oltu-user mailing list archives

From Antonio Sanso <asa...@adobe.com>
Subject Fwd: Validation Access Token Oltu (Oauth 2.0) Framework
Date Fri, 18 Mar 2016 13:12:08 GMT

Begin forwarded message:

From: Antonio Bosco <boscus.now@gmail.com>
Subject: Validation Access Token Oltu (Oauth 2.0) Framework
Date: March 17, 2016 at 11:37:38 AM GMT+1
To: asanso@apache.org

Hi, I’m Antonio,
first of all, thanks for the work you have done on the Oltu Framework. I just have some questions
about the features provided by the framework, and I’d appreciate your help.

I need to create a system login, implementing OAuth 2.0, and I chose to use your framework.
In my system login, I need my own Authorization server, token endpoint and resource owner,
and my resource owner should validate my user credentials. Furthermore, I need to integrate
my system login with other login systems provided by the social companies (e.g. Facebook,
Google…) implementing OAuth 2.0.

That said, I will list my questions:

1) When I create my “resource owner” that validates my user credentials, what type of
grant should I pass to the “Authorization server” and the “Token Endpoint”? I mean,
in the “Authorization Server” example there is a line of code in which it is written:


What do they mean? Does this line of code get the grant from the resource owner to validate the
user? Or if not, what does it mean?
And about “Token Endpoint”, what do these lines of code do?

String authzCode = oauthRequest.getCode();

That said, if none of the previous lines of code validate the grant passed by the “resource
owner” after the user has entered his credentials, where should I validate it?

2) This question is about the “resource server”:
there is a comment (reported below), where it says to validate “access token”.

// Get the access token
String accessToken = oauthRequest.getAccessToken();
//... validate access token

How should I validate this? I mean, assuming I could have different types of access tokens
related to my own login system, and social ones like Google, Facebook and so on, how may I
discriminate between them and validate them?
My major interest is to understand how to retrieve the access token of my own system to validate
the one passed by the client. Are there any methods in your framework that are made to do this?
Or should I just write it from scratch?

3) The third question is about the “Client Quickstart”. If I need to make an Oltu request
to my login system, what should I insert as client Id?
How should I generate it? In a social login I will use the one provided by the company in
the developer tools. For my own system, how should I do?

My questions are terminated.
Thanks for your support in advance,
best regards,
Antonio B.

PS: I noticed your name is like mine, so I suppose you are Italian like me. If so, feel
free to reply back in Italian.

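The “//... validate access token” step the message asks about is left to the application by Oltu: the framework parses the request and hands back the token string, and nothing in the framework knows which tokens your authorization server issued. The following self-contained Java class is an added example, not Oltu code and not code from the original mail. It shows one common way to fill that gap: the authorization server records every opaque token it issues (question 1 and 2), and the resource server accepts a presented token only if it finds it in that record and it has not expired. The class, method and field names (TokenStore, issue, validate, newClientId) are assumptions chosen for this example; the entry that stores tokens keyed by their SHA-256 so a leaked store does not yield usable bearer tokens is a design choice, not an Oltu convention.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (hypothetical names, not part of Oltu): the record an
 * authorization server writes when it issues an opaque access token, and the
 * lookup a resource server performs where Oltu's sample says
 * "//... validate access token".
 */
public class TokenStore {

    /** What the authorization server knows about one issued token. */
    public static final class TokenRecord {
        public final String subject;   // resource owner the token was issued for
        public final String clientId;  // client the token was issued to
        public final Instant expiresAt;

        TokenRecord(String subject, String clientId, Instant expiresAt) {
            this.subject = subject;
            this.clientId = clientId;
            this.expiresAt = expiresAt;
        }
    }

    private static final SecureRandom RANDOM = new SecureRandom();

    // Keyed by SHA-256(token): a dump of this map does not contain usable tokens,
    // and the map lookup compares digests, not the secret itself.
    private final Map<String, TokenRecord> byHash = new ConcurrentHashMap<>();

    /** Authorization server side: mint a 256-bit random opaque token and remember it. */
    public String issue(String subject, String clientId, Duration ttl) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(sha256(token), new TokenRecord(subject, clientId, Instant.now().plus(ttl)));
        return token;
    }

    /**
     * Resource server side: the string Oltu's getAccessToken() returned is valid
     * only if this server issued it and it has not expired. Tokens minted by a
     * social provider are unknown here and are rejected.
     */
    public Optional<TokenRecord> validate(String presented) {
        if (presented == null || presented.isEmpty()) {
            return Optional.empty();
        }
        String key = sha256(presented);
        TokenRecord rec = byHash.get(key);
        if (rec == null) {
            return Optional.empty();
        }
        if (Instant.now().isAfter(rec.expiresAt)) {
            byHash.remove(key); // expired: forget it so it cannot be replayed later
            return Optional.empty();
        }
        return Optional.of(rec);
    }

    /** Revocation: the resource server must stop accepting the token immediately. */
    public void revoke(String token) {
        byHash.remove(sha256(token));
    }

    /** Question 3: a client_id for a client you register with your own server is just a unique, unguessable identifier. */
    public static String newClientId() {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    private static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the Java platform", e);
        }
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore();
        String clientId = newClientId();
        String ownToken = store.issue("alice", clientId, Duration.ofMinutes(10));

        System.out.println("own token accepted: " + store.validate(ownToken).isPresent());
        System.out.println("unknown token accepted: " + store.validate("token-from-somewhere-else").isPresent());

        store.revoke(ownToken);
        System.out.println("revoked token accepted: " + store.validate(ownToken).isPresent());
    }
}
```

This also answers the “how do I discriminate” part of question 2 by design rather than by inspecting the token: a resource server protected by your own authorization server should accept only tokens that server issued. An access token obtained from Google or Facebook authorizes calls to that provider’s APIs, not to your resource server; the usual pattern for social login is for your authorization server to verify the social identity during the authorization step and then issue one of its own tokens, so the resource server only ever has one issuer to trust. For the client_id in question 3, uniqueness and unguessability are what matter; the client_secret is a separate value, and for a confidential client it should be stored hashed the same way the tokens are above.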