
Authentication/authorisation web service: OAuth or not?


We need to implement an authentication/authorisation web service and I am not sure if we should use the OAuth protocol in our situation.

The background of the story:

We have some J2EE web applications in a JBoss server. Authentication and authorisation of the applications are implemented with JAAS and deployed in this JBoss server. We want to add some new web applications that are implemented in other languages and deployed on other servers. To re-use the authentication/authorisation mechanism in the JBoss server, we need to implement authentication/authorisation web services for the new applications.

So here come some thoughts:

Is it necessary to adopt the OAuth protocol for the authentication/authorisation web service?

As far as I know, OAuth2 is used to grant access to functionality, a user's data, etc. without giving the password to the 3rd-party app. This is not really our case, as we actually own all the applications, although the new apps are not on the authentication server.

Another choice is to implement the login web service and then return the new apps a ticket/token to use later.

On the other hand, with the OAuth protocol the new apps are not involved in users' logins/passwords, which seems nice...

Do you have some ideas ?


Solution

  • OAuth works on the concept of "Resource Owners" (which get the user credentials and enable the client's access to the server's APIs), "Server" (owner of the resources) and "Clients" (which want access to the server resources but don't have access to the credentials).

    OAuth is just one way of providing security to the resources, which means it is not necessary to have it for all "authentication/authorisation".

    In your case I don't think there is a need for full-fledged 3-legged OAuth; however, you can still go ahead with 0-legged OAuth or some other approach. Also, I don't understand what you meant by "new apps are not involved in users' logins/passwords", as this is completely opposite to what OAuth is meant for. Users generally provide the credentials when they log into the app, and then that login call ensures that the clients have access to the server resources.

    If you just want to "return the new apps a ticket/token to use later" then OAuth is not for you, as it is more than just providing a token for later use. Also, the token in OAuth is for the server's API access.
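The "login web service that returns a ticket/token to use later" option discussed above, as an added example that is not part of the original question or answer. The JBoss/JAAS side is stubbed with a constructed user table; the ticket layout (JSON claims plus an HMAC-SHA256 tag over them), the shared secret and the 10-minute lifetime are assumptions for the illustration. The point it shows is that the new applications only ever see the ticket, never the password, and can check it locally with a shared key.

```python
"""Login web service that issues a signed, time-limited ticket.

Added example (not from the original page). The auth server checks the
credentials and hands back a ticket; any application that shares the
secret can verify it without contacting the auth server or seeing the
user's password. The user table, claim names and TTL are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for the JAAS login module on the JBoss server.
# A real deployment stores password hashes; plain text keeps this short.
USERS = {
    "alice": {"password": "wonderland", "roles": ["admin", "user"]},
    "bob": {"password": "builder", "roles": ["user"]},
}

TICKET_TTL = 600  # seconds a ticket stays valid (assumed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def login(username: str, password: str, secret: bytes, now=None) -> Optional[str]:
    """Login web service on the auth server: credentials in, ticket out (or None)."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    issued = int(time.time() if now is None else now)
    claims = {
        "sub": username,
        "roles": user["roles"],
        "iat": issued,
        "exp": issued + TICKET_TTL,
        "jti": secrets.token_hex(8),  # unique id, lets apps keep a revocation list
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload, secret))


def verify(ticket: str, secret: bytes, now=None) -> Optional[dict]:
    """Called by a new app: returns the claims if the ticket is genuine and unexpired."""
    try:
        payload_b64, sig_b64 = ticket.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:  # wrong number of parts or bad base64
        return None
    # Check the MAC before trusting anything inside the payload.
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None
    return claims


def has_role(claims: dict, role: str) -> bool:
    """Authorisation check a new app performs on verified claims."""
    return role in claims.get("roles", [])


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared between auth server and trusted apps
    ticket = login("alice", "wonderland", key)
    print("ticket:", ticket)
    print("verified:", verify(ticket, key))
    print("admin?", has_role(verify(ticket, key), "admin"))
    print("tampered:", verify("f" + ticket[1:], key))
```

Because the verifying applications hold the same secret as the issuer, any of them could mint tickets; if that is not acceptable, sign with a private key on the auth server and give the other apps only the public key, keeping the rest of the flow unchanged.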