
Antonio Sanso (11) [Avatar] Offline
#1
Welcome, OAuth 2 in Action readers! We’re very excited about this book, and look forward to hearing from you about it. We will be more than glad to help you out should you have any question about the book, and about OAuth in general. We would like to also thank you in advance for helping us find mistakes in the book, and generally making it better for all readers.

Feel free to also use this space to discuss the code exercises, which are available in GitHub (https://github.com/oauthinaction/oauth-in-action-code).

Kind regards and happy reading,

Antonio and Justin
Anonymous (122) [Avatar]
#2
Can you talk a bit about your choice/concept of software stack for the book? From the GitHub repository, it looks like you're using JavaScript on the server and client side (including iOS via Cordova). Is this because you plan to teach the concepts more than the code in any specific language? Will you be discussing libraries like Doorkeeper, OmniAuth (on the Rack/Rails side), etc?
Anonymous (122) [Avatar]
#3
Anonymous wrote:Can you talk a bit about your choice/concept of software stack for the book? From the GitHub repository, it looks like you're using JavaScript on the server and client side (including iOS via Cordova). Is this because you plan to teach the concepts more than the code in any specific language? Will you be discussing libraries like Doorkeeper, OmniAuth (on the Rack/Rails side), etc?


Same question but: Is there going to be Java on the server side?

Thx
Anonymous (122) [Avatar]
#4
Hi, this is a really good question. And you got the point.
We indeed used Node.js and Express because it is really easy to set up and follow the examples. We indeed want to focus on OAuth 2.0 per se and not stick to any framework and/or language.
All concepts in the examples should be readily portable to other platforms and application frameworks (e.g. Doorkeeper, OmniAuth).
stephenc (22) [Avatar] Offline
#6
Thanks. Also decloaking my anonymity with my follow-up.

Then I'd like an appendix detailing frameworks for different languages with their advantages and disadvantages. For example, in Doorkeeper, the user either accepts or doesn't accept a strategy when redirected to the server (if given the option at all). I don't know if that's something from OAuth 2 or Doorkeeper's simplified approach to OAuth 2 that may theoretically allow one to choose from multiple strategies: (1) share my name and email; (2) share my email only; (3) share email and let them post as me; etc. Even just an Appendix that lists what's out there might be useful.

Also an Appendix on other resources out there including conference videos and Github repositories. I recently came across a fantastic talk at RailsConf 2014 by Jeremy Green entitled Service Oriented Authentication on how to build a full stack OAuth 2 solution including a client gem. I would like a one-stop shop for finding resources like that and others that I might have missed. Being a MEAP book, it's the kind of thing readers can contribute to during its writing.
Anonymous (122) [Avatar]
#7
Pardon my ignorance, but I didn't see OpenID mentioned, and looking at sites such as https://developers.google.com/identity/protocols/OpenIDConnect leaves me, and I'm sure many others, puzzled about the relation between OAuth 2.0 and OpenID. Is there a mention of OpenID, and perhaps other related standards, too?
Antonio Sanso (11) [Avatar] Offline
#8
Hi, about OpenID Connect (http://openid.net/connect/):

we cover the topic quite extensively in Chapter 13, User Authentication with OAuth 2.0.
Antonio Sanso (11) [Avatar] Offline
#9
Other standards we cover are in Chapter 14

14. Protocols and profiles using OAuth 2.0

14.1. User Managed Access (UMA): a standard for consent and policies
14.2. HEART: a family of standards for high security and high interoperability for healthcare APIs
Anonymous (122) [Avatar]
#10
Thanks (I'm Anon 105). Looks like a book I'll buy.
Justin Richer (58) [Avatar] Offline
#11
stephenc wrote:Thanks. Also decloaking my anonymity with my follow-up.

Then I'd like an appendix detailing frameworks for different languages with their advantages and disadvantages. For example, in Doorkeeper, the user either accepts or doesn't accept a strategy when redirected to the server (if given the option at all). I don't know if that's something from OAuth 2 or Doorkeeper's simplified approach to OAuth 2 that may theoretically allow one to choose from multiple strategies: (1) share my name and email; (2) share my email only; (3) share email and let them post as me; etc. Even just an Appendix that lists what's out there might be useful.


Great feedback. We'll cover some of these concepts in chapters 4 and 5 when we go into depth on how to build the authorization server and protected resources. Whether to give the user choice over which scopes to uncheck is totally up to the AS, and our little implementation will step you through the case of handling that scope deselection properly. You can simplify it by just making it an approve/deny, as in the library you're mentioning and in the implementation that Google uses. Once we have these chapters available, we'd love feedback on whether we're covering this concept appropriately.

stephenc wrote:Also an Appendix on other resources out there including conference videos and Github repositories. I recently came across a fantastic talk at RailsConf 2014 by Jeremy Green entitled Service Oriented Authentication on how to build a full stack OAuth 2 solution including a client gem. I would like a one-stop shop for finding resources like that and others that I might have missed. Being a MEAP book, it's the kind of thing readers can contribute to during its writing.


A good current resource (that you can also contribute to) is http://oauth.net/code/ which will of course generally be more up to date than a book ever will be. That said, I don't think it's necessarily a bad idea to include a snapshot reference in the book, so we'll look into that possibility.
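The scope-deselection handling discussed above (per-scope checkboxes versus a plain approve/deny, as in Doorkeeper or Google's consent screen) can be reduced to a few server-side rules. This is an added illustration, not code from the book's repository; the `scope_<name>` checkbox naming and the sample scope values are assumptions made for the example.

```javascript
// Added example: how an authorization server can process a user's consent
// decision so that the client never receives more scope than it requested.
// Sample data constructed for this example.
const REQUESTED = ['read', 'write', 'delete'];

// Per-scope consent. The approval form posts one checkbox per scope, named
// "scope_<name>" (naming convention assumed here). A scope is granted only
// if it was requested AND checked; a checked box for a scope that was never
// requested is ignored, so a tampered form cannot escalate privilege.
function grantedScopesFromForm(requested, formBody) {
  return requested.filter((s) =>
    Object.prototype.hasOwnProperty.call(formBody, 'scope_' + s));
}

// Simplified approve/deny consent: one decision for the whole request.
// Approve grants exactly the requested set; deny grants nothing.
function grantedScopesApproveDeny(requested, approved) {
  return approved ? [...requested] : [];
}

// Last check before issuing a code or token: the granted set must be a
// non-empty subset of the requested set. Returns null when the decision
// is invalid (escalation attempt) or the user granted nothing.
function decideGrant(requested, granted) {
  const allowed = new Set(requested);
  if (!granted.every((s) => allowed.has(s))) {
    return null;
  }
  return granted.length > 0 ? granted : null;
}

// RFC 6749 section 5.1: the "scope" parameter in the token response is
// optional when identical to what the client requested, and required
// otherwise. Returns the value to include, or undefined to omit it.
function tokenResponseScope(requested, granted) {
  const same = requested.length === granted.length &&
    requested.every((s) => granted.includes(s));
  return same ? undefined : granted.join(' ');
}
```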
Anonymous (122) [Avatar]
#12
Compare to RFC6749?
As someone who has read RFC 6749 before reading this book, I would like to have seen a stronger nod to the RFC in the introduction or elsewhere in order to emphasize the "in Action" elements of this book and how it compares to just reading the spec itself.

I think this would also be useful for the inverse, i.e. for people who come to this book first before reading the RFC, describe a little more about the specs being the authoritative source of the protocol and how this book complements that.

The only reference to the RFC I see is at the end of page 3, which I think could be elaborated much more to address both of the situations above.
Anonymous (122) [Avatar]
#13
Hi,

thanks for your comment about the RFC comparison. We will definitely take it on board!
Anonymous (122) [Avatar]
#15
Hi,

What's the estimated timeline for each chapter?

Thanks

Fred
Justin Richer (58) [Avatar] Offline
#16
Anonymous wrote:What's the estimated timeline for each chapter?


We've got about 3/4 of the book written in draft form at the moment, so it's a matter of editing and production for much of the content. We will be releasing chapters to the MEAP as they are ready.
243900 (3) [Avatar] Offline
#17
Hi:
I find testing OAuth applications on a local installation to be a bit challenging. Does your book cover this? I feel that the setup is too cumbersome for local development.
Thanks.
Justin Richer (58) [Avatar] Offline
#18
243900 wrote:I find testing OAuth applications on a local installation to be a bit challenging. Does your book cover this? I feel that the setup is too cumbersome for local development.


I'm not quite sure what you're asking -- do you mean doing OAuth development on a localhost environment? If that's the case, then all of our exercises are designed to run on localhost so you'll have plenty of examples working in that space. We are trying to cover some of the differences between a development environment, as presented in the book, and a production environment, what you'd actually want to deploy, throughout the book.
Andreas Falk (6) [Avatar] Offline
#19
Hi,
do you also consider using SAML tokens together with OAuth in your book?
Justin Richer (58) [Avatar] Offline
#20
We will be mentioning that SAML can be used as the token content but we will not be covering it in any depth. We will be covering JWT in some depth.