#aerogear Meeting

Meeting started by abstractj at 14:00:38 UTC (full logs).

Meeting summary

  1. Security (abstractj, 14:00:52)
    1. The goal of this meeting is to define the next 3 months for security on AeroGear — currently most of the tasks on security emerge on demand, abstractj would like to go from reactive to proactive mode (abstractj, 14:00:52)
    2. Nothing here is mandatory if you don't want to work on it, that's ok. Most of the topics are open for discussion. (abstractj, 14:00:52)
    3. If your team doesn't have bandwidth for it right now, abstractj is self volunteering. (abstractj, 14:00:52)
    4. JIRA reference (abstractj, 14:00:52)
    5. https://issues.jboss.org/browse/agsec (abstractj, 14:00:52)
    6. abstractj's suggestion: do not duplicate tasks between Jiras, only include the "macro" task and create links to your project. We used to do that in the past and it worked well (abstractj, 14:00:54)
    7. Example (abstractj, 14:00:55)
    8. https://issues.jboss.org/browse/AGSEC-147 (abstractj, 14:00:56)
    9. We can have more meetings, every 15 days, if the team thinks it's healthy for the project (abstractj, 14:00:58)
    10. Let's try to make it quick and move all the long discussions to the ML or hangouts (abstractj, 14:01:00)
    11. AGREED: (corinnekrych, 14:02:12)
    12. AGREED: (summersp, 14:02:20)
    13. AGREED: (passos, 14:02:26)
    14. AGREED: (lfryc, 14:02:34)
    15. AGREED: (cvasilak, 14:02:38)
    16. AGREED: (sblanc, 14:02:42)
    17. the security meeting will happen 2 weeks from now (abstractj, 14:04:39)
    18. same time, same day (abstractj, 14:04:49)

  2. Android (abstractj, 14:05:26)
    1. Summersp wants to eventually bring keycloak-android-adapter into authz package (passos, 14:06:53)
    2. summersp started the work around Keycloak (passos, 14:06:53)
    3. https://github.com/secondsun/keycloak-android-authenticator (passos, 14:06:53)
    4. https://github.com/secondsun/keycloak-account-authenticator-demo (passos, 14:06:53)
    5. Android cookbook has a demo at the cookbooks (passos, 14:06:53)
    6. https://github.com/danielpassos/aerogear-android-cookbook/tree/GDrive/GDrive (passos, 14:06:55)
    7. abstractj is considering annoying summersp and starting to extract the source code from his repository into the *-auth module on Android (passos, 14:06:56)
    8. Android needs a way of importing keys/certs to handle self-signed/unsigned HTTPS requests. No ideas yet; needs to be scheduled and jira'd (passos, 14:06:57)
    9. ACTION: abstractj is looking at this. Also it will be fixed with cert pinning later, but not a high priority (passos, 14:06:58)
    10. aerogear-android-security library will be getting the 2.0 treatment soon. (Registrations API is all that is left) (passos, 14:06:59)
    11. Android OS provides some keychain tools which we should investigate (passos, 14:07:00)
    12. http://developer.android.com/reference/android/security/KeyChain.html (passos, 14:07:01)
    13. abstractj thinks that Keychain might not be a good idea, because its usage is for system-wide credentials (passos, 14:07:03)
    14. https://developer.android.com/training/articles/keystore.html#WhichShouldIUse (passos, 14:07:04)
    15. We started a PoC for offline (passos, 14:07:05)
    16. github.com/danielpassos/aerogear-android-offline (passos, 14:07:06)
    17. https://github.com/danielpassos/aerogear-android-offline-demo (passos, 14:07:07)
    18. AGREED: :-p (summersp, 14:07:20)

  3. iOS (abstractj, 14:15:03)
    1. iOS 2.0 release: main focus on OAuth2 (corinnekrych, 14:15:31)
    2. https://issues.jboss.org/browse/AGIOS-263 (corinnekrych, 14:15:31)
    3. 2.1 for the missing bits: (corinnekrych, 14:15:33)
    4. direct grant (resource owner grant) AGIOS-277 (corinnekrych, 14:15:35)
    5. https://tools.ietf.org/html/rfc6749#section-4.2 (corinnekrych, 14:15:36)
    6. confidential client (corinnekrych, 14:15:37)
    7. https://tools.ietf.org/html/rfc6749#section-4.3 (corinnekrych, 14:15:39)
    8. openid connect (on top of authz code) (corinnekrych, 14:15:40)
    9. http://openid.net/connect/ (corinnekrych, 14:15:40)
    10. keycloak sdk for OAuth2 what are the missing flows? (corinnekrych, 14:16:28)
    11. http://lists.jboss.org/pipermail/keycloak-dev/2014-October/002763.html (corinnekrych, 14:16:28)
    12. OAuth2 demo app with its keycloak backend (corinnekrych, 14:16:30)
    13. http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-OAuth2-demo-app-let-s-use-Shoot-nShare-td9305.html (corinnekrych, 14:16:31)
    14. https://issues.jboss.org/browse/AEROGEAR-1518 (corinnekrych, 14:16:31)
    15. aerogear iOS 2.2 release - planned for November - to cover: (corinnekrych, 14:19:39)
    16. crypto in Swift (corinnekrych, 14:19:39)
    17. https://issues.jboss.org/browse/AGIOS-256 (corinnekrych, 14:19:41)
    18. KeychainWrapper in crypto (for now, first version in the oauth2 lib) (corinnekrych, 14:19:43)
    19. https://issues.jboss.org/browse/AGIOS-103 (corinnekrych, 14:19:44)
    20. offline authentication & touchID (corinnekrych, 14:19:45)
    21. http://corinnekrych.blogspot.fr/2014/09/touchid-and-keychain-ios8-best-friends.html (corinnekrych, 14:19:46)
    22. http://corinnekrych.blogspot.fr/2014/09/authenticate-with-touchid.html (corinnekrych, 14:19:47)

  4. JavaScript (corinnekrych, 14:20:38)
    1. considering Authz adapter for Keycloak (lholmquist, 14:20:43)
    2. https://issues.jboss.org/browse/AGJS-213 (lholmquist, 14:20:43)
    3. Chrome 37 (stable) now supports crypto.subtle, and all major browsers have it in dev (lholmquist, 14:20:43)
    4. would be nice to revisit this (lholmquist, 14:20:45)
    5. https://www.chromestatus.com/feature/5030265697075200 (lholmquist, 14:20:47)
    6. ACTION: lfryc investigate kc.js to check the supported workflows and how to add adapters for it as well (abstractj, 14:23:36)
    7. AGREED: (matzew, 14:23:45)
    8. AGREED: (abstractj, 14:24:36)
    9. http://lists.jboss.org/pipermail/keycloak-dev/2013-August/000329.html (lfryc, 14:25:57)

  5. Cordova (abstractj, 14:27:35)
    1. allow delegating Authz code to native impls (abstractj, 14:28:02)
    2. WIP by edewit on ios oauth2 plugin (abstractj, 14:28:02)
    3. https://github.com/edewit/aerogear-cordova-cookbook/tree/swift-oauth2-plugin (abstractj, 14:28:02)
    4. AGREED: (sblanc, 14:28:18)
    5. AGREED: (matzew, 14:28:32)

  6. UnifiedPush (abstractj, 14:31:19)
    1. revisit single admin user. mailing list thread has been started with links to specs/JIRAs (matzew, 14:31:42)
    2. http://lists.jboss.org/pipermail/aerogear-dev/2014-October/009237.html (matzew, 14:31:42)
    3. admin role: only one user in the system with that role; the admin sees apps/variants of all users + access to keycloak console (matzew, 14:32:06)
    4. developer: possible to have multiple 'developers'; each developer sees only his own apps/variants + NO right to access keycloak console (matzew, 14:32:06)

  7. SimplePush (matzew, 14:33:50)
    1. Nothing at the moment and I think the other projects are of higher priority. (dbevenius, 14:33:54)
    2. AGREED: (abstractj, 14:34:02)

  8. Ideas by priority (dbevenius, 14:34:08)
    1. AGREED: (cvasilak, 14:34:08)

  9. Ideas by priority (abstractj, 14:34:29)
    1. The following priorities were based on repositories and discussions on the mailing list, plus ideas discussed during our F2F (abstractj, 14:34:45)
    2. 1. User management on UnifiedPush server (abstractj, 14:34:45)
    3. 2. SDKs for OAuth2 plus integration with Keycloak (abstractj, 14:34:45)
    4. 3. Offline authentication (abstractj, 14:34:45)
    5. 4. Revisit our crypto API (abstractj, 14:34:46)
    6. 5. Data synchronization (abstractj, 14:34:47)
    7. 6. Certificate pinning to all SDKs (abstractj, 14:34:48)
    8. 7. Two factor authentication with Push messages (abstractj, 14:34:49)
    9. 8. Device blacklisting (abstractj, 14:34:50)
    10. 9. Social login (abstractj, 14:34:51)
    11. 10. Biometrics authentication (abstractj, 14:34:52)
    12. The goal is to focus on the first 2 items if possible and, once we stabilize them, move to the next 2 (it pretty much depends on the scope) (abstractj, 14:34:53)
    13. Note: Just agree or disagree if your sanity sees this priority list as correct. If we're fine with it, let's focus on the first 2 topics (abstractj, 14:34:54)
    14. AGREED: (sblanc, 14:35:19)
    15. AGREED: (summersp, 14:35:36)
    16. AGREED: (passos, 14:35:37)
    17. AGREED: (cvasilak, 14:35:53)
    18. AGREED: (lfryc, 14:37:00)
    19. AGREED: (lholmquist, 14:37:05)

  10. User management on UnifiedPush server (abstractj, 14:38:24)
    1. the flow will be discussed into the mailing list (abstractj, 14:38:37)
    2. AGREED: (matzew, 14:38:46)

  12. SDKs for OAuth2 plus integration with Keycloak (abstractj, 14:39:46)
    1. Jira reference (abstractj, 14:39:57)
    2. https://issues.jboss.org/browse/AGSEC-180 (abstractj, 14:39:57)
    3. The team is making amazing progress showcasing OAuth2 in the cookbooks (abstractj, 14:39:57)
    4. Although, for developers, getting started with OAuth2 is a bit confusing (abstractj, 14:39:57)
    5. ACTION: abstractj: Revamp the AeroGear Security page with the supported authentication methods and crypto algorithms, plus references to the specific projects on how to get started, as well as information about which OAuth2 flows we support (abstractj, 14:39:57)
    6. https://gist.github.com/abstractj/04136c6df85cea5f35d1 (abstractj, 14:39:58)
    7. Open question: Should we provide separate SDKs for OAuth2 (for Keycloak, Node.js servers...) and OpenID Connect (for Facebook, Google...)? Or put everything into *-auth and revisit later? (abstractj, 14:39:59)
    8. AGREED: (lholmquist, 14:41:14)
    9. SDKs for FB and Google are low priority on AeroGear yay/nay? (abstractj, 14:41:50)
    10. AGREED: (passos, 14:42:05)
    11. we should focus on the OAuth2 workflows to keep our APIs aligned and later on integrate with KC. Correct? (abstractj, 14:42:36)
    12. AGREED: (lholmquist, 14:44:09)


Meeting ended at 14:46:36 UTC (full logs).

Action items

  1. abstractj is looking at this. Also it will be fixed with cert pinning later, but not a high priority
  2. lfryc investigate kc.js to check the supported workflows and how to add adapters for it as well
  3. abstractj: Revamp the AeroGear Security page with the supported authentication methods and crypto algorithms, plus references to the specific projects on how to get started, as well as information about which OAuth2 flows we support


Action items, by person

  1. abstractj
    1. abstractj is looking at this. Also it will be fixed with cert pinning later, but not a high priority
    2. abstractj: Revamp the AeroGear Security page with the supported authentication methods and crypto algorithms, plus references to the specific projects on how to get started, as well as information about which OAuth2 flows we support
  2. lfryc
    1. lfryc investigate kc.js to check the supported workflows and how to add adapters for it as well


People present (lines said)

  1. abstractj (140)
  2. corinnekrych (71)
  3. matzew (49)
  4. passos (38)
  5. summersp (31)
  6. jbossbot (21)
  7. lholmquist (20)
  8. sblanc (17)
  9. lfryc (16)
  10. jbott (16)
  11. aerobot (9)
  12. edewit (6)
  13. dbevenius (4)
  14. cvasilak (4)
  15. qmx (0)
  16. kpiwko (0)
  17. balunasj (0)


Generated by MeetBot 0.1.4.