Welcome to another edition of the JBoss Weekly Editorial where we bring you up to speed with all that has been happening across the JBoss Communities.
Is OAuth2 secure enough?
This week, there has been a lot of debate around OAuth2 following the publication of the post "Introducing TAuth: Why OAuth 2.0 is bad for banking APIs and how we're fixing it". That article suggests that OAuth2 is broken because client authentication is not strong enough. But as Stian Thorgersen pointed out, nothing in OAuth2 restricts client authentication to just an id and secret: any HTTP-based authentication mechanism (Basic, Digest) is permitted. Moreover, when designing the solution, the architect should review the options available to reinforce the security of the platform, such as mutual TLS, token expiration, and token introspection to intercept and revoke a client's tokens if required. OAuth2, like TLS and SSL, can be complex to use and to position correctly within a project, and this is why we are working hard on the Keycloak project to simplify the management of such SSO architectures!
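As an added illustration (not code from the editorial, the TAuth post or Keycloak), here is a minimal RFC 7662-style token introspection check in Python: the caller must authenticate with HTTP Basic client credentials, and a token is reported inactive once it has expired or been revoked. The client registry, tokens and secrets are constructed sample data.

```python
import base64
import hmac
import time

# Constructed sample data: registered confidential clients and issued tokens.
CLIENTS = {"billing-app": "s3cret-example"}
TOKENS = {
    "tok-valid":   {"client_id": "billing-app", "scope": "accounts:read", "exp": 2_000_000_000},
    "tok-expired": {"client_id": "billing-app", "scope": "accounts:read", "exp": 1_000_000_000},
}
REVOKED = set()


def basic_header(client_id, secret):
    """Build the Authorization header a client sends for HTTP Basic auth (RFC 6749 2.3.1)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def authenticate_client(authorization_header):
    """Return the client_id if the Basic credentials match a registered client, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, _, secret = raw.partition(":")
    # Compare against a dummy secret for unknown clients so timing does not reveal valid ids.
    expected = CLIENTS.get(client_id, "unknown-client-dummy")
    if client_id not in CLIENTS or not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return client_id


def introspect(authorization_header, token, now=None):
    """RFC 7662-style response: the caller must authenticate; unknown, expired or
    revoked tokens are reported as inactive without leaking why."""
    now = time.time() if now is None else now
    if authenticate_client(authorization_header) is None:
        return {"error": "invalid_client"}
    meta = TOKENS.get(token)
    if meta is None or token in REVOKED or meta["exp"] <= now:
        return {"active": False}
    return {"active": True, "client_id": meta["client_id"],
            "scope": meta["scope"], "exp": meta["exp"]}


def revoke(token):
    """Revoke a token; later introspection calls will report it inactive."""
    REVOKED.add(token)
```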
- Healthcare Demo by Christina Lin using Camel, HL7 Dataformat & Microservices technology