Eliminate AAA OAuth2 Provider
For the foreseeable past, OpenDaylight AAA development team has
agreed to avoid becoming an IdP. The simple fact is that there are
hundreds (if not more) of IdP solutions that are very secure and
have been proved with time. The cost of maintaining an IdP is
extremely high, as the code is not always simple, and requires
highly skilled, security-minded developers to maintain.
However, one remnant of IdP currently exists as a part of ODL
AAA, namely the OAuth2 Provider Implementation. The OAuth2
Provider implementation allows users to derive scoped access
tokens in order to access the controller without using plain
credentials. Part of OAuth2 inherently also provides easy
revocation of tokens.
However, this begs the question, are we an IdP at this point?
The preferred security model would be to delegate to an external,
third-party OAuth2 Provider, since many exist and are readily
available for federation. This would limit the scope to
client-only for AAA. This is preferred since AAA should not
be responsible for generation and revocation of tokens. The
existing implementation utilized Apache OLTU, which has now
been retired to the Attic.
This patch favors removing unmaintained, possibly vulnerable
security code over maintaining OAuth2 backwards compatibility.
The functionality is not being replaced for two reasons:
1) we strive not to act as an IdP
2) most other OAuth2 provider solutions are spring-security based,
and are fairly difficult to use from non-spring contexts.
JIRA: AAA-173
Change-Id: I090014771b2f345cedc0330738b15b18684e1fcf
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>