B4J Question OAuth2 Authorization Server in B4J

[avalle]

I need to implement an OAuth2 Authorization Server in B4J but I only seem to find threads on client implementations (e.g. B4J which authenticate to public OAuth services like Google or Facebook).

Is there anyone who has done or tried this already and want to share some ideas, starting points, code snippets?

Thanks
Andrea

 

[davidvidasoft]

Why are you thinking of implementing it in the server-side?

 

[avalle]

I'm implementing a REST API webservice and I need to implement the authorization server to provide OAuth 2.0 authorization to calling clients.
More or less like any public API which is using OAuth for authorization.
As I'm developing the REST API with B4J I'd like the authorization server to be developed with it as well.

https://github.com/authlete/java-oauth-server is a good example, but I have no experience of converting a Java project to a library for B4J.

 

[keirS]

Unless you have some really specific requirements I would use a third party provider like Auth0

 

[OliverA]

https://github.com/authlete/java-oauth-server is a good example

I don't think that is what you think it is. It still uses 3rd party (authlete) for the database backend.
Quoted from that link:

This implementation is DB-less. What this means is that you don't have to have a database server that stores authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications. This is achieved by using Authlete as a backend service.

Authlete is a cloud service that provides an implementation of OAuth 2.0 & OpenID Connect (overview). You can easily get the functionalities of OAuth 2.0 and OpenID Connect either by using the default implementation provided by Authlete or by implementing your own authorization server using Authlete Web APIs as this implementation (java-oauth-server) does.

See this post for the Apache project that my be more in line in what you are trying to do. (https://stackoverflow.com/a/17004631)

Update: Security is hard...

 

[Erel]

Not sure that I understand. Do you want to access your own account or the clients accounts?

 

[avalle]

@Erel The link provided by OliverA explains exactly what I need. I'm providing a web service with REST API written in B4J and I need to implement an OAuth 2.0 authorization server to grant users an access token to perform their API calls to my service.

@OliverA is correct, Apache Amber (Oltu) seems like the right project I need.
However I need guidance or help to port it to B4J.

 

[keirS]

@Erel The link provided by OliverA explains exactly what I need. I'm providing a web service with REST API written in B4J and I need to implement an OAuth 2.0 authorization server to grant users an access token to perform their API calls to my service.[

Why do you need to use OAuth 2? You could use API Keys and HMAC for authentication. This will be far simpler to do in B4J then implementing OAuth 2.

 

[avalle]

Well, mainly for 2 reasons:

• The requirement is that to be designed for human authorization. OAuth does that, while API Keys are more suitable for machine authorization.
• It's a standard implementation, so the client will know what they need to do, and may use existing code/libraries on their side.

 

[keirS]

Well, mainly for 2 reasons:

• The requirement is that to be designed for human authorization. OAuth does that, while API Keys are more suitable for machine authorization.
• It's a standard implementation, so the client will know what they need to do, and may use existing code/libraries on their side.

Got you. From you description of what you wanted it seemed be server to server authentication or application to server authentication rather than user authentication. I would still recommend using a third party provider. I use Auth0 which is free for up to 7,000 users.

 

[avalle]

Thanks keirS.

It's an application to service scenario with human beings driving the authorization process.
I wanted to explore BJ4 also for educational purpose (I've learned a lot while implementing the web service itself) but will look into Auth0.