >> > > >> >> >
> >> > > >> >> I have to sign off now...Please update the demo so that the
> >> > consumer
> >> > > >> >> registers itself, plus supplies a callback itself with a
> request
> >> > > token
> >> > > >> >> request, add README and it would let users start
> experimenting.
> >> > IMHO
> >> > > >> the
> >> > > >> >> initial phase can be considered complete once there's a demo
> >> there
> >> > > >> which
> >> > > >> >> can
> >> > > >> >> show users what they need to do.
> >> > > >> >>
> >> > > >> >> We can then discuss things further
> >> > > >> >>
> >> > > >> >> cheers, Sergey
> >> > > >> >>
> >> > > >> >>
> >> > > >> >>
> >> > > >> >> > Cheers,
> >> > > >> >> > Lukasz
> >> > > >> >> >
> >> > > >> >> > 2010/7/29 Daniel Kulp <[hidden email]>
> >> > > >> >> >
> >> > > >> >> > >
> >> > > >> >> > > You probably just need to change your deps to:
> >> > > >> >> > >
> >> > > >> >> > > geronimo-servlet_3.0_spec
> >> > > >> >> > >
> >> > > >> >> > >
> >> > > >> >> > > Dan
> >> > > >> >> > >
> >> > > >> >> > >
> >> > > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin
> wrote:
> >> > > >> >> > > > Hi Lucasz
> >> > > >> >> > > >
> >> > > >> >> > > > I can't build the oauth sandbox project, seeing
> >> > > >> >> > > > [ERROR] FATAL ERROR
> >> > > >> >> > > > [INFO]
> >> > > >> >> > > >
> >> > > >> >> >
> >> > > >>
> >> >
> ------------------------------------------------------------------------
> >> > > >> >> > > > [INFO] Error building POM (may not be this project's
> POM).
> >> > > >> >> > > >
> >> > > >> >> > > >
> >> > > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> >> > > >> >> > > > POM Location:
> >> > > >> >> > > >
> >> > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >> > > >> >> > > > Validation Messages:
> >> > > >> >> > > >
> >> > > >> >> > > >     [0]  'dependencies.dependency.version' is missing
> for
> >> > > >> >> > > > org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> >> > > >> >> > > >
> >> > > >> >> > > >
> >> > > >> >> > > > Reason: Failed to validate POM for project
> >> > > >> >> > org.apache.cxf:cxf-rt-rs-oauth
> >> > > >> >> > > > at
> >> > > >> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> >> > > >> >> > > >
> >> > > >> >> > > > so I can not review the latest merge, sorry. I could've
> >> tried
> >> > > to
> >> > > >> fix
> >> > > >> >> > this
> >> > > >> >> > > > issue but I'm not sure if you're finished with the
> >> > refactoring
> >> > > >> just
> >> > > >> >> > yet.
> >> > > >> >> > > > I'll be travelling tomorrow and I'll have some very
> >> limited
> >> > > time
> >> > > >> >> during
> >> > > >> >> > > the
> >> > > >> >> > > > evenings next week but I'll try to provide some feedback
> >> at
> >> > > least
> >> > > >> >> > > >
> >> > > >> >> > > > cheers, Sergey
> >> > > >> >> > > >
> >> > > >> >> > > >
> >> > > >> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
> >> > > >> >> > > >
> >> > > >> >> > > > > Hi Łukasz
> >> > > >> >> > > > >
> >> > > >> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
> >> > > >> >> > > > >
> >> > > >> >> > > > > Hi Sergey,
> >> > > >> >> > > > >
> >> > > >> >> > > > >> I'm really sorry for such commit, I know it shouldn't
> >> > > happen.
> >> > > >> I
> >> > > >> >> > turned
> >> > > >> >> > > > >> off checkstyle as I couldn't configure it properly on
> >> > > intellij
> >> > > >> >> and
> >> > > >> >> > it
> >> > > >> >> > > > >> was annoying during development.
> >> > > >> >> > > > >> I will apply proper changes ASAP.
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> no worries at all, I've broken the real builds with
> >> > > checkstyle
> >> > > >> >> > errors
> >> > > >> >> > > so
> >> > > >> >> > > > >
> >> > > >> >> > > > > many times and it is the CXF sandbox after :-)
> >> > > >> >> > > > >
> >> > > >> >> > > > >> According to the demo, I built it as usual web-app,
> if
> >> it
> >> > > >> worked,
> >> > > >> >> > use
> >> > > >> >> > > > >> this same sources to deploy on GAE.
> >> > > >> >> > > > >> However because of GAE restrictions it always needs
> >> minor
> >> > > >> changes
> >> > > >> >> > > > >> before deploy, i.e. GAE can't read configuration
> files
> >> > such
> >> > > >> as:
> >> > > >> >> > > > >> cxf-extension-http.xml
> >> > > >> >> > > > >> from jars, so I copied it to WEB-INF folder.
> >> > > >> >> > > > >> Committed to svn version does not depend on GAE SDK
> and
> >> can
> >> > > be
> >> > > >> run
> >> > > >> >> > > > >> locally with jetty:run.
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> Yes, I warned about server configuration part:). I
> will
> >> > take
> >> > > >> care
> >> > > >> >> to
> >> > > >> >> > > > >> make it simpler.
> >> > > >> >> > > > >
> >> > > >> >> > > > > I do not think it is too complicated - the
> >> simplification
> >> > can
> >> > > >> be
> >> > > >> >> done
> >> > > >> >> > > > > once the whole flow is sound...
> >> > > >> >> > > > >
> >> > > >> >> > > > >> So far, oauth consumer properties are hardcoded and
> >> > injected
> >> > > >> into
> >> > > >> >> > > > >> oauth provider, as I think it is not oauth library
> >> > > >> responsibility
> >> > > >> >> to
> >> > > >> >> > > > >> deal with consumer registration.
> >> > > >> >> > > > >> However for demo it would be good to have something
> >> like
> >> > > that.
> >> > > >> I
> >> > > >> >> > would
> >> > > >> >> > > > >> do registration form at the server as it is done by
> >> > current
> >> > > >> big
> >> > > >> >> > oauth
> >> > > >> >> > > > >> implementations.
> >> > > >> >> > > > >
> >> > > >> >> > > > > I agree that conceptually the registration of
> consumers
> >> is
> >> > a
> >> > > >> >> separate
> >> > > >> >> > > > > issue. But it is part of the solution that users will
> be
> >> > > >> >> eventually
> >> > > >> >> > > > > offering so just showing them that the consumers have
> to
> >> go
> >> > > and
> >> > > >> >> > > register
> >> > > >> >> > > > > themselves with help people with coming up with some
> >> custom
> >> > > >> >> > > registration
> >> > > >> >> > > > > forms, etc. The registration does not have to be done
> at
> >> > the
> >> > > >> >> server
> >> > > >> >> > > > > hosting the resource, it is just important for the
> OAuth
> >> > > >> provider
> >> > > >> >> be
> >> > > >> >> > > > > able to get to the consumer details. I'm fine with
> >> assuming
> >> > > at
> >> > > >> the
> >> > > >> >> > > > > moment that the registration handler is collocated
> with
> >> the
> >> > > >> >> > > > > endpoints/providers enforcing OAuth flow.
> >> > > >> >> > > > >
> >> > > >> >> > > > > But the callback uri which is being injected at the
> >> moment
> >> > > >> should
> >> > > >> >> go
> >> > > >> >> > > > > anyway given that it is part of the actual flow,
> >> > > specifically,
> >> > > >> the
> >> > > >> >> > > > > consumer provides it during the request token request
> >> > > >> >> > > > >
> >> > > >> >> > > > >> Recently I've noticed that Camel have done oauth
> client
> >> as
> >> > > >> >> well:):
> >> > > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> Thanks much for review, and hints.
> >> > > >> >> > > > >
> >> > > >> >> > > > > thanks for your effort :-)
> >> > > >> >> > > > >
> >> > > >> >> > > > > Sergey
> >> > > >> >> > > > >
> >> > > >> >> > > > >> Cheers,
> >> > > >> >> > > > >> Lukasz
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
> >> > > >> >> > > > >> > Hi Łukasz
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > Sorry for a delay,  I should've come back earlier
> to
> >> > you.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > I've run the demo hosted at the app engine and I
> >> think
> >> > > from
> >> > > >> the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> education
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > point of view it is a good demo and it is handy one
> >> does
> >> > > not
> >> > > >> >> even
> >> > > >> >> > > has
> >> > > >> >> > > > >> > to build anything in order to try it.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > I've had a problem building the rt/rs/oauth tests -
> >> > > there's
> >> > > >> a
> >> > > >> >> > bunch
> >> > > >> >> > > of
> >> > > >> >> > > > >> > CheckStyle errors. Can you please build
> >> > sandbox/oauth_1.0a
> >> > > >> from
> >> > > >> >> > the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> trunk,
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do
> 'mvn
> >> > > >> install'
> >> > > >> >> from
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> rt/rs/ ?
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > One other thing, please move the demo to
> >> > > >> >> > > > >> > "distribution/src/main/release/samples/" as well
> add
> >> > > Readme
> >> > > >> to
> >> > > >> >> it.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > Also I can not build the demo too, the client build
> >> > fails
> >> > > >> with
> >> > > >> >> the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> following
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > dependency missing
> >> > > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth
> pom,
> >> > have
> >> > > >> you
> >> > > >> >> > built
> >> > > >> >> > > it
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> in
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > the GAE dev environment ?
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > Can you please spend a bit of time on cleaning the
> >> build
> >> > a
> >> > > >> bit
> >> > > >> >> :
> >> > > >> >> > > > >> > - fix the checkstyle errors and move the demo to
> the
> >> > > >> >> > > > >> > ""distribution/src/main/release/samples/"" area and
> >> also
> >> > > add
> >> > > >> >> > Readme;
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> after
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > building the distribution (mvn install in
> >> > > >> trunk/distribution)
> >> > > >> >> you
> >> > > >> >> > > can
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> easily
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > verify the demo can be run by locating in the
> target.
> >> > > >> >> > > > >> > - add the oauth dependency in the parent pom so
> that
> >> the
> >> > > >> >> rs/oauth
> >> > > >> >> > > > >> > module
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> can
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > depend on it without specifying a version and have
> >> the
> >> > > demo
> >> > > >> >> client
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> module
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > depending on rt/rs/oauth module instead (similarly
> to
> >> > the
> >> > > >> >> server
> >> > > >> >> > > one)
> >> > > >> >> > > > >> > - during the main build please use the Spring
> version
> >> > CXF
> >> > > >> >> depends
> >> > > >> >> > > upon
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> and
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > use its -Pspring3 profile to build for the
> deployment
> >> > into
> >> > > >> GAE
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > As far as the demo is concerned. I looked at the
> >> server
> >> > > part
> >> > > >> >> and
> >> > > >> >> > it
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> looks
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > complicated enough :-) but I think it makes sense
> to
> >> me.
> >> > > >> I'll
> >> > > >> >> > likely
> >> > > >> >> > > > >> > ask
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> for
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > some modifications but perhaps if you could start
> >> with
> >> > > >> updating
> >> > > >> >> > the
> >> > > >> >> > > > >> > demo such that a consumer initiates its own
> >> registration
> >> > > >> with
> >> > > >> >> the
> >> > > >> >> > > > >> > OAuth
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> server :
> >> > > >> >> > > > >> > I can see at the moment an oauth provider is
> injected
> >> > with
> >> > > >> some
> >> > > >> >> > > sample
> >> > > >> >> > > > >> > consumer properties. I'm not sure what is the best
> >> way
> >> > to
> >> > > do
> >> > > >> it
> >> > > >> >> :
> >> > > >> >> > > may
> >> > > >> >> > > > >> > be
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > server can return a registration form or the client
> >> can
> >> > > just
> >> > > >> >> push
> >> > > >> >> > > the
> >> > > >> >> > > > >> > registration info itself.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > Overall I think it is a good progress indeed
> >> especially
> >> > > >> given
> >> > > >> >> the
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> complexity
> >> > > >> >> > > > >>
> >> > > >> >> > > > >> > of the whole effort.
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > thanks, Sergey
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
> >> > > >> >> > > [hidden email]
> >> > > >> >> > > > >> >
> >> > > >> >> > > > >> >wrote:
> >> > > >> >> > > > >> >> Hi all,
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> I have managed to create two sample OAuth
> >> applications:
> >> > > >> >> > > > >> >> ordinary OAuth 1.0a client:
> >> > > >> >> http://www.oauthclient.appspot.com
> >> > > >> >> > > > >> >> and authorization server that uses CXF OAuth
> module:
> >> > > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> Both sample applications and changes in oauth
> >> library
> >> > are
> >> > > >> >> > committed
> >> > > >> >> > > in
> >> > > >> >> > > > >> >> sandbox.
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> OAuth configuration in sample authorization server
> >> app
> >> > > >> looks a
> >> > > >> >> > bit
> >> > > >> >> > > > >> >> awfully but I think most of that can be hidden and
> >> done
> >> > > out
> >> > > >> of
> >> > > >> >> > > band.
> >> > > >> >> > > > >> >> There is still some areas in specification not
> >> covered
> >> > by
> >> > > >> >> > > > >> >> implementation, so I would like to take care of
> that
> >> in
> >> > > >> next
> >> > > >> >> > steps.
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> Thanks in advance for some feedback.
> >> > > >> >> > > > >> >>
> >> > > >> >> > > > >> >> Cheers,
> >> > > >> >> > > > >> >> Lukasz
> >> > > >> >> > >
> >> > > >> >> > > --
> >> > > >> >> > > Daniel Kulp
> >> > > >> >> > > [hidden email]
> >> > > >> >> > > http://dankulp.com/blog
> >> > > >> >> > >
> >> > > >> >> >
> >> > > >> >>
> >> > > >> >
> >> > > >> >
> >> > > >>
> >> > > >
> >> > > >
> >> > >
> >> >
> >>
> >
> >
>
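The callback check discussed in this thread (the callback sent with the request token request must start with the URI given at consumer registration, and 'oob' falls back to the registered one) and the URI scopes (a grant for http://bar covers http://bar/1), as an added example that is not CXF or sandbox code. The class and method names and the client.example URIs are assumptions; the strict variant compares parsed URI components, because a raw String.startsWith also accepts a different host or path that merely begins with the same characters.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not CXF or sandbox code. Names and sample URIs are assumptions.
public class CallbackUriCheck {

    // The check as literally described: a raw string prefix test.
    static boolean naiveStartsWith(String registered, String supplied) {
        return supplied.startsWith(registered);
    }

    // Component-wise test: same scheme, host and port, and the candidate path
    // equal to the base path or below it on a "/" boundary.
    static boolean isUnder(String base, String candidate) {
        URI b;
        URI c;
        try {
            b = new URI(base).normalize();
            c = new URI(candidate).normalize();
        } catch (URISyntaxException e) {
            return false; // unparsable input never matches
        }
        if (b.getScheme() == null || c.getScheme() == null
                || b.getHost() == null || c.getHost() == null) {
            return false; // relative or opaque URIs are rejected
        }
        if (c.getRawUserInfo() != null) {
            return false; // no user:password@ part in a callback or resource URI
        }
        if (!b.getScheme().equalsIgnoreCase(c.getScheme())
                || !b.getHost().equalsIgnoreCase(c.getHost())
                || port(b) != port(c)) {
            return false;
        }
        String bp = path(b);
        String cp = path(c);
        if (hasDotSegment(cp)) {
            return false; // dot segments left after decoding, e.g. %2e%2e
        }
        String prefix = bp.endsWith("/") ? bp : bp + "/";
        return cp.equals(bp) || cp.startsWith(prefix);
    }

    static int port(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        if ("https".equalsIgnoreCase(u.getScheme())) {
            return 443;
        }
        return "http".equalsIgnoreCase(u.getScheme()) ? 80 : -1;
    }

    static String path(URI u) {
        String p = u.getPath(); // decoded path
        return (p == null || p.isEmpty()) ? "/" : p;
    }

    static boolean hasDotSegment(String decodedPath) {
        for (String seg : decodedPath.split("/")) {
            if (seg.equals("..") || seg.equals(".")) {
                return true;
            }
        }
        return false;
    }

    // Request token step: decide which callback the server will redirect to.
    static String resolveCallback(String registered, String supplied) {
        if (supplied == null || supplied.isEmpty()) {
            throw new IllegalArgumentException("oauth_callback is required");
        }
        if ("oob".equals(supplied)) {
            return registered; // out of band: use the pre-registered value
        }
        if (!isUnder(registered, supplied)) {
            throw new IllegalArgumentException("callback does not match registration");
        }
        return supplied;
    }

    public static void main(String[] args) {
        String registered = "http://client.example/app"; // constructed sample
        String[] supplied = {
            "http://client.example/app/callback",
            "http://client.example/application/callback",
            "http://client.example/app/../other",
        };
        for (String s : supplied) {
            System.out.printf("%-45s naive=%-5b strict=%b%n",
                    s, naiveStartsWith(registered, s), isUnder(registered, s));
        }
        System.out.println("oob -> " + resolveCallback(registered, "oob"));

        String scope = "http://bar"; // the scope URI used in the thread
        String[] requests = {"http://bar", "http://bar/1", "http://bar/2",
            "http://bar.other.example/1"};
        for (String r : requests) {
            System.out.printf("%-45s naive=%-5b strict=%b%n",
                    r, naiveStartsWith(scope, r), isUnder(scope, r));
        }
    }
}
```

Only the first callback and the three http://bar URIs pass the strict test; the raw prefix test accepts every sample.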

Re: OAuth client and server demos

Łukasz Moreń
Yes, it helps.
For me it looks good to associate permissions and scope with access token.
I think I will do something similar in cxf.

Btw, I've updated resteasy recently and saw changes in oauth module.:)

Cheers,
Lukasz

2010/8/18 Sergey Beryozkin <[hidden email]>

> Hi Łukasz
>
> 2010/8/16 Łukasz Moreń <[hidden email]>
>
> > Hi,
> >
> > I've made changes in demo according to your comments.
> >
>
> thanks.
>
>
> > I will do 'gsoc' tag on my branch to distinguish current gsoc work from
> > future changes, as today is 'firm pencil down' date.
> >
> > ok.
>
>
> > I would like to do additional changes in oauth module.
> >
>
> nice :-).
>
>
> > Access token should be connected with some kind of 'scope' that specifies
> > a range of  resources it allows to access or operations to invoke.
> >
> > For example in RestEasy implementation access token is associated with
> set
> > of principal roles.
> > If there is valid access token in the request, oauth filter set user
> roles
> > associated with token to ServletRequest and let pass it further.
> >
> > I'm wondering how it can be done in cxf. I would appreciate some help on
> > that.
> >
> >
> Believe it or not but I've changed all that as part of the work I've been
> doing recently.
> Specifically, I've removed the association of roles & principal with access
> tokens.
> Instead I've introduced permissions which is really what can be requested
> by
> a consumer and publicly
> shown to the end user, example, "Are you ok with letting 3rd party consumer
> "doSomething" with your resources" ?. where "doSomething" can be pretty much
> any expression like "updateYourAlbom", etc, while roles could be "user",
> etc.
>
> It is then a job of filters/login modules/etc to convert permissions into
> the actual roles, as well as retrieve an authenticated Principal.
>
> I've also added "scopes" which are URIs, which I 'borrowed' from the Google
> docs. Example, a consumer may request a permission to "doSomething" at
> http://bar. If authorized it can access http://bar, http://bar/1,
> http://bar/2
>
> Does it help ? Any comments ?
>
> cheers, Sergey
>
>
> Cheers,
> > Lukasz
> >
> > 2010/8/14 Łukasz Moreń <[hidden email]>
> >
> > > Hi Sergey,
> > >
> > > Thanks for feedback. More comments below.
> > >
> > > 2010/8/13 Sergey Beryozkin <[hidden email]>
> > >
> > >> Hi Lucasz
> > >>
> > >>
> > >> 2010/8/13 Łukasz Moreń <[hidden email]>
> > >>
> > >> > Hi Sergey,
> > >> >
> > >> > I've added some improvements to demo and protocol implementation.
> > >> > I hope this time build will be fine.
> > >> >
> > >> >
> > >> I've had no problems building this time. Thanks for sorting the build
> > >> issues
> > >> out.
> > >> The only minor hitch is that I had to add
> > >> <relativePath>../../pom.xml</relativePath>
> > >> to both oauth client & server demo modules in order to build them. Not
> > >> sure
> > >> if I could've built them by running
> > >> 'mvn install' from  samples directly (in
> > distribution/target/.../samples)
> > >> given that we also have to use -Pspring3. Not a big issue - please
> > recheck
> > >> just in case...
> > >>
> > >
> > > Yes, I think I need to add relativePath to pom.
> > >
> > >
> > >>
> > >> So I've started server and client web apps and run the demo easily. So
> > >> it's
> > >> all nearly there, and IMHO the project is in a good shape, as far as
> > GSOC
> > >> is
> > >> concerned. Hopefully you can continue on preparing it to the move to
> the
> > >> trunk :-)
> > >>
> > >> Here're some comments to the existing demo - see if you could do
> > anything
> > >> till 16th, if not then it can be dealt with later on.
> > >>
> > >>
> > > I will try to do as much as possible till 16-th. There is still plenty
> to
> > > do as I see from your comments and
> > > myself so missing things I will add later.
> > >
> > >
> > >
> > >> The client registration form requires a user to register a callback
> URI.
> > >> But
> > >> I understand that a callback URI is only provided by a client, when
> > >> requesting a temp/request token ? That said, requiring what I'd call a
> > >> 'connect' or "reply-to" URI registered during the (secure) client
> > >> registration process may help with enforcing that the actual callback
> > URI
> > >> provided by the client *matches* the one provided at the registration,
> > >> using
> > >> a startsWith function. I've seen it in the Facebook docs and I also
> did
> > >> something similar in my own project - is this the idea ?
> > >>
> > > If yes - then please check it's a startsWith check that is used - but
> > also
> > >
> > > consider making providing a callback URI optional at the client
> > >> registration
> > >
> > > time
> > >
> > >
> > > Yes, I used it for that reason. It can be just passed with request token
> > > request. All current OAuth 1.0 servers I've seen need to preregister
> > > callback URI,
> > > and as you said they check if both uri matches.
> > > There is also possibility to pass 'oob' (out of band) value as callback
> > URI
> > > which means has been established via other means,
> > > so then server use preregistered value. However I think this option is
> > used
> > > in case of native apps.
> > >  .
> > >
> > >> The other thing is that a client key is also generated. This is
> probably
> > >> correct but I'm wondering would it make sense to let the consumer
> > register
> > >> its own key but the authorization server to only generate the shared
> > >> secret.
> > >> Consumer might also want to optionally provide its description such as
> > >> "OAuth 1.0 client" as in the demo, etc.  This might make it a bit
> > simpler
> > >> for a client (i.e, it will only have to manage a shared secret).
> > >>
> > >
> > > Yes I think it makes sense. So far consumer key is just hash from
> > > application name and user who registers consumer.
> > >
> > >
> > >
> > >> In a client webapp a PLAINTEXT option is offered - is it OAuth 2.0
> like
> > >> thing where HTTPS is assumed ? I'd just consider removing this option
> > and
> > >> have only hmac-sha1 left.
> > >>
> > >
> > > I think it's something similar, however there is no signatures in OAuth
> > 2.0
> > > and  access_token is assumed to be short lived,
> > > ideally one per request, issuing new tokens is done by refresh_token
> > > parameter.
> > >
> > >
> > >> This is probably it so far. I'm not very excited about JSPs being used
> > in
> > >> the demo :-) but I guess it is not too bad and shows something that
> many
> > >> people would consider doing in practice.
> > >>
> > >
> > > I was not sure about using JSP's neither:), but I wanted to show
> > basically
> > > how oauth could be added to existing apps
> > >  and hadn't other idea how to replace them.
> > >
> > >
> > >>
> > >> Overall it is a really good effort toward helping CXF users to
> > >> start/experiment with OAuth.
> > >>
> > >
> > >
> > > Cheers,
> > > Lukasz
> > >
> > >
> > >
> > >>
> > >> Thanks
> > >>
> > >> Sergey
> > >>
> > >>
> > >> Cheers,
> > >> > Lukasz
> > >> >
> > >> > 2010/8/13 Sergey Beryozkin <[hidden email]>
> > >> >
> > >> > > Hi Łukasz
> > >> > >
> > >> > > I can see the merges flowing :-), I'll be reviewing your work
> > tonight;
> > >> > >
> > >> > > to the list : we've exchanged few private emails to do with build
> > >> issues
> > >> > I
> > >> > > was encountering and Łukasz
> > >> > >  addressed them fast; we also agreed that for the initial phase
> > making
> > >> a
> > >> > > demo easy to understand and build upon was the main goal...
> > >> > >
> > >> > > cheers, Sergey
> > >> > >
> > >> > > 2010/8/5 Sergey Beryozkin <[hidden email]>
> > >> > >
> > >> > > > Hi Łukasz
> > >> > > >
> > >> > > > can you please fix checkstyle errors in the demo...
> > >> > > > Re the callback uri : I think one of the providers on the server
> > is
> > >> > > > configured with the callback URI
> > >> > > >
> > >> > > > thanks, Sergey
> > >> > > >
> > >> > > >
> > >> > > > 2010/8/2 Łukasz Moreń <[hidden email]>
> > >> > > >
> > >> > > > >
> > >> > > >> > Please update the demo so that the consume
> > >> > > >>
> > >> > > >> registers itself, plus supplies a callback itself with a
> request
> > >> token
> > >> > > >> >  request
> > >> > > >>
> > >> > > >>
> > >> > > >> callback url is passed in this request, however this request is
> > >> done
> > >> > in
> > >> > > >> backend through URLConnection so it's not visible at UI.
> > >> > > >>
> > >> > > >> Cheers, Lukasz
> > >> > > >>
> > >> > > >> On 2 August 2010 at 13:36, Łukasz Moreń <
> > >> > > >> [hidden email]
> > >> > > >> > wrote:
> > >> > > >>
> > >> > > >> > Hi,
> > >> > > >> > I've committed changes I've made:
> > >> > > >> > - added possibility to register new OAuth client applications
> > at
> > >> > OAuth
> > >> > > >> > server
> > >> > > >> > - OAuth demos moved to distribution\src\main\samples\
> > >> > > >> > - added README to OAuth demos
> > >> > > >> > - fixes in pom.xml files
> > >> > > >> >
> > >> > > >> >  - fix the checkstyle errors and move the demo to the
> > >> > > >> >
> > >> > > >> > ""distribution/src/main/release/samples/"" area and also add
> > >> Readme;
> > >> > > >> after
> > >> > > >> >
> > >> > > >> > building the distribution (mvn install in trunk/distribution)
> > you
> > >> > can
> > >> > > >> >> easily
> > >> > > >> >
> > >> > > >> > verify the demo can be run by locating in the target.
> > >> > > >> >
> > >> > > >> >
> > >> > > >> > fixed that, and added readme
> > >> > > >> >
> > >> > > >> >
> > >> > > >> >> - add the oauth dependency in the parent pom so that the
> > >> rs/oauth
> > >> > > >> module
> > >> > > >> >> can
> > >> > > >> >
> > >> > > >> > depend on it without specifying a version and have the demo
> > >> client
> > >> > > >> module
> > >> > > >> >
> > >> > > >> > depending on rt/rs/oauth module instead (similarly to the
> > server
> > >> > one)
> > >> > > >> >
> > >> > > >> >
> > >> > > >> > done, however demo client doesn't need to depend on rt/rs/oauth
> > as
> > >> it
> > >> > > >> doesn't
> > >> > > >> > use cxf functionality, just on oauth libraries
> > >> > > >> >
> > >> > > >> >
> > >> > > >> >> - during the main build please use the Spring version CXF
> > >> depends
> > >> > > upon
> > >> > > >> and
> > >> > > >> >
> > >> > > >> > use its -Pspring3 profile to build for the deployment into
> GAE
> > >> > > >> >
> > >> > > >> >
> > >> > > >> > changed, both client and server demos needs to be build with
> > >> > -Pspring3
> > >> > > >> for
> > >> > > >> > local jetty run and GAE as well.
> > >> > > >> > Otherwise I would need use different spring config files for
> > >> spring
> > >> > > 2.5
> > >> > > >> and
> > >> > > >> > 3.0.x
> > >> > > >> >
> > >> > > >> > Cheers, Lukasz
> > >> > > >> >
> > >> > > >> > On 29 July 2010 at 21:15, Sergey Beryozkin <
> > >> > > >> > [hidden email]> wrote:
> > >> > > >> >
> > >> > > >> > Hi
> > >> > > >> >>
> > >> > > >> >> 2010/7/29 Łukasz Moreń <[hidden email]>
> > >> > > >> >>
> > >> > > >> >> > Hi,
> > >> > > >> >> >
> > >> > > >> >> > I'm still working on refactoring and changes in demo you
> > >> > suggested.
> > >> > > >> >> > I will likely update it tomorrow.
> > >> > > >> >> >
> > >> > > >> >> > I'll likely ask for some modifications but perhaps if you
> > >> could
> > >> > > start
> > >> > > >> >> with
> > >> > > >> >> > > updating the demo
> > >> > > >> >> >
> > >> > > >> >> > such that a consumer initiates its own registration with
> the
> > >> > OAuth
> > >> > > >> >> server.
> > >> > > >> >> >
> > >> > > >> >> >
> > >> > > >> >> > I'm going to put high effort on my GSoC project next
> weeks.
> > I
> > >> > would
> > >> > > >> >> really
> > >> > > >> >> > appreciate,
> > >> > > >> >> > if you would have some more modifications
> > requests/directions
> > >> > which
> > >> > > >> >> project
> > >> > > >> >> > should go, as you have limited time next week
> > >> > > >> >> > and current changes will not take long.
> > >> > > >> >> >
> > >> > > >> >> > From what I'm seeing, I need to cover spec with code,
> > simplify
> > >> > > >> >> > configuration
> > >> > > >> >> > and do more testing.
> > >> > > >> >> >
> > >> > > >> >> >
> > >> > > >> >> I have to sign off now...Please update the demo so that the
> > >> > consumer
> > >> > > >> >> registers itself, plus supplies a callback itself with a
> > request
> > >> > > token
> > >> > > >> >> request, add README and it would let users start
> > experimenting.
> > >> > IMHO
> > >> > > >> the
> > >> > > >> >> initial phase can be considered complete once there's a demo
> > >> there
> > >> > > >> which
> > >> > > >> >> can
> > >> > > >> >> show users what they need to do.
> > >> > > >> >>
> > >> > > >> >> We can then discuss things further
> > >> > > >> >>
> > >> > > >> >> cheers, Sergey
> > >> > > >> >>
> > >> > > >> >>
> > >> > > >> >>
> > >> > > >> >> > Cheers,
> > >> > > >> >> > Lukasz
> > >> > > >> >> >
> > >> > > >> >> > 2010/7/29 Daniel Kulp <[hidden email]>
> > >> > > >> >> >
> > >> > > >> >> > >
> > >> > > >> >> > > You probably just need to change your deps to:
> > >> > > >> >> > >
> > >> > > >> >> > > geronimo-servlet_3.0_spec
> > >> > > >> >> > >
> > >> > > >> >> > >
> > >> > > >> >> > > Dan
> > >> > > >> >> > >
> > >> > > >> >> > >
> > >> > > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin
> > wrote:
> > >> > > >> >> > > > Hi Lucasz
> > >> > > >> >> > > >
> > >> > > >> >> > > > I can't build the oauth sandbox project, seeing
> > >> > > >> >> > > > [ERROR] FATAL ERROR
> > >> > > >> >> > > > [INFO]
> > >> > > >> >> > > >
> > >> > > >> >> >
> > >> > > >>
> > >> >
> > ------------------------------------------------------------------------
> > >> > > >> >> > > > [INFO] Error building POM (may not be this project's
> > POM).
> > >> > > >> >> > > >
> > >> > > >> >> > > >
> > >> > > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> > >> > > >> >> > > > POM Location:
> > >> > > >> >> > > >
> > >> > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > >> > > >> >> > > > Validation Messages:
> > >> > > >> >> > > >
> > >> > > >> >> > > >     [0]  'dependencies.dependency.version' is missing
> > for
> > >> > > >> >> > > >
> org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> > >> > > >> >> > > >
> > >> > > >> >> > > >
> > >> > > >> >> > > > Reason: Failed to validate POM for project
> > >> > > >> >> > org.apache.cxf:cxf-rt-rs-oauth
> > >> > > >> >> > > > at
> > >> > > >>
> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > >> > > >> >> > > >
> > >> > > >> >> > > > so I can not review the latest merge, sorry. I
> could've
> > >> tried
> > >> > > to
> > >> > > >> fix
> > >> > > >> >> > this
> > >> > > >> >> > > > issue but I'm not sure if you're finished with the
> > >> > refactoring
> > >> > > >> just
> > >> > > >> >> > yet.
> > >> > > >> >> > > > I'll be travelling tomorrow and I'll have some very
> > >> limited
> > >> > > time
> > >> > > >> >> during
> > >> > > >> >> > > the
> > >> > > >> >> > > > evenings next week but I'll try to provide some
> feedback
> > >> at
> > >> > > least
> > >> > > >> >> > > >
> > >> > > >> >> > > > cheers, Sergey
> > >> > > >> >> > > >
> > >> > > >> >> > > >
> > >> > > >> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
> > >> > > >> >> > > >
> > >> > > >> >> > > > > Hi Łukasz
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > Hi Sergey,
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> I'm really sorry for such commit, I know it
> shouldn't
> > >> > > happen.
> > >> > > >> I
> > >> > > >> >> > turned
> > >> > > >> >> > > > >> off checkstyle as I couldn't configure it properly
> on
> > >> > > intellij
> > >> > > >> >> and
> > >> > > >> >> > it
> > >> > > >> >> > > > >> was annoying during development.
> > >> > > >> >> > > > >> I will apply proper changes ASAP.
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> no worries at all, I've broken the real builds with
> > >> > > checkstyle
> > >> > > >> >> > errors
> > >> > > >> >> > > so
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > many times and it is the CXF sandbox after :-)
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> According to the demo, I built it as usual web-app,
> > if
> > >> it
> > >> > > >> worked,
> > >> > > >> >> > use
> > >> > > >> >> > > > >> this same sources to deploy on GAE.
> > >> > > >> >> > > > >> However because of GAE restrictions it always needs
> > >> minor
> > >> > > >> changes
> > >> > > >> >> > > > >> before deploy, i.e. GAE can't read configuration
> > files
> > >> > such
> > >> > > >> as:
> > >> > > >> >> > > > >> cxf-extension-http.xml
> > >> > > >> >> > > > >> from jars, so I copied it to WEB-INF folder.
> > >> > > >> >> > > > >> Committed to svn version does not depend on GAE SDK
> > and
> > >> can
> > >> > > be
> > >> > > >> run
> > >> > > >> >> > > > >> locally with jetty:run.
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> Yes, I warned about server configuration part:). I
> > will
> > >> > take
> > >> > > >> care
> > >> > > >> >> to
> > >> > > >> >> > > > >> make it simpler.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > I do not think it is too complicated - the
> > >> simplification
> > >> > can
> > >> > > >> be
> > >> > > >> >> done
> > >> > > >> >> > > > > once the whole flow is sound...
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> So far, oauth consumer properties are hardcoded and
> > >> > injected
> > >> > > >> into
> > >> > > >> >> > > > >> oauth provider, as I think it is not oauth library
> > >> > > >> responsibility
> > >> > > >> >> to
> > >> > > >> >> > > > >> deal with consumer registration.
> > >> > > >> >> > > > >> However for demo it would be good to have something
> > >> like
> > >> > > that.
> > >> > > >> I
> > >> > > >> >> > would
> > >> > > >> >> > > > >> do registration form at the server as it is done by
> > >> > current
> > >> > > >> big
> > >> > > >> >> > oauth
> > >> > > >> >> > > > >> implementations.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > I agree that conceptually the registration of
> > consumers
> > >> is
> > >> > a
> > >> > > >> >> separate
> > >> > > >> >> > > > > issue. But it is part of the solution that users
> will
> > be
> > >> > > >> >> eventually
> > >> > > >> >> > > > > offering so just showing them that the consumers
> have
> > to
> > >> go
> > >> > > and
> > >> > > >> >> > > register
> > >> > > >> >> > > > > themselves with help people with coming up with some
> > >> custom
> > >> > > >> >> > > registration
> > >> > > >> >> > > > > forms, etc. The registration does not have to be
> done
> > at
> > >> > the
> > >> > > >> >> server
> > >> > > >> >> > > > > hosting the resource, it is just important for the
> > OAuth
> > >> > > >> provider
> > >> > > >> >> be
> > >> > > >> >> > > > > able to get to the consumer details. I'm fine with
> > >> assuming
> > >> > > at
> > >> > > >> the
> > >> > > >> >> > > > > moment that the registration handler is collocated
> > with
> > >> the
> > >> > > >> >> > > > > endpoints/providers enforcing OAuth flow.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > But the callback uri which is being injected at the
> > >> moment
> > >> > > >> should
> > >> > > >> >> go
> > >> > > >> >> > > > > anyway given that it is part of the actual flow,
> > >> > > specifically,
> > >> > > >> the
> > >> > > >> >> > > > > consumer provides it during the request token
> request
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> Recently I've noticed that Camel have done oauth
> > client
> > >> as
> > >> > > >> >> well:):
> > >> > > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> Thanks much for review, and hints.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > thanks for your effort :-)
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > Sergey
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> Cheers,
> > >> > > >> >> > > > >> Lukasz
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]>:
> > >> > > >> >> > > > >> > Hi Łukasz
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > Sorry for a delay,  I should've come back earlier
> > to
> > >> > you.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > I've run the demo hosted at the app engine and I
> > >> think
> > >> > > from
> > >> > > >> the
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> education
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > point of view it is a good demo and it is handy
> one
> > >> does
> > >> > > not
> > >> > > >> >> even
> > >> > > >> >> > > has
> > >> > > >> >> > > > >> > to build anything in order to try it.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > I've had a problem building the rt/rs/oauth tests
> -
> > >> > > there's
> > >> > > >> a
> > >> > > >> >> > bunch
> > >> > > >> >> > > of
> > >> > > >> >> > > > >> > CheckStyle errors. Can you please build
> > >> > sandbox/oauth_1.0a
> > >> > > >> from
> > >> > > >> >> > the
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> trunk,
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do
> > 'mvn
> > >> > > >> install'
> > >> > > >> >> from
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> rt/rs/ ?
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > One other thing, please move the demo to
> > >> > > >> >> > > > >> > "distribution/src/main/release/samples/" as well
> > add
> > >> > > Readme
> > >> > > >> to
> > >> > > >> >> it.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > Also I can not build the demo too, the client
> build
> > >> > fails
> > >> > > >> with
> > >> > > >> >> the
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> following
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > dependency missing
> > >> > > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth
> > pom,
> > >> > have
> > >> > > >> you
> > >> > > >> >> > built
> > >> > > >> >> > > it
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> in
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > the GAE dev environment ?
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > Can you please spend a bit of time on cleaning
> the
> > >> build
> > >> > a
> > >> > > >> bit
> > >> > > >> >> :
> > >> > > >> >> > > > >> > - fix the checkstyle errors and move the demo to
> > the
> > >> > > >> >> > > > >> > ""distribution/src/main/release/samples/"" area
> and
> > >> also
> > >> > > add
> > >> > > >> >> > Readme;
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> after
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > building the distribution (mvn install in
> > >> > > >> trunk/distribution)
> > >> > > >> >> you
> > >> > > >> >> > > can
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> easily
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > verify the demo can be run by locating in the
> > target.
> > >> > > >> >> > > > >> > - add the oauth dependency in the parent pom so
> > that
> > >> the
> > >> > > >> >> rs/oauth
> > >> > > >> >> > > > >> > module
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> can
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > depend on it without specifying a version and
> have
> > >> the
> > >> > > demo
> > >> > > >> >> client
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> module
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > depending on rt/rs/oauth module instead
> (similarly
> > to
> > >> > the
> > >> > > >> >> server
> > >> > > >> >> > > one)
> > >> > > >> >> > > > >> > - during the main build please use the Spring
> > version
> > >> > CXF
> > >> > > >> >> depends
> > >> > > >> >> > > upon
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> and
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > use its -Pspring3 profile to build for the
> > deployment
> > >> > into
> > >> > > >> GAE
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > As far as the demo is concerned. I looked at the
> > >> server
> > >> > > part
> > >> > > >> >> and
> > >> > > >> >> > it
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> looks
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > complicated enough :-) but I think it makes sense
> > to
> > >> me.
> > >> > > >> I'll
> > >> > > >> >> > likely
> > >> > > >> >> > > > >> > ask
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> for
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > some modifications but perhaps if you could start
> > >> with
> > >> > > >> updating
> > >> > > >> >> > the
> > >> > > >> >> > > > >> > demo such that a consumer initiates its own
> > >> registration
> > >> > > >> with
> > >> > > >> >> the
> > >> > > >> >> > > > >> > OAuth
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> server :
> > >> > > >> >> > > > >> > I can see at the moment an oauth provider is
> > injected
> > >> > with
> > >> > > >> some
> > >> > > >> >> > > sample
> > >> > > >> >> > > > >> > consumer properties. I'm not sure what is the
> best
> > >> way
> > >> > to
> > >> > > do
> > >> > > >> it
> > >> > > >> >> :
> > >> > > >> >> > > may
> > >> > > >> >> > > > >> > be
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> the
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > server can return a registration form or the
> client
> > >> can
> > >> > > just
> > >> > > >> >> push
> > >> > > >> >> > > the
> > >> > > >> >> > > > >> > registration info itself.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > Overall I think it is a good progress indeed
> > >> especially
> > >> > > >> given
> > >> > > >> >> the
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> complexity
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> > of the whole effort.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > thanks, Sergey
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <
> > >> > > >> >> > > [hidden email]
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> >wrote:
> > >> > > >> >> > > > >> >> Hi all,
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> I have managed to create two sample OAuth
> > >> applications:
> > >> > > >> >> > > > >> >> ordinary OAuth 1.0a client:
> > >> > > >> >> http://www.oauthclient.appspot.com
> > >> > > >> >> > > > >> >> and authorization server that uses CXF OAuth
> > module:
> > >> > > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> Both sample applications and changes in oauth
> > >> library
> > >> > are
> > >> > > >> >> > committed
> > >> > > >> >> > > in
> > >> > > >> >> > > > >> >> sandbox.
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> OAuth configuration in sample authorization
> server
> > >> app
> > >> > > >> looks a
> > >> > > >> >> > bit
> > >> > > >> >> > > > >> >> awfully but I think most of that can be hidden
> and
> > >> done
> > >> > > out
> > >> > > >> of
> > >> > > >> >> > > band.
> > >> > > >> >> > > > >> >> There is still some areas in specification not
> > >> covered
> > >> > by
> > >> > > >> >> > > > >> >> implementation, so I would like to take care of
> > that
> > >> in
> > >> > > >> next
> > >> > > >> >> > steps.
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> Thanks in advance for some feedback.
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> Cheers,
> > >> > > >> >> > > > >> >> Lukasz
> > >> > > >> >> > >
> > >> > > >> >> > > --
> > >> > > >> >> > > Daniel Kulp
> > >> > > >> >> > > [hidden email]
> > >> > > >> >> > > http://dankulp.com/blog
> > >> > > >> >> > >
> > >> > > >> >> >
> > >> > > >> >>
> > >> > > >> >
> > >> > > >> >
> > >> > > >>
> > >> > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> > >
> > >
> >
>

Re: OAuth client and server demos

Łukasz Moreń
I committed basic scopes handling some time ago. More info about that:

The client requests an access token for a set of scopes, similarly to OAuth
2.0. OAuth 1.0 was missing that, so I added an 'x_scope' parameter.
These scopes are presented to the user with a friendly description, so he
knows what the access allows. Every scope has an assigned Java role.
An OAuth filter finds the roles associated with the provided access token, puts
them into the request and lets the request go further. It's the authorization
framework's job to deal with authorization.
It allows integration with security annotations like @RolesAllowed, or
Spring's @Secured, but I need to work more on that.

Cheers,
Lukasz
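
The scope handling described in the post above, as an added example that is not part of the original post or of the CXF OAuth module: it validates the 'x_scope' parameter against registered scopes, builds the consent text shown to the user, and binds roles to the access token for a later isUserInRole-style check. The class and method names, the scope and role names, the token values and the space-separated 'x_scope' format are assumptions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class ScopeRoleDemo {

    /** One scope the server offers: consent text for the user and the role it grants. */
    static final class Scope {
        final String description;
        final String role;

        Scope(String description, String role) {
            this.description = description;
            this.role = role;
        }
    }

    // Constructed registry: scope names, descriptions and role names are hypothetical.
    static final Map<String, Scope> REGISTRY = new LinkedHashMap<>();
    static {
        REGISTRY.put("read_calendar", new Scope("Read your calendar", "ROLE_CALENDAR_READ"));
        REGISTRY.put("modify_calendar", new Scope("Change your calendar", "ROLE_CALENDAR_WRITE"));
        REGISTRY.put("read_profile", new Scope("Read your profile", "ROLE_PROFILE_READ"));
    }

    // Access token -> roles bound to it when the user approved the request.
    static final Map<String, Set<String>> TOKEN_ROLES = new HashMap<>();

    /**
     * Parses the x_scope request parameter (assumed space-separated). An unknown
     * scope rejects the whole request instead of being dropped silently, so a
     * client never receives a token that differs from what it asked for.
     */
    static List<String> parseScopes(String xScope) {
        if (xScope == null || xScope.trim().isEmpty()) {
            throw new IllegalArgumentException("x_scope is missing");
        }
        Set<String> names = new LinkedHashSet<>();
        for (String name : xScope.trim().split("\\s+")) {
            if (!REGISTRY.containsKey(name)) {
                throw new IllegalArgumentException("unknown scope: " + name);
            }
            names.add(name);
        }
        return new ArrayList<>(names);
    }

    /** Lines for the authorization page: the user sees descriptions, not role names. */
    static List<String> consentLines(List<String> requested) {
        List<String> lines = new ArrayList<>();
        for (String name : requested) {
            lines.add(REGISTRY.get(name).description);
        }
        return lines;
    }

    /**
     * Binds roles to a newly issued access token. Only scopes that were both
     * requested by the client (output of parseScopes) and approved by the user
     * contribute a role.
     */
    static void issueToken(String token, List<String> requested, Set<String> approved) {
        Set<String> roles = new LinkedHashSet<>();
        for (String name : requested) {
            if (approved.contains(name)) {
                roles.add(REGISTRY.get(name).role);
            }
        }
        TOKEN_ROLES.put(token, Collections.unmodifiableSet(roles));
    }

    /** What the filter does per request: look up roles; an unknown token gets none. */
    static Set<String> rolesFor(String token) {
        Set<String> roles = TOKEN_ROLES.get(token);
        return roles == null ? Collections.<String>emptySet() : roles;
    }

    /** The check a framework makes for @RolesAllowed once the filter has set the roles. */
    static boolean isUserInRole(String token, String role) {
        return rolesFor(token).contains(role);
    }

    public static void main(String[] args) {
        List<String> requested = parseScopes("read_calendar modify_calendar");
        System.out.println("Consent page: " + consentLines(requested));

        // The user approves only read access; the token value is constructed.
        Set<String> approved = Collections.singleton("read_calendar");
        issueToken("tok-constructed-1", requested, approved);

        System.out.println("read:  " + isUserInRole("tok-constructed-1", "ROLE_CALENDAR_READ"));
        System.out.println("write: " + isUserInRole("tok-constructed-1", "ROLE_CALENDAR_WRITE"));
        System.out.println("unknown token: " + isUserInRole("tok-unknown", "ROLE_CALENDAR_READ"));

        try {
            parseScopes("read_calendar admin");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```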

2010/8/19 Łukasz Moreń <[hidden email]>

> Yes, it helps.
> For me it looks good to associate permissions and scope with access token.
> I think I will do something similar in cxf.
>
> Btw, I've updated resteasy recently and saw changes in oauth module.:)
>
> Cheers,
> Lukasz
>
> 2010/8/18 Sergey Beryozkin <[hidden email]>
>
> Hi Łukasz
>>
>> 2010/8/16 Łukasz Moreń <[hidden email]>
>>
>> > Hi,
>> >
>> > I've made changes in demo according to your comments.
>> >
>>
>> thanks.
>>
>>
>> > I will do 'gsoc' tag on my branch to distinguish current gsoc work from
>> > future changes, as today is 'firm pencil down' date.
>> >
>> > ok.
>>
>>
>> > I would like to do additional changes in oauth module.
>> >
>>
>> nice :-).
>>
>>
>> > Access token should be connected with some kind of 'scope' that
>> specifies
>> > a range of  resources it allows to access or operations to invoke.
>> >
>> > For example in RestEasy implementation access token is associated with
>> set
>> > of principal roles.
>> > If there is valid access token in the request, oauth filter set user
>> roles
>> > associated with token to ServletRequest and let pass it further.
>> >
>> > I'm wondering how it can be done in cxf. I would appreciate some help on
>> > that.
>> >
>> >
>> Believe it or not but I've changed all that as part of the work I've been
>> doing recently.
>> Specifically, I've removed the association of roles & principal with
>> access
>> tokens.
>> Instead I've introduced permissions which is really what can be requested
>> by
>> a consumer and publicly
>> shown to the end user, example, "Are you ok with letting 3rd party
>> consumer
>> "doSomething" with your resources" ?. where "doSometing" can be pretty
>> much
>> any expression like "updateYourAlbom", etc, while roles could be "user",
>> etc.
>>
>> It is then a job of filters/login modules/etc to convert permissions into
>> the actual roles, as well as retrieve an authenticated Principal.
>>
>> I've also added "scopes" which are URIs, which I 'borrowed' from the
>> Google
>> docs. Example, a consumer may request a permission to "doSomething" at
>> http://bar. If authorized it can access http://bar, http://bar/1,
>> http://bar/2
>>
>> Does it help ? Any comments ?
>>
>> cheers, Sergey
>>
>>
>> Cheers,
>> > Lukasz
>> >
>> > 2010/8/14 Łukasz Moreń <[hidden email]>
>> >
>> > > Hi Sergey,
>> > >
>> > > Thanks for feedback. More comments below.
>> > >
>> > > 2010/8/13 Sergey Beryozkin <[hidden email]>
>> > >
>> > >> Hi Lucasz
>> > >>
>> > >>
>> > >> 2010/8/13 Łukasz Moreń <[hidden email]>
>> > >>
>> > >> > Hi Sergey,
>> > >> >
>> > >> > I've added some improvements to demo and protocol implementation.
>> > >> > I hope this time build will be fine.
>> > >> >
>> > >> >
>> > >> I've had no problems building this time. Thanks for sorting the build
>> > >> issues
>> > >> out.
>> > >> The only minor hitch is that I had to add
>> > >> <relativePath>../../pom.xml</relativePath>
>> > >> to both oauth client & server demo modules in order to build them.
>> Not
>> > >> sure
>> > >> if I could've built them by running
>> > >> 'mvn install' from  samples directly (in
>> > distribution/target/.../samples)
>> > >> given that we also have to use -Pspring3. Not a big issue - please
>> > recheck
>> > >> just in case...
>> > >>
>> > >
>> > > Yes, I think I need to add relativePath to pom.
>> > >
>> > >
>> > >>
>> > >> So I've started server and client web apps and run the demo easily.
>> So
>> > >> it's
>> > >> all nearly there, and IMHO the project is in a good shape, as far as
>> > GSOC
>> > >> is
>> > >> concerned. Hopefully you can continue on preparing it to the move to
>> the
>> > >> trunk :-)
>> > >>
>> > >> Here're some comments to the existing demo - see if you could do
>> > anything
>> > >> till 16th, if not then it can be dealt with later on.
>> > >>
>> > >>
>> > > I will try do to as much as possible till 16-th. There is still plenty
>> to
>> > > do as I see from your comments and
>> > > myself so missing things I will add later.
>> > >
>> > >
>> > >
>> > >> The client registration form requires a user to register a callback
>> URI.
>> > >> But
>> > >> I understand that a callback URI is only provided by a client, when
>> > >> requesting a temp/request token ? That said, requiring what I'd call
>> a
>> > >> 'connect' or "reply-to" URI registered during the (secure) client
>> > >> registration process may help with enforcing that the actual callback
>> > URI
>> > >> provided by the client *matches* the one provided at the
>> registration,
>> > >> using
>> > >> a startsWith function. I've seen it in the Facebook docs and I also
>> did
>> > >> something similar in my own project - is this the idea ?
>> > >>
>> > > If yes - then please check it's a startsWith check that is used - but
>> > also
>> > >
>> > > consider making providing a callback URI optional at the client
>> > >> registration
>> > >
>> > > time
>> > >
>> > >
>> > > Yes, I used it for that reason. It can be just passed with request
>> token
>> > > request. All current OAuth 1.0 servers I've seen need to preregister
>> > > callback URI,
>> > > and as you said they check if both uri matches.
>> > > There is also possibility to pass 'oob' (out of band) value as
>> callback
>> > URI
>> > > which means has been established via other means,
>> > > so then server use preregistered value. However I think this option is
>> > used
>> > > in case of native apps.
>> > >  .
>> > >
>> > >> The other thing is that a client key is also generated. This is
>> probably
>> > >> correct but I'm wondering would it make sense to let the consumer
>> > register
>> > >> its own key but the authorization server to only generate the shared
>> > >> secret.
>> > >> Consumer might also want to optionally provide its description such
>> as
>> > >> "OAuth 1.0 client" as in the demo, etc.  This might make it a bit
>> > simpler
>> > >> for a client (i.e, it will only have to manage a shared secret).
>> > >>
>> > >
>> > > Yes I think it makes sense. So far consumer key is just hash from
>> > > application name and user who registers consumer.
>> > >
>> > >
>> > >
>> > >> In a client webapp a PLAINTEXT option is offered - is it OAuth 2.0
>> like
>> > >> thing where HTTPS is assumed ? I'd just consider removing this option
>> > and
>> > >> have only hmac-sha1 left.
>> > >>
>> > >
>> > > I think it's something similar, however there is no signatures in
>> OAuth
>> > 2.0
>> > > and  access_token is assumed to be short lived,
>> > > ideally one per request, issuing new tokens is done by refresh_token
>> > > parameter.
>> > >
>> > >
>> > >> This is probably it so far. I'm not very excited about JSPs being
>> used
>> > in
>> > >> the demo :-) but I guess it is not too bad and shows something that
>> many
>> > >> people would consider doing in practice.
>> > >>
>> > >
>> > > I was not sure about using JSP's neither:), but I wanted to show
>> > basically
>> > > how oauth could be added to existing apps
>> > >  and hadn't other idea how to replace them.
>> > >
>> > >
>> > >>
>> > >> Overall it is a really good effort toward helping CXF users to
>> > >> start/experiment with OAuth.
>> > >>
>> > >
>> > >
>> > > Cheers,
>> > > Lukasz
>> > >
>> > >
>> > >
>> > >>
>> > >> Thanks
>> > >>
>> > >> Sergey
>> > >>
>> > >>
>> > >> Cheers,
>> > >> > Lukasz
>> > >> >
>> > >> > 2010/8/13 Sergey Beryozkin <[hidden email]>
>> > >> >
>> > >> > > Hi Łukasz
>> > >> > >
>> > >> > > I can see the merges flowing :-), I'll be reviewing your work
>> > tonight;
>> > >> > >
>> > >> > > to the list : we've exchanged few private emails to do with build
>> > >> issues
>> > >> > I
>> > >> > > was encountering and Łukasz
>> > >> > >  addressed them fast; we also agreed that for the initial phase
>> > making
>> > >> a
>> > >> > > demo easy to understand and build upon was the main goal...
>> > >> > >
>> > >> > > cheers, Sergey
>> > >> > >
>> > >> > > 2010/8/5 Sergey Beryozkin <[hidden email]>
>> > >> > >
>> > >> > > > Hi Łukasz
>> > >> > > >
>> > >> > > > can you please fix checkstyle errors in the demo...
>> > >> > > > Re the callback uri : I think one of the providers on the
>> server
>> > is
>> > >> > > > configured with the callback URI
>> > >> > > >
>> > >> > > > thanks, Sergey
>> > >> > > >
>> > >> > > >
>> > >> > > > 2010/8/2 Łukasz Moreń <[hidden email]>
>> > >> > > >
>> > >> > > > >
>> > >> > > >> > Please update the demo so that the consume
>> > >> > > >>
>> > >> > > >> registers itself, plus supplies a callback itself with a
>> request
>> > >> token
>> > >> > > >> >  request
>> > >> > > >>
>> > >> > > >>
>> > >> > > >> callback url is passed in this request, however this request
>> is
>> > >> done
>> > >> > in
>> > >> > > >> backend through URLConnection so it's not visible at UI.
>> > >> > > >>
>> > >> > > >> Cheers, Lukasz
>> > >> > > >>
>> > >> > > >> On 2 August 2010 13:36, Łukasz Moreń <[hidden email]> wrote:
>> > >> > > >>
>> > >> > > >> > Hi,
>> > >> > > >> > I've committed changes I've made:
>> > >> > > >> > - added possibility to register new OAuth client
>> applications
>> > at
>> > >> > OAuth
>> > >> > > >> > server
>> > >> > > >> > - OAuth demos moved to distribution\src\main\samples\
>> > >> > > >> > - added README to OAuth demos
>> > >> > > >> > - fixes in pom.xml files
>> > >> > > >> >
>> > >> > > >> >  - fix the checkstyle errors and move the demo to the
>> > >> > > >> >
>> > >> > > >> > ""distribution/src/main/release/samples/"" area and also add
>> > >> Readme;
>> > >> > > >> after
>> > >> > > >> >
>> > >> > > >> > building the distribution (mvn install in
>> trunk/distribution)
>> > you
>> > >> > can
>> > >> > > >> >> easily
>> > >> > > >> >
>> > >> > > >> > verify the demo can be run by locating in the target.
>> > >> > > >> >
>> > >> > > >> >
>> > >> > > >> > fixed that, and added readme
>> > >> > > >> >
>> > >> > > >> >
>> > >> > > >> >> - add the oauth dependency in the parent pom so that the
>> > >> rs/oauth
>> > >> > > >> module
>> > >> > > >> >> can
>> > >> > > >> >
>> > >> > > >> > depend on it without specifying a version and have the demo
>> > >> client
>> > >> > > >> module
>> > >> > > >> >
>> > >> > > >> > depending on rt/rs/oauth module instead (similarly to the
>> > server
>> > >> > one)
>> > >> > > >> >
>> > >> > > >> >
>> > >> > > >> > done, however demo client doesn't need to depend on
>> rt/rs/oauth
>> > as
>> > >> it
>> > >> > > >> doesn't
>> > >> > > >> > use cxf functionality, just on oauth libraries
>> > >> > > >> >
>> > >> > > >> >
>> > >> > > >> >> - during the main build please use the Spring version CXF
>> > >> depends
>> > >> > > upon
>> > >> > > >> and
>> > >> > > >> >
>> > >> > > >> > use its -Pspring3 profile to build for the deployment into
>> GAE
>> > >> > > >> >
>> > >> > > >> >
>> > >> > > >> > changed, both client and server demos needs to be build with
>> > >> > -Pspring3
>> > >> > > >> for
>> > >> > > >> > local jetty run and GAE as well.
>> > >> > > >> > Otherwise I would need use different spring config files for
>> > >> spring
>> > >> > > 2.5
>> > >> > > >> and
>> > >> > > >> > 3.0.x
>> > >> > > >> >
>> > >> > > >> > Cheers, Lukasz
>> > >> > > >> >
>> > >> > > >> > On 29 July 2010 21:15, Sergey Beryozkin <[hidden email]> wrote:
>> > >> > > >> >
>> > >> > > >> > Hi
>> > >> > > >> >>
>> > >> > > >> >> 2010/7/29 Łukasz Moreń <[hidden email]>
>> > >> > > >> >>
>> > >> > > >> >> > Hi,
>> > >> > > >> >> >
>> > >> > > >> >> > I'm still working on refactoring and changes in demo you
>> > >> > suggested.
>> > >> > > >> >> > I will likely update it tomorrow.
>> > >> > > >> >> >
>> > >> > > >> >> > I'll likely ask for some modifications but perhaps if you
>> > >> could
>> > >> > > start
>> > >> > > >> >> with
>> > >> > > >> >> > > updating the demo
>> > >> > > >> >> >
>> > >> > > >> >> > such that a consumer initiates its own registration with
>> the
>> > >> > OAuth
>> > >> > > >> >> server.
>> > >> > > >> >> >
>> > >> > > >> >> >
>> > >> > > >> >> > I'm going to put high effort on my GSoC project next
>> weeks.
>> > I
>> > >> > would
>> > >> > > >> >> really
>> > >> > > >> >> > appreciate,
>> > >> > > >> >> > if you would have some more modifications
>> > requests/directions
>> > >> > which
>> > >> > > >> >> project
>> > >> > > >> >> > should go, as you have limited time next week
>> > >> > > >> >> > and current changes will not take long.
>> > >> > > >> >> >
>> > >> > > >> >> > From what I'm seeing, I need to cover spec with code,
>> > simplify
>> > >> > > >> >> > configuration
>> > >> > > >> >> > and do more testing.
>> > >> > > >> >> >
>> > >> > > >> >> >
>> > >> > > >> >> I have to sign off now...Please update the demo so that the
>> > >> > consumer
>> > >> > > >> >> registers itself, plus supplies a callback itself with a
>> > request
>> > >> > > token
>> > >> > > >> >> request, add README and it would let users start
>> > experimenting.
>> > >> > IMHO
>> > >> > > >> the
>> > >> > > >> >> initial phase can be considered complete once there's a
>> demo
>> > >> there
>> > >> > > >> which
>> > >> > > >> >> can
>> > >> > > >> >> show users what they need to do.
>> > >> > > >> >>
>> > >> > > >> >> We can then discuss things further
>> > >> > > >> >>
>> > >> > > >> >> cheers, Sergey
>> > >> > > >> >>
>> > >> > > >> >>
>> > >> > > >> >>
>> > >> > > >> >> > Cheers,
>> > >> > > >> >> > Lukasz
>> > >> > > >> >> >
>> > >> > > >> >> > 2010/7/29 Daniel Kulp <[hidden email]>
>> > >> > > >> >> >
>> > >> > > >> >> > >
>> > >> > > >> >> > > You probably just need to change your deps to:
>> > >> > > >> >> > >
>> > >> > > >> >> > > geronimo-servlet_3.0_spec
>> > >> > > >> >> > >
>> > >> > > >> >> > >
>> > >> > > >> >> > > Dan
>> > >> > > >> >> > >
>> > >> > > >> >> > >
>> > >> > > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin
>> > wrote:
>> > >> > > >> >> > > > Hi Lucasz
>> > >> > > >> >> > > >
>> > >> > > >> >> > > > I can't build the oauth sandbox project, seeing
>> > >> > > >> >> > > > [ERROR] FATAL ERROR
>> > >> > > >> >> > > > [INFO]
>> > >> > > >> >> > > >
>> > >> > > >> >> >
>> > >> > > >>
>> > >> >
>> > ------------------------------------------------------------------------
>> > >> > > >> >> > > > [INFO] Error building POM (may not be this project's
>> > POM).
>> > >> > > >> >> > > >
>> > >> > > >> >> > > >
>> > >> > > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
>> > >> > > >> >> > > > POM Location:
>> > >> > > >> >> > > >
>> > >> > > /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>> > >> > > >> >> > > > Validation Messages:
>> > >> > > >> >> > > >
>> > >> > > >> >> > > >     [0]  'dependencies.dependency.version' is missing
>> > for
>> > >> > > >> >> > > >
>> org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
>> > >> > > >> >> > > >
>> > >> > > >> >> > > >
>> > >> > > >> >> > > > Reason: Failed to validate POM for project
>> > >> > > >> >> > org.apache.cxf:cxf-rt-rs-oauth
>> > >> > > >> >> > > > at
>> > >> > > >>
>> /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
>> > >> > > >> >> > > >
>> > >> > > >> >> > > > so I can not review the latest merge, sorry. I
>> could've
>> > >> tried
>> > >> > > to
>> > >> > > >> fix
>> > >> > > >> >> > this
>> > >> > > >> >> > > > issue but I'm not sure if you're finished with the
>> > >> > refactoring
>> > >> > > >> just
>> > >> > > >> >> > yet.
>> > >> > > >> >> > > > I'll be travelling tomorrow and I'll have some very
>> > >> limited
>> > >> > > time
>> > >> > > >> >> during
>> > >> > > >> >> > > the
>> > >> > > >> >> > > > evenings next week but I'll try to provide some
>> feedback
>> > >> at
>> > >> > > least
>> > >> > > >> >> > > >
>> > >> > > >> >> > > > cheers, Sergey
>> > >> > > >> >> > > >
>> > >> > > >> >> > > >
>> > >> > > >> >> > > > 2010/7/26 Sergey Beryozkin <[hidden email]>
>> > >> > > >> >> > > >
>> > >> > > >> >> > > > > Hi Łukasz
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > > 2010/7/26 Łukasz Moreń <[hidden email]>
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > > Hi Sergey,
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > >> I'm really sorry for such commit, I know it
>> shouldn't
>> > >> > > happen.
>> > >> > > >> I
>> > >> > > >> >> > turned
>> > >> > > >> >> > > > >> off checkstyle as i couldn't configure it properly
>> on
>> > >> > > intellij
>> > >> > > >> >> and
>> > >> > > >> >> > it
>> > >> > > >> >> > > > >> was annoying during development.
>> > >> > > >> >> > > > >> I will apply proper changes ASAP.
>> > >> > > >> >> > > > >>
>> > >> > > >> >> > > > >> no worries at all, I've broken the real builds
>> with
>> > >> > > checkstyle
>> > >> > > >> >> > errors
>> > >> > > >> >> > > so
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > > many times and it is the CXF sandbox after :-)
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > >> According to the demo, I built it as usual
>> web-app,
>> > if
>> > >> it
>> > >> > > >> worked,
>> > >> > > >> >> > use
>> > >> > > >> >> > > > >> this same sources to deploy on GAE.
>> > >> > > >> >> > > > >> However because of GAE restrictions it always
>> needs
>> > >> minor
>> > >> > > >> changes
>> > >> > > >> >> > > > >> before deploy, i.e. GAE can't read configuration
>> > files
>> > >> > such
>> > >> > > >> as:
>> > >> > > >> >> > > > >> cxf-extension-http.xml
>> > >> > > >> >> > > > >> from jars, so I copied it to WEB-INF folder.
>> > >> > > >> >> > > > >> Committed to svn version does not depend on GAE SDK
>> > and
>> > >> can
>> > >> > > be
>> > >> > > >> run
>> > >> > > >> >> > > > >> locally with jetty:run.
>> > >> > > >> >> > > > >>
>> > >> > > >> >> > > > >> Yes, I warned about server configuration part:). I
>> > will
>> > >> > take
>> > >> > > >> care
>> > >> > > >> >> to
>> > >> > > >> >> > > > >> make it simpler.
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > > I do not think it is too complicated - the
>> > >> simplification
>> > >> > can
>> > >> > > >> be
>> > >> > > >> >> done
>> > >> > > >> >> > > > > once the whole flow is sound...
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > >> So far, oauth consumer properties are hardcoded
>> and
>> > >> > injected
>> > >> > > >> into
>> > >> > > >> >> > > > >> oauth provider, as I think it is not oauth library
>> > >> > > >> responsibility
>> > >> > > >> >> to
>> > >> > > >> >> > > > >> deal with consumer registration.
>> > >> > > >> >> > > > >> However for demo it would be good to have
>> something
>> > >> like
>> > >> > > that.
>> > >> > > >> I
>> > >> > > >> >> > would
>> > >> > > >> >> > > > >> do registration form at the server as it is done
>> by
>> > >> > current
>> > >> > > >> big
>> > >> > > >> >> > oauth
>> > >> > > >> >> > > > >> implementations.
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > > I agree that conceptually the registration of
>> > consumers
>> > >> is
>> > >> > a
>> > >> > > >> >> separate
>> > >> > > >> >> > > > > issue. But it is part of the solution that users
>> will
>> > be
>> > >> > > >> >> eventually
>> > >> > > >> >> > > > > offering so just showing them that the consumers
>> have
>> > to
>> > >> go
>> > >> > > and
>> > >> > > >> >> > > register
>> > >> > > >> >> > > > > themselves with help people with coming up with
>> some
>> > >> custom
>> > >> > > >> >> > > registration
>> > >> > > >> >> > > > > forms, etc. The registration does not have to be
>> done
>> > at
>> > >> > the
>> > >> > > >> >> server
>> > >> > > >> >> > > > > hosting the resource, it is just important for the
>> > OAuth
>> > >> > > >> provider
>> > >> > > >> >> be
>> > >> > > >> >> > > > > able to get to the consumer details. I'm fine with
>> > >> assuming
>> > >> > > at
>> > >> > > >> the
>> > >> > > >> >> > > > > moment that the registration handler is collocated
>> > with
>> > >> the
>> > >> > > >> >> > > > > endpoints/providers enforcing OAuth flow.
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > > But the callback uri which is being injected at the
>> > >> moment
>> > >> > > >> should
>> > >> > > >> >> go
>> > >> > > >> >> > > > > anyway given that it is part of the actual flow,
>> > >> > > specifically,
>> > >> > > >> the
>> > >> > > >> >> > > > > consumer provides it during the request token
>> request
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > >> Recently I've noticed that Camel have done oauth
>> > client
>> > >> as
>> > >> > > >> >> well:):
>> > >> > > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
>> > >> > > >> >> > > > >>
>> > >> > > >> >> > > > >> Thanks much for review, and hints.
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > > thanks for your effort :-)
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > > Sergey
>> > >> > > >> >> > > > >
>> > >> > > >> >> > > > >> Cheers,
>> > >> > > >> >> > > > >> Lukasz
>> > >> > > >> >> > > > >>
>> > >> > > >> >> > > > >> 2010/7/24 Sergey Beryozkin <[hidden email]
>> >:
>> > >> > > >> >> > > > >> > Hi Łukasz
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > Sorry for a delay, I should've come back earlier to you.
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > I've run the demo hosted at the app engine and I think from the education
>> > >> > > >> >> > > > >> > point of view it is a good demo and it is handy one does not even have
>> > >> > > >> >> > > > >> > to build anything in order to try it.
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > I've had a problem building the rt/rs/oauth tests - there's a bunch of
>> > >> > > >> >> > > > >> > CheckStyle errors. Can you please build sandbox/oauth_1.0a from the trunk,
>> > >> > > >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn install' from rt/rs/ ?
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > One other thing, please move the demo to
>> > >> > > >> >> > > > >> > "distribution/src/main/release/samples/" as well add Readme to it.
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > Also I can not build the demo too, the client build fails with the following
>> > >> > > >> >> > > > >> > dependency missing
>> > >> > > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom, have you built it in
>> > >> > > >> >> > > > >> > the GAE dev environment ?
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > Can you please spend a bit of time on cleaning the build a bit :
>> > >> > > >> >> > > > >> > - fix the checkstyle errors and move the demo to the
>> > >> > > >> >> > > > >> > "distribution/src/main/release/samples/" area and also add Readme; after
>> > >> > > >> >> > > > >> > building the distribution (mvn install in trunk/distribution) you can easily
>> > >> > > >> >> > > > >> > verify the demo can be run by locating in the target.
>> > >> > > >> >> > > > >> > - add the oauth dependency in the parent pom so that the rs/oauth module can
>> > >> > > >> >> > > > >> > depend on it without specifying a version and have the demo client module
>> > >> > > >> >> > > > >> > depending on rt/rs/oauth module instead (similarly to the server one)
>> > >> > > >> >> > > > >> > - during the main build please use the Spring version CXF depends upon and
>> > >> > > >> >> > > > >> > use its -Pspring3 profile to build for the deployment into GAE
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > As far as the demo is concerned. I looked at the server part and it looks
>> > >> > > >> >> > > > >> > complicated enough :-) but I think it makes sense to me. I'll likely ask for
>> > >> > > >> >> > > > >> > some modifications but perhaps if you could start with updating the
>> > >> > > >> >> > > > >> > demo such that a consumer initiates its own registration with the OAuth server :
>> > >> > > >> >> > > > >> > I can see at the moment an oauth provider is injected with some sample
>> > >> > > >> >> > > > >> > consumer properties. I'm not sure what is the best way to do it : may be the
>> > >> > > >> >> > > > >> > server can return a registration form or the client can just push the
>> > >> > > >> >> > > > >> > registration info itself.
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > Overall I think it is a good progress indeed especially given the complexity
>> > >> > > >> >> > > > >> > of the whole effort.
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > thanks, Sergey
>> > >> > > >> >> > > > >> >
>> > >> > > >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <[hidden email]> wrote:
>> > >> > > >> >> > > > >> >> Hi all,
>> > >> > > >> >> > > > >> >>
>> > >> > > >> >> > > > >> >> I have managed to create two sample OAuth applications:
>> > >> > > >> >> > > > >> >> ordinary OAuth 1.0a client: http://www.oauthclient.appspot.com
>> > >> > > >> >> > > > >> >> and authorization server that uses CXF OAuth module:
>> > >> > > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
>> > >> > > >> >> > > > >> >>
>> > >> > > >> >> > > > >> >> Both sample applications and changes in oauth library are committed in
>> > >> > > >> >> > > > >> >> sandbox.
>> > >> > > >> >> > > > >> >>
>> > >> > > >> >> > > > >> >> OAuth configuration in sample authorization server app looks a bit
>> > >> > > >> >> > > > >> >> awful but I think most of that can be hidden and done out of band.
>> > >> > > >> >> > > > >> >> There are still some areas in specification not covered by
>> > >> > > >> >> > > > >> >> implementation, so I would like to take care of that in next steps.
>> > >> > > >> >> > > > >> >>
>> > >> > > >> >> > > > >> >> Thanks in advance for some feedback.
>> > >> > > >> >> > > > >> >>
>> > >> > > >> >> > > > >> >> Cheers,
>> > >> > > >> >> > > > >> >> Lukasz
>> > >> > > >> >> > >
>> > >> > > >> >> > > --
>> > >> > > >> >> > > Daniel Kulp
>> > >> > > >> >> > > [hidden email]
>> > >> > > >> >> > > http://dankulp.com/blog
>> > >> > > >> >> > >