+1 (non-binding)

On Tue, May 4, 2010 at 3:48 PM, Simone Gianni <simo...@apache.org> wrote:

> I would like to present for a vote the following proposal to be sponsored
> by
> the Shindig PMC for a new "Amber" podling.  The goal is to build a
> community
> around delivering a OAuth v1.0, v1.0a and upcoming v2.0 API and
> implementation
>
> The proposal is available on the wiki at and included below:
>
> http://wiki.apache.org/incubator/AmberProposal
>
> [] +1  to accept Amber into the Incubator
> []  0  don't care
> [] -1  object and reason why.
>
> Thanks,
> Simone Gianni
>
> --- Proposal text from the wiki ---
>
> = Amber =
> == Abstract ==
> The following proposal is about Apache Amber, a Java development framework
> mainly aimed to build OAuth-aware applications. After a brief explanation
> of
> the OAuth protocol, the following proposal describes how Apache Amber
> solves
> issues related to the implementation of applications that adhere to such
> specification.
>
> == Proposal ==
> Amber will have no or negligible dependencies and will provide both an API
> specification for, and an unconditionally compliant implementation of, the
> OAuth v1.0, v1.0a and v2.0 specifications. The API specification will be
> provided as a separate JAR file allowing re-use by other developers and
> permits configuration:
>
>  * by XML
>  * by the Java JAR Services "ServiceLoader" mechanism
>  * programmatically
>
> The API component specifies that an implementation must provide default
> classes for Provider, Consumer and Token objects making Amber easy to
> integrate with existing infrastructure and OAuth client interactions
> possible with virtually no additional configuration. The API is flexible
> enough to allow programmatic customisation or replacement of much of the
> implementation, including the default HTTP transport.
>
> Amber will provide both client and server functionality, enabling
> developers
> to deploy robust OAuth services with minimal effort.
>
> == Background ==
> Roughly, OAuth is a mechanism that allows users to share their private
> resources, like photo, videos or contacts, stored on a site with another
> site avoiding giving their username and password credentials. Hence, from
> the user point-of-view, OAuth could be the way to improve their experience
> across different applications with an enhanced privacy and security control
> in a simple and standard method from desktop and web applications. The
> protocol was initially developed by the oauth.net community and now is
> under
> IETF standardization process.
>
> The main idea behind OAuth is represented by the token concept. Each token
> grants access to a site, for a specific resource (or a group of resources),
> and for a precise time-interval. The user is only required to authenticate
> with the Provider of their original account, after which that entity
> provides a re-usable token to the Consumer who can use it to access
> resources at the Provider, on the user's behalf.
>
> Moreover, the total transparency to the user, that is completely unaware of
> using the protocol, represents one of the main valuable characteristics of
> the specification.
>
> Apache Amber community aims not just to create a simple low-level library,
> but rather to provide a complete OAuth framework easy to use with Java
> code,
> on top of which users can build new-generation killer applications.
>
> There are currently three implementation efforts going on in ASF for OAuth
> v1. A stable implementation of OAuth v1 is present in Apache Shindig, but
> it
> is not actively developed and not shared with other projects. A Lab having
> Simone Tripodi as its PI is working on an implementation for an OAuth
> library that could be used by other products. Zhihong Zhang wrote an OAuth
> plugin for JMeter.
>
> At the same time, on the IETF OAuth v2 mailing list, other people expressed
> interest for a Java API and implementation, among them two Apache
> committers
> and one active contributor.
>
> Outside the ASF there are three known Java OAuth 1.0/1.0a libraries
>
>  * The oauth.net reference implementation by John Kristian, Praveen
> Alavilli
> and Dirk Balfanz.
>  * OAuth SignPost - a simple OAuth message signing client for Java and
> Apache HttpComponents by Matthias Kaeppler.
>  * OAuth Scribe - a simple OAuth client by Pablo Fernandez.
>  * asmx-oauth (on google code) - a complete open source OAuth 1.0 Consumer
> and Service Provider implementation provided by Asemantics Srl (Simone
> Tripodi was involved).
>
> == Rationale ==
> The key role played by the OAuth specification, within the overall Open
> Stack technologies, jointly with its high degree of adoption and maturity,
> strongly suggest having an Apache-led incubator for suitable reference
> implementation. Furthermore, the OAuth specification is currently gaining
> value due to its involvement in a standardization process within the IETF,
> as the actual internet draft. Having the Apache Amber as an Apache
> Incubator
> could be an opportunity to enforce the actual Apache projects that already
> reference other IETF specifications.
>
> Moreover, other Apache Projects, such as Abdera, Shindig and Wink, are
> currently supporting the OAuth protocol, so having the OAuth Apache
> reference implementation should benefit not only the project and the
> related
> community itself, but also existing and active Apache projects. Combining
> efforts from existing Apache projects is a logical step.
>
> Providing an Apache licensed library will make it easier for other Apache
> projects to integrate OAuth, like, for example:
>
>  * It could be the foundation framework for Consumer developers;
>  * It could be the foundation Framework for Service Provider developers;
>  * It could be integrated into Apache Shindig;
>  * It could be integrated into Apache Abdera;
>  * It could be integrated into Apache Wink;
>  * It could be integrated into Spring Security;
>  * It could be integrated with JAAS (and be deployed in Tomcat-based
> Servlet
> Containers);
>  * It could be integrated into Jakarta JMeter;
>  * Apache Wookie (incubating) expressed interest in an OAuth
> implementation;
>  * Most importantly, it could be a backend for dozens of useful new
> innovative projects that no-one has envisioned yet.
>
> = Current Status =
> Code in the [[http://svn.apache.org/viewvc/labs/amber|Amber Lab]] and in
> Apache Shindig is already licensed to the ASF. More contributions of code
> and ideas are expected from initial committers, so an implementation of
> OAuth v1 should be reached quickly, and act as a base for an OAuth v2 API
> and implementation.
>
> == Meritocracy ==
> As a majority of the initial project members are existing ASF committers,
> we
> recognize the desirability of running the project as a meritocracy.  We are
> eager to engage other members of the community and operate to the standard
> of meritocracy that Apache emphasizes; we believe this is the most
> effective
> method of growing our community and enabling widespread adoption.
>
> == Community ==
> The amount of interest in the OAuth protocol from enterprises, social
> networks and individual developers suggests a strong community will develop
> once the framework to support one is laid.
>
> == Core Developers ==
>  * Simone Gianni <simoneg at apache dot org> (Semeru)
>  * Simone Tripodi <simonetripodi at apache dot org> (Sourcesense)
>  * Stuart "Pid" Williams <pid at pidster dot com> (Clubtickets.com)
>  * David Recordon <recordond at apache dot org> (Facebook)
>  * Tommaso Teofili <tommaso at apache dot org> (Sourcesense)
>
> == Alignment ==
> The purpose of the project is to develop an implementation of OAuth v1 and
> OAuth v2 that can be used by other Apache projects.
>
> = Known Risks =
> == Orphaned Products ==
> Being OAuth a standard receiving a lot of interest, and being v2 an ongoing
> work in IETF, we believe there is minimal risk of this work becoming
> non-strategic and the contributors are confident that a larger community
> will form within the project in a relatively short space of time.
>
> == Inexperience with Open Source ==
> All of the committers have experience working in one or more open source
> projects inside and outside ASF.
>
> == Homogeneous Developers ==
> The list of initial committers are geographically distributed across the
> U.S. and Europe with no one company being associated with a majority of the
> developers.  Many of these initial developers are experienced Apache
> committers already and all are experienced with working in distributed
> development communities.
>
> == Reliance on Salaried Developers ==
> To the best of our knowledge, none of the initial committers are being paid
> to develop code for this project.
>
> == Relationships with Other Apache Products ==
> A number of existing ASF projects could benefit from an OAuth
> implementation, including Apache Shindig, Apache Abdera, Apache Wink,
> Jmeter
> which are already using partial and non standardized OAuth implementations.
> Basically any other server-side framework or application could benefit by
> using Amber. It is hoped that members of those projects will be interested
> in contributing to and adopting this implementation.
>
> == An Excessive Fascination with the Apache Brand ==
> Amber fits naturally in the ASF because :
>
>  * It is an implementation of an open standard
>  * It is a server component on which many other projects can depend
>
> = Documentation =
> [1] More information about OAuth can be found here:<<BR>>
> http://www.oauth.net/
>
> [2] The IETF discussion about the emerging OAuth v2.0 specification is
> occurring on this mailing list<<BR>> oa...@ietf.org
>
> = Initial Source =
> The initial source comprises code developed inside Apache Labs, other Apache
> projects and contributed under the CLA.
>
> = Source and Intellectual Property Submission Plan =
> Source code will be moved from SVN space of Apache Labs, Apache Shindig and
> other appropriately licensed sources inside the SVN space of the podling.
>
> = External Dependencies =
> None known
>
> = Cryptography =
> The project will use cryptographic utilities available as standard in Java
> 6.
>
> = Required Resources =
>  * Mailing lists
>  * amber-private (with moderated subscriptions)
>  * amber-dev
>  * amber-user
>  * amber-commits
>  * Subversion directory
>  * https://svn.apache.org/repos/asf/incubator/amber
>  * Website
>  * Confluence (AMBER)
>  * Issue Tracking
>  * JIRA (AMBER)
>
> = Initial Committers =
> Names of initial committers with affiliation and current ASF status:
>
>  * Simone Gianni <simoneg at apache dot org> (Semeru)
>  * Simone Tripodi <simonetripodi at apache dot org> (Sourcesense)
>  * Stuart "Pid" Williams <pid at pidster dot com> (Clubtickets.com) (CLA
> filed)
>  * David Recordon <recordond at apache dot org> (Facebook)
>  * Tommaso Teofili <tommaso at apache dot org> (Sourcesense)
>  * Paul Lindner <lindner at inuus dot com> (LinkedIn)
>  * Pablo Fernandez <fernandezpablo85 at gmail dot com> (LinkedIn)
>
> = Sponsors =
> == Champion ==
>  * Brian McCallister <brianm at apache dot org>
>
> == Nominated Mentors ==
>  * Henning Schmiedehausen <henning at apache dot org>
>  * Jean-Frederic Clere <jfclere at gmail dot com>
>  * Gianugo Rabellino <gianugo at apache dot org>
>  * David Jencks <djencks at apache dot org> (Waiting on IPMC)
>
> == Sponsoring Entity ==
>  * Shindig PMC - Confirmed Apr 29, 2010
>
> = Other interested people =
>  * Saleem Shafi <mshafi at paypal dot com>
>  * Chirag Shah (Apache Shindig Committer)
>  * Greg Brail <gbrail at sonoasystems dot com>
>
