FriendsOfSymfony / friendsofsymfony.github.io

Description of what FriendsOfSymfony (aka FoS) is about.
http://friendsofsymfony.github.io

I would like to propose a new member of fos/oauth2server team #47

Closed alanbem closed 5 years ago

alanbem commented 10 years ago

Hi,

As lately I can't fulfill all my responsibilities as our oauth2 repos' maintainer, I would like to propose @Spomky as a new member of the oauth2 family :)

He proved himself as more than capable of taking care of these repositories. I'm sure he would be a great addition to the FOS team.

stof commented 10 years ago

Is he maintaining his own OAuth bundle in parallel?

alanbem commented 10 years ago

Well, yeah.. this is why @Spomky is perfect for this job - he has the knowledge and experience.

alanbem commented 10 years ago

Gentlemen, is there any kind of procedure to perform in order to accept @Spomky as a new team member? Voting maybe?

stof commented 10 years ago

yes, voting.

Btw @Spomky, what do you think about becoming a maintainer? I think your opinion is interesting as well on this question :smile:

Spomky commented 10 years ago

Hi all,

You are right @stof, I created my own OAuth2 library and Symfony bundles. These projects are still in active development. I decided to create them because the oauth2-php lib is only compliant with an old draft, is difficult to maintain, and new features cannot be included without BC breaks. @alanbem suggested creating decoupled projects based on interfaces. That is what I aim to do.

As @alanbem said, I am really involved in the oauth2-php and FOSOAuthServerBundle projects. Even if I created my own projects, I still contribute to them. That is why he asked me to be part of your team and I am interested in becoming a member and a maintainer of these projects.

The only thing that makes me doubt is that I do not work in an IT company like many of you. I learned everything by myself and I certainly have some gaps compared to @alanbem and the work he does for these projects.

alanbem commented 10 years ago

@Spomky, no worries - this is what code reviews are for :) I'm still gonna be there.

merk commented 10 years ago

If Spomky is to be added as a maintainer I'd like to see his work folded into new versions of the FOS bundle and libraries even if there are BC breaks.

There is not much point maintaining multiple libraries and bundles, one set should be deprecated in favour of the other.

Nothing wrong with us bumping major versions.

alanbem commented 10 years ago

[...] I'd like to see his work folded into new versions of the FOS bundle and libraries

@Spomky what do you think?

Spomky commented 10 years ago

Hi all,

@merk you are right, there is no need to maintain multiple projects. If you think my project is a good alternative, it can supersede the current project. For now, it is not mature enough. I still have a lot of work to do. We can consider this later on.

My project also has a different design. In the current project, there is only one library and its bundle. My project contains multiple libraries: one per component (client manager, access token manager, grant types...) and their bundles. It cannot be folded into the current project. It will be easier to maintain if all these components are in a dedicated organization.

alanbem commented 10 years ago

Guys?!? Can we put this thing in motion?

merk commented 10 years ago

I'm happy to add Spomky as a maintainer of the bundle and library - but it sounds like we're pretty much going to deprecate them at some point when his own libraries and bundle reach a certain point.

I'm not sure it's worth moving those libraries into the FOS namespace unless we have multiple maintainers here who will help out.

stof commented 9 years ago

Given that there are a lot of repos for the set of libraries, it would be better to have an organization dedicated to this project only, grouping all these repos.

merk commented 9 years ago

Ping.

I think the best option here is for us to deprecate FOSOAuthServerBundle in favour of the new library when it reaches a point that it can replace the FOS bundle.

Spomky commented 9 years ago

Hi,

I am sorry, I needed to have a break for a few weeks (the birth of my first child!). At the end of last year, I sent an email to @alanbem to inform him that I released the first unstable version of the authorization server.

composer create-project Spomky-Labs/OAuth2ServerStandardEdition --stability=dev (DO NOT USE, PROJECT NOT UP TO DATE)

You cannot yet protect an API, but the other bundles will be released during the next months. The documentation is still missing, so do not hesitate to contact me if you have some troubles or to report to me any bugs you could find.

I also created a PHP Jose library. My goal is to add JWT support to this project. This library is still in development, but it already supports all algorithms (signature and encryption) and main components (keys, keysets, compression and so on).

Everybody noted that my project is not just a library and its bundle. I share @stof's opinion that this project should have a dedicated organization.

Regards.

Spomky commented 9 years ago

Hi all,

8 months after my last post, I would like to share with you the latest improvements of my work.

I reorganized the whole project as suggested by @stof and I created a modern and flexible PHP library.

At the time of writing, this library provides almost all common functionalities related to the OAuth2 Framework. I still have to implement RFC7522 (SAML Profile) and the OpenID Connect protocol, and to write the documentation.

I also created a Symfony (2.7+) bundle. Thanks to Matthias Noback's Symfony plugin bundle, this bundle only enables the components you need and can easily be extended by custom plugins. Example for an authorization server that will only use public clients, the implicit grant type and access token revocation:

```php
use Symfony\Component\Config\Loader\LoaderInterface;
use Symfony\Component\HttpKernel\Kernel;
// use statements for the bundle and plugin classes are omitted here

class AppKernel extends Kernel
{
    public function registerBundles()
    {
        $bundles = [
            // Only the listed plugins are enabled: public clients, a simple
            // string access token, the authorization endpoint, the implicit
            // grant type and token revocation.
            new SpomkyLabsOAuth2ServerBundle([
                new PublicClientPlugin(),
                new SimpleStringAccessTokenPlugin(),
                new AuthorizationEndpointPlugin(),
                new ImplicitGrantTypePlugin(),
                new TokenRevocationEndpointPlugin(),
            ]),
            // ... other bundles
        ];

        return $bundles;
    }

    // Required by the abstract Kernel; standard Symfony 2.x configuration loading
    public function registerContainerConfiguration(LoaderInterface $loader)
    {
        $loader->load(__DIR__.'/config/config.yml');
    }
}
```

This bundle is suffering from the same issues as the library (SAML Profiles, OpenID Connect and documentation).

In parallel, I am working on a plugin to provide annotations, a firewall and other security features to easily protect a resource server. Example of annotations:

As this project is quite mature, I will be glad if anybody could try it and send me feedback.

merk commented 9 years ago

This looks great! I'm keen to give it a go over the next few weeks. Thanks for the post.

jayesbe commented 8 years ago

Just found this.. awesome. Will give the new bundle a try.

Spomky commented 8 years ago

Hi all,

Approx. 10 months have passed since my last message. I just want to share with you the latest improvements in the projects I announced earlier.

The Jose suite (library and bundle) is almost complete. You are now able to create and load JWTs, whatever the encryption/signature/compression/format is. The doc is not yet fully written, but this issue will be fixed during the next weeks.

This suite is very important for the OAuth2 one (library and bundle) because it allows you to use JWTs in several OAuth2 components such as access tokens, grant types, client assertions or client requests. Now this suite provides all functionalities related to RFC6749, but also implements functionalities from several RFCs or specifications related to the OAuth2 Framework Protocol, including OpenID Connect!

And because good things come in pairs, I submitted that OAuth2 suite to the OIDC compliance tool and I got very encouraging results.

Stay tuned for more information.

dbu commented 5 years ago

I assume that this is not relevant anymore. If it is, please open a new issue.

Spomky commented 5 years ago

Hi @dbu, you are right, this topic can be closed as nothing has moved for a while. I created my own organization for all these Authorization/Authentication topics and our respective projects have different approaches.