2010/11/16 Ivo Ladage-van Doorn <Ivo.Ladage-vanDoorn at gxsoftware.com>:
> Hi All,
>
>
> I'm looking in more detail to the oAuth improvements scheduled for 0.1.0.
> Currently, oAuth provisioning is implemented by Shindig which registers an
> oAuth servlet that supports generating the request tokens, authorizing
> tokens and exchanging request for access tokens. Despite the fact that this
> is not yet completely implemented (i.e. three legged oAuth is not yet
> supported), we need to think about how we should position oAuth support in
> Amdatu.
>
> In my opinion, oAuth support (client-side and server-side) should be
> implemented completely independent from OpenSocial, Shindig, Gadgets, etc.

Agreed, I'd like to see this standalone.

> Any (REST, gadget, etc.) service should be able to authenticate consumers
> against oAuth and register itself as an oAuth provider. Consumers might be
> gadgets but could very well be other REST or OSGi services.

Yes, I'd also like a service API for requesting tokens and doing signed requests.

> So my proposal would be to move oAuth to a separate independent oAuth bundle
> and from the opensocial project to the amdatu-authorization project. oAuth
> actually is about authentication, not authorization, but that is more of a
> naming issue of the project I think ("amdatu-authorization&authentication").
> It certainly doesn't belong to amdatu-opensocial or amdatu-web, and also not

Isn't it a subproject in its own right? I'm not really clear on what the scope, purpose or responsibility of amdatu-authorization is. I think a subproject should be a coherent set of bundles that perform a function (call it a composite if you will) and I do not yet see that for this one. E.g. oauth should not have anything to do with a login gadget. The former is more of a generic service where the latter is a specific application level component. Feels like layer skipping to me.

> in amdatu-core I think. Furthermore, I would like to use the net.oauth
> library in that bundle (not Scribe since it doesn't support oAuth
> provisioning). See also issue http://jira.amdatu.org/jira/browse/AMDATU-181

It does not seem to have an SPI for the HTTP wire which is kind of a shame. In general I think we should guard against too many ad-hoc point-to-point connections all over the place. That will create a configuration/deployment/configuration nightmare. Then again, neither does Scribe it appears :)

Regards,
Bram

