OAuth 2.0 Provider

Ryan Hinton

Jun 11, 2015, 6:23:46 PM
to lu...@googlegroups.com
Hello,

This is a general inquiry for CFML Developers.  I figured I would ask here since this is one of the only main groups I know for CFML Developers.  My apologies if this might be too off topic.

Lately, I have been reading about OAuth 2.0 in an effort to create the OAuth 2.0 Provider side.  However, I am either not looking in the right places on the internet or there is simply not much out there for CFML developers to implement the OAuth 2.0 Provider portion.  Everything I am finding related to OAuth 2.0 and CFML is designed for the Client side and I find one Provider in CFML written for OAuth 1.0 in RIAForge.

Would any of you happen to have or can refer to shareable code or references to lead me in the right direction for creating the OAuth 2.0 to implement as a Provider?  Essentially, I need to create the OAuth server for Clients to connect to us.

Thank you for any assistance!
Ryan Hinton

Jordan Michaels

Jun 11, 2015, 6:58:49 PM
to lu...@googlegroups.com
A while back when looking at OAuth implementations for a project I invested in, I briefly considered writing a CFML port of Apache OLTU (https://oltu.apache.org/) to create an OAuth2 server. However, if you look deeply at OAuth 2, there's really very very little in the way of specifics when it comes to actually implementing an OAuth 2 API. (And it's not just me who says this). If you look at specific OAuth2 services available out there, they're all pretty unique in their implementations. OAuth2 is less of a specification, and more of a loose set of guidelines IMHO.

Even though Harry Klein's OAuth library was designed for Oauth 1.0, the guidelines for OAuth 2 are so loose I believe it's possible to create an OAuth 2 compatible server using it as well:
http://oauth.riaforge.org/

Some interesting drama with regards to the OAuth 2 specification:
http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/

For Oauth 2.0 clients, I found the Scribe project, written in Java, to be pretty flexible:
https://github.com/fernandezpablo85/scribe-java/

Again, I considered porting it to CFML, but I found that Joel Hill had already started to create a port, so I teamed up with him and fleshed out a fully realized Twitter API using scribe:
https://github.com/JoelHill/cfScribe

That was pretty fun to play with for a bit. =) I intended to create Facebook and Google API's using scribe as well, but I ran out of time playing with the Twitter API, so the Google and Facebook implementations have been moved to the "some day" folder...

Anyway... hope this helps.

-Jordan

Ryan Hinton

Jun 12, 2015, 9:25:38 AM
to lu...@googlegroups.com
Thank you for your feedback, Jordan.


It's slightly upsetting to see so many providers in what looks like almost every language but ours. lol I will look into Harry Klein's OAuth 1.0 version to see how much it would take to convert.  I have a time constraint on this, so it may not be doable, I hope it might be easy and quick enough to do. 

I have read that OAuth 1.0 is not as secure as OAuth 2.0.  Is this really true, especially if we are passing information via SSL?  What would truly be the downside of using the OAuth 1.0 version of Harry Klein's versus using OAuth 2.0? 

Thank you for any feedback.
Ryan Hinton

Jordan Michaels

Jun 12, 2015, 2:55:50 PM
to lu...@googlegroups.com
Hi Ryan,

I hear you about the language support bro; hence why I was considering writing a port.

> I have read that OAuth 1.0 is not as secure as OAuth 2.0.

I would say the opposite is true. OAuth 2.0 is LESS secure than OAuth 1.0. In 1.0, you effectively have two layers of encryption. When you build the token in 1.0, you encrypt the token itself as part of the process, then when you send it over SSL, you encrypt it again. With 2.0, you don't encrypt the token at all, and rely exclusively on SSL to provide the encryption. As a server administrator, I can see why large companies would want this. Encryption requires CPU overhead to encrypt and decrypt. If you have two layers of encryption, you're requiring double the amount of CPU to process a request. If you're Facebook, Twitter, or Google, the OAuth 2.0 spec would be far more appealing because it requires half the amount of CPU to process the millions of requests you receive every minute. This results in far less hardware, heat, and facilities required to serve the same number of visitors. That is almost certainly why the large companies involved in OAuth pushed for relaxed security in the 2.0 spec.

If you haven't yet, I'd recommend reading this:
http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/

"When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure."

If nothing else, it's some history that explains why things are the way they are with OAuth 2.0.
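
Added example, not part of any post in this thread and not code from the libraries mentioned: the provider-side check for each version being compared, in Python. OAuth 1.0 (RFC 5849) verifies an HMAC-SHA1 signature computed over the request with shared secrets, while an OAuth 2.0 bearer token (RFC 6750) is presented as-is and depends on TLS in transit. Function names, the sample URL, keys and the token store are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is percent-encoded
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Assumption: url is already normalized and carries no query string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with both shared secrets; the secrets never travel with the request
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify_oauth1(method, url, params, consumer_secret, token_secret, seen_nonces):
    replay_key = tuple(params.get(k) for k in
                       ("oauth_consumer_key", "oauth_timestamp", "oauth_nonce"))
    if replay_key in seen_nonces:
        return False  # same key, timestamp and nonce seen before: replayed request
    expected = sign(method, url, params, consumer_secret, token_secret)
    supplied = str(params.get("oauth_signature", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # any change to method, URL or parameters changes the signature
    seen_nonces.add(replay_key)
    return True

def verify_bearer(authorization_header, issued_tokens, now):
    # RFC 6750: the token itself is the credential; whoever holds it can use it
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    # The store is keyed by SHA-256 of the token so raw tokens are not kept at rest
    record = issued_tokens.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["expires_at"] <= now:
        return None
    return record["scope"]

# Constructed sample request and token store (not real credentials)
SAMPLE_URL = "https://api.example.test/photos"
SAMPLE_PARAMS = {"oauth_consumer_key": "ck", "oauth_nonce": "n1",
                 "oauth_timestamp": "1434130000",
                 "oauth_signature_method": "HMAC-SHA1", "size": "original file"}
SAMPLE_TOKENS = {hashlib.sha256(b"constructed-token").hexdigest():
                 {"scope": "read", "expires_at": 2000}}
```

A production provider would also reject stale `oauth_timestamp` values and expire stored nonces; both are left out here.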

Ryan Hinton

Jun 12, 2015, 4:06:15 PM
to lu...@googlegroups.com
Excellent information about my digesting of misinformation!
I would just like to kick some bad posts in the teeth!  lol

Thank you, Jordan.  :-)

Michael Offner

Jun 13, 2015, 2:11:47 AM
to lu...@googlegroups.com
My approach on this would be to adapt a Java solution and integrate that in CFML, maybe as a gateway...

Micha

Ryan Hinton

Jun 13, 2015, 8:35:26 AM
to lu...@googlegroups.com

Hi Michael, we are currently implementing a Java version. We are looking between OLTU and CXF, both by Apache.

Let's hope for the best! :-)


Christopher Dawes

Sep 7, 2015, 1:13:21 AM
to Lucee
will this be coming soon in lucee 4.x or 5.x??


Stéphane MERLE

Oct 19, 2015, 8:36:19 AM
to Lucee
Hi,

I am setting up a Lucee API and was looking for an OAuth 2.0 to secure the calls but find nowhere any tutorial or library ....
Reading this thread I still don't get where to start from ...

I am quite new to these OAuth things, and just need to "secure" calls to my app ....

Can you provide any help or at least point me to a simple way to use a Java tool?

Thanks !!!

Stéphane

Risto

Oct 19, 2015, 12:06:45 PM
to Lucee
Well Ryan started this thread as a general CFML question not Lucee specific,
so just use ColdFusion - https://www.adobe.com/devnet/coldfusion/articles/social-integration.html

Stéphane MERLE

Oct 19, 2015, 12:55:54 PM
to lu...@googlegroups.com
I think I did not explain my objective correctly .... I don't want to use 3rd party tokens but to provide my own tokens as an OAuth service, after which people will use those tokens in my Lucee API ...


Robert Munn

Oct 19, 2015, 3:15:59 PM
to lu...@googlegroups.com
I think you and Ryan are in the same position. See his note:

— Hi Michael, we are currently implementing a Java version. We are looking between OLTU and CXF, both by Apache.

That is for an OAuth 2.0 provider (server) which would generate its own auth tokens, so if you were running it, other applications could authenticate users through your service.


Harry Klein

Oct 20, 2015, 3:48:11 AM
to lu...@googlegroups.com

Hi Stephane,

Please check my old project:
http://oauth.riaforge.org/

It includes server and client components and samples, but is based on the Core 1.0 specification.
So you would have to update the library to OAuth 2.

-Harry