Are there plans to implement any of the new OAuth 2.0 RFCs? #533
Comments
I'm looking into RFC 7523 (and transitively 7521) as this allows for JWT tokens to be exchanged for new ones and might fit a use case I'm working on, where backend resource servers can get new tokens for contacting further backend services by using the token they receive in the request, thereby continuing to propagate the user's identity. Did you have specific use cases around the use of these new standards? |
I would also like to know if there are any plans regarding support for new OAuth2 RFCs. In particular, I would be very interested in support for RFC 7522 to allow exchange of SAML assertions for OAuth2 access tokens. |
Same for me wrt. RFC 7522. |
+1 for RFC 7522. It would be really nice if there was integration with Spring Security SAML. |
It's been 6 months since I first posted this issue but there has been no response from Pivotal. Does this mean Pivotal does not have a response or does your silence indicate the life of spring-security-oauth support from Pivotal has run its full course and only user submitted solutions are available? |
@dfcoffin: there was a response from Will at the end of December, still a while ago, so I apologise, but nothing like as long as 6 months. We have just hired someone to look after this project, so hopefully the log jam will unjam soon. |
@dsyer Thanks for the update. @william-tran I am particularly interested in RFC 7009, RFC 7591, RFC 7592 as I have a requirement to support these in the next upgrade for openESPI (https://github.com/energyos/OpenESPI-Common-java, https://github.com/energyos/OpenESPI-DataCustodian-java, and https://github.com/energyos/OpenESPI-ThirdParty-java) which implements the government's "Green Button Initiative" based on the North American Energy Standards Board (NAESB) REQ.21 which is used by the energy industry to provide customers with energy usage in a human-readable and computer-friendly manner. |
Hi, Please somebody respond if Spring framework adheres to RFC 6749 and RFC 6750. Thanks, Shailendra |
Yes, AFAIK those are not new RFCs. They are precisely the core OAuth2 spec that is implemented here. Please keep the noise down on this issue and keep it focused on new specs. If you have a question about the core specs ask it somewhere else. |
Any hope on 7009? If I implement it on a fork, will my pull request be accepted? |
@dsyer @rwinch @william-tran Any update on the projected time frame for supporting RFC 7009, RFC 7591 and RFC 7592? |
Work hasn't even started on 2.1.0, so there are no dates in anyone's plans, but we have some people working on this project now at least. If people were to contribute code it would be a good thing. |
@william-tran Any progress on RFC7523? |
This spec may take the place of RFC-7523: https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07, and while there's no planned work to support either spec, I would hope that the new version of Spring Security OAuth will allow for extensibility of AccessTokenProviders like the current version.
|
MAY, but for now, RFC-7523 is used. Also what's with RFC-7009? |
So are there any WIP implementations or just plans for these OAuth 2.0 specs now? |
Hello @dsyer @rwinch @william-tran, are there any examples on how to use JWT Profiles using Spring? (RFC-7523) or https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07 Any pointers in that direction will be great. |
@myspri JWT Profile or Token Exchange has not been implemented within the framework. We are also limiting new features and only providing bug fixes and minor enhancements. Our efforts are heavily focused in the new OAuth 2.0 / OpenID Connect 1.0 support coming in Spring Security 5.0. |
Thanks @jgrandja for the quick feedback. Sorry, this may not be the right location to post this, but any guidance on this topic is extremely valuable. |
@jgrandja, thank you so much! |
@myspri There are quite a few other higher priority items that need to be completed first. I don't have a timeline on when this feature will be added but not for at least a couple of months. I'm not sure it will get into 5.0 as Nov is fast approaching and there is quite a bit of work left to do. |
Okay, thanks. |
+1 for RFC 7522 and RFC 7523 - UAA supports these from the Authorization Server side for Cloud Foundry, and client-side support would enable app developers to begin consuming these flows. |
@tnwang We will consider implementing RFC 7522 and RFC 7523 in Spring Security 5.x. Would you like to log an issue in the Spring Security repo for these? |
Sure, opened spring-projects/spring-security#4906 |
@jgrandja what about RFC7009, are there any plans/ticket to track it or it has been discarded/not yet considered? |
@iagotomas Thanks for the heads up! I added spring-security/6133 |
Any update on RFC 7522 (OAuth 2.0 SAML Bearer Assertion Flow)? |
Are there plans for Pivotal to implement any of the following IETF RFCs:
Authentication and Authorization Grants
Authorization Grants
I realize the IETF status of the above is "Proposed Standard" or "Experimental" but so are the following IETF standards, which are currently supported by Spring Security OAuth:
If Pivotal does not plan to implement any of the new OAuth 2.0 RFCs, what is your recommendation for having support for the new OAuth 2.0 RFCs added to the Spring Security OAuth framework?