Hi Jacques,

The LDAP plugin can be split into 2 parts, LDAP and CAS client. The LDAP part can be removed, because Adrian Crum implemented it in framework/security; he insisted it's earlier than mine, and I agree now. The CAS client can be merged into the passport plugin. Personally I think the CAS protocol is the origin of OAuth2 and many others, and it's stricter than OAuth2 as its service token can be used/validated only once, to prevent naughty children at Yale University from reusing the service tokens; typically an access token in OAuth2 has a much longer lifetime (from hours to months).

The CAS plugin I mentioned is a cas-server, to make OFBiz a central OAuth2 provider. It's not related to OFBIZ-10307; it's part of the WebPOS2 contribution I promised last year. Adding a method attribute in the request map (OFBIZ-10438) is the 1st step, the CAS plugin is the 2nd step, an OpenAPI (swagger) plugin is the 3rd step, then the WebPOS2 (Angular) plugin, and perhaps a Wechat/Facebook (React) mini app further on. Not in a hurry, we can achieve it step by step :) Briefly, this belongs to the mobile support line. I'll try to open a blockchain support line when the community has common interests in the blockchain area.

Kind Regards,

Shi Jinghai

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: 20 August 2018 15:59
To: dev@ofbiz.apache.org
Subject: Re: OFBIZ-10307: Navigate from a domain to another with automated signed in authentication

Hi Jinghai,

I'm not sure why you want to create a CAS plugin. At least it's unrelated to OFBIZ-10307

Also are you aware of https://demo-trunk.ofbiz.apache.org/cmssite/cms/APACHE_OFBIZ_HTML#CASLDAP ? Does this still work? Do we need a new plugin?

Thanks

Jacques

On 19/08/2018 at 22:00, Shi Jinghai wrote:
> Thanks Jacques!
>
> If so, I'll release a CAS plugin to make OFBiz offer OAuth2 alliance next week. I have cas 4.2.x running in a production environment; I'll upgrade it to cas 5.2.x and then release it.
>
> -----Original Message-----
> From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
> Sent: 19 August 2018 18:34
> To: dev@ofbiz.apache.org
> Subject: Re: OFBIZ-10307: Navigate from a domain to another with automated signed in authentication
>
> Hi Jinghai,
>
> Actually I did not pick auth0 (not to be confused with https://en.wikipedia.org/wiki/OAuth) nor https://oauth.net/2/ because those need a central Identity server (as does the SAML protocol).
>
> I simply send a JWT token: https://en.wikipedia.org/wiki/JSON_Web_Token and https://jwt.io/ to
>
> Please refer to OFBIZ-10307 "Navigate from a domain to another with automated signed in authentication"
>
> Thanks for your interest.
>
> Jacques
>
> On 17/08/2018 at 09:02, Shi Jinghai wrote:
>> Hi Jacques,
>>
>> OK, I think the Redis topic has jumped to the next step.
>>
>> I have read the patches carefully; as a fan of Apereo CAS[1], I wonder why you chose auth0[2] rather than CAS. And is the implementation an OAuth2 alliance?
>>
>> [1] https://github.com/apereo/cas
>> [2] https://auth0.com/
>>
>> Kind Regards,
>>
>> Shi Jinghai
>>
>> -----Original Message-----
>> From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
>> Sent: 16 August 2018 2:08
>> To: dev@ofbiz.apache.org
>> Subject: Re: OFBIZ-10307: Navigate from a domain to another with automated signed in authentication
>>
>> Hi Jinghai,
>>
>> The problem with the token master secret key is to guarantee its secrecy at max.
>>
>> We already discussed different solutions at https://s.apache.org/7yyR and https://s.apache.org/IBDM
>>
>> How is Redis more secure than Postgres for storing values?
>>
>> Thanks
>>
>> Jacques
>>
>> On 15/08/2018 at 14:37, Shi Jinghai wrote:
>>> Dear Jacques,
>>>
>>> On how to store the tokens: as a token is a key and the value is the UserLogin entity and/or other info, a key-value DB, Redis[1], is a good choice. Redis is no. 7 in the DB ranking in Aug 2018[2] and becomes more and more popular. Goldman Sachs invested in the Redis team last year[3]. It's a common view now in China that Redis is better than any others including Gemfire of Pivotal; the railway ticket system of China replaced its 3 Gemfire clusters with 3 Redis clusters last year and then there were far fewer complaints about how difficult it is to buy spring festival tickets.
>>>
>>> Mr. Dai Haipeng contributed a Redis component in Jira[4].
>>>
>>> [1] https://redis.io/
>>> [2] https://db-engines.com/en/ranking
>>> [3] https://redislabs.com/press/redis-labs-secures-44-million-funding-led-goldman-sachs-private-capital-investing-strengthen-database-leadership/
>>> [4] https://issues.apache.org/jira/browse/OFBIZ-9829
>>>
>>> BTW, I'll try to review the patches.
>>>
>>> Kind Regards,
>>>
>>> Shi Jinghai
>>>
>>> -----Original Message-----
>>> From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
>>> Sent: 15 August 2018 15:09
>>> To: dev@ofbiz.apache.org
>>> Subject: OFBIZ-10307: Navigate from a domain to another with automated signed in authentication
>>>
>>> Hi,
>>>
>>> Some time ago I created https://issues.apache.org/jira/browse/OFBIZ-10307.
>>>
>>> I asked for reviews but only Taher answered, and he asked to know the goal of this new feature.
>>>
>>> It was actually developed for a client who needed to get from one OFBiz instance on a server (on a domain) to another OFBiz instance on another server (on another domain) without having to sign up between the 2 while keeping things secure.
>>>
>>> There could be many reasons why you want to split an OFBiz application across servers. In their case it was for performance issues.
>>>
>>> The technology used is as secure as possible. Like OAuth 2.0 it uses a token but it does not need a middle authorization server (think of two-factor authentication) because it's only for OFBiz instances of the same version.
>>>
>>> To commit this work we need 1st to agree and commit the work done by Deepak at OFBIZ-9833 "Token Based Authentication" that I use in my last patch.
>>>
>>> For me there is only one question outstanding: how to store the Token secret. But this should not prevent us from committing Deepak's work.
>>>
>>> It's now a long time (9 months) since I started this work. And my last patch has been ready for a month.
>>>
>>> I crossed several issues which are now all resolved. So please review and reply to this thread.
>>>
>>> Without well-argued negative comments I'll commit both OFBIZ-9833 and OFBIZ-10307 in a week. You can always test and review later, we use RTC.
>>>
>>> Also a veto on a commit is always possible... Of course, as ever, a good consensus is preferred.
>>>
>>> Let me know if you need more information about the goal. For the technical details I think I already provided them in OFBIZ-10307.
>>>
>>> Jacques