Does OAuth 2.0 makes sense for our project

Hello Java Ranchers

I am working on a financial project in which we have the following components:

1. Web services that we expose.
2. Consumers of these web services, which provide the UI to end users.

We are currently using OAuth 2.0, but after reading about OAuth 2.0, I feel that we do not actually require it in our case, for the following reasons:

1. Since our APIs are not exposed to the public (like Facebook's and Twitter's) and are only meant for the consumers we will build, we can just have a CLIENT_ID and CLIENT_SECRET embedded in the UI component (server side), which will suffice for security.

2. We can restrict our APIs to be accessible only when the request carries the CLIENT_ID and CLIENT_SECRET.


Suggestions !!!

Thanks and Warm Regards
Sangel Kapoor (Ranch Hand)
Also, how do we ensure that a user is accessing only their own resources and not someone else's? What is the standard way of solving this issue?
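The two questions raised so far (whether a client id and secret embedded in the server-side UI are enough, and how the API makes sure a user only reaches their own resources) can be shown in one small request handler. This is an added example, not code from the thread or from the project being discussed, and it is in Python rather than the project's Java because the point is language-neutral. The header names X-Client-Id and X-Client-Secret, the token table the UI forwards, and the account data are all assumptions constructed for the example.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data for this example; none of it comes from the thread.
# A client secret identifies the *application* (the server-side UI tier)
# calling the API. It says nothing about which end user is behind that call.
CLIENT_SECRETS = {"ui-frontend": "s3cr3t-for-ui-tier"}

# Per-user tokens the API handed to the UI after each user logged in
# (assumed mechanism; a real deployment would issue random or signed tokens).
USER_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

# Every resource records its owner; the ownership check below is what keeps
# a logged-in user from reading someone else's account.
ACCOUNTS = {
    "acc-100": {"owner": "alice", "balance": 1250},
    "acc-200": {"owner": "bob", "balance": 80},
}


@dataclass
class Response:
    status: int
    body: dict


def authenticate_client(headers):
    """Return the client_id when the request carries a valid client secret, else None.

    The header names X-Client-Id / X-Client-Secret are an assumption for this example.
    """
    client_id = headers.get("X-Client-Id")
    presented = headers.get("X-Client-Secret", "")
    expected = CLIENT_SECRETS.get(client_id)
    if expected is None:
        return None
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    return client_id


def authenticate_user(headers):
    """Map the per-user token the UI forwards (Authorization: Bearer ...) to a user id."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return USER_TOKENS.get(token)


def get_account(headers, account_id):
    """Handle GET /accounts/{account_id}: client auth, then user auth, then ownership."""
    if authenticate_client(headers) is None:
        return Response(401, {"error": "unknown client or bad client secret"})
    user = authenticate_user(headers)
    if user is None:
        # Valid client secret, but no user identity: the API must not guess.
        return Response(401, {"error": "no authenticated user"})
    account = ACCOUNTS.get(account_id)
    if account is None:
        return Response(404, {"error": "no such account"})
    if account["owner"] != user:
        # Object-level authorization: the caller is authenticated but is not the owner.
        # Answering 404 here instead of 403 would also avoid confirming the id exists.
        return Response(403, {"error": "not your account"})
    return Response(200, {"account": account_id, "balance": account["balance"]})


def demo():
    """Run the three cases the thread cares about and return their status codes."""
    client = {"X-Client-Id": "ui-frontend", "X-Client-Secret": "s3cr3t-for-ui-tier"}
    alice = dict(client, Authorization="Bearer tok-alice")
    return [
        get_account(client, "acc-100").status,  # client secret only -> 401
        get_account(alice, "acc-100").status,   # own account -> 200
        get_account(alice, "acc-200").status,   # Bob's account -> 403
    ]


if __name__ == "__main__":
    print(demo())
```

The client secret only proves which application is calling; the user's identity has to arrive separately, and the owner comparison on every request is the object-level authorization check the second post asks about. Whatever carries the user identity (a token as here, or a per-user credential) must be something the API can verify, not a user id the UI simply asserts.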
Ranch Hand (Posts: 112)
I am not aware of any standard way to approach this issue. I am in a similar situation, though. The approach I took was to use HTTP Basic through TLS, which is about as easy and simple as it gets. As I develop a security authorization model for my client, I might use Spring's OAuth 2 framework if it makes getting a list of GrantedAuthority objects easier than writing my own security infrastructure.


Here is an interesting rule from the www.securecoding.cert.org website on OAuth: MSC10-J. Do not use OAuth 2.0 implicit grant (unmodified) for authentication
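The reply above settles on HTTP Basic over TLS. As an added example (not the poster's code, and not Spring), here is the server-side half of that in Python: parsing the Authorization header, checking the password against a salted PBKDF2 hash in constant time, and spending the same hashing time on unknown users so the response time does not reveal which user names exist. The user names, passwords and the USERS store are constructed for the example. TLS is assumed to be in place: Basic only base64-encodes the credentials, so without TLS they travel in the clear.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as far as the login latency budget allows.
PBKDF2_ITERATIONS = 200_000


def make_password_record(password, salt=None):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user store for this example (names and passwords are made up).
USERS = {
    "alice": make_password_record("correct horse battery staple"),
    "bob": make_password_record("hunter2"),
}

# Dummy record used for unknown users so the failure path costs the same time.
_DUMMY = make_password_record("not-a-real-password", salt=b"\x00" * 16)


def basic_header(user, password):
    """Build the Authorization value a client sends: 'Basic ' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header_value):
    """Split 'Basic <base64>' into (user, password); None for anything malformed."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: the user id may not contain a colon; everything after the first one is the password.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def verify_user(header_value):
    """Return the user name if the Basic credentials are valid, else None."""
    parsed = parse_basic_auth(header_value)
    if parsed is None:
        return None
    user, password = parsed
    record = USERS.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    # Constant-time compare, and only accept a user that actually exists.
    if user in USERS and hmac.compare_digest(candidate, record["hash"]):
        return user
    return None


if __name__ == "__main__":
    print(verify_user(basic_header("alice", "correct horse battery staple")))  # alice
    print(verify_user(basic_header("alice", "wrong")))                         # None
```

Once verify_user has produced a user name, that name is what the per-request ownership check compares against the resource owner; Basic over TLS answers "who is calling", not "what may they see".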