Implement Authorization server
2h - Account Management - probably we don’t have to do it - already reuse
4h - implement authorize endpoint (only implicit grant type is necessary)
4h - implement token endpont
Implement Resource Server
2h - find out how to combine with the current cookie authentication
- a) switch everything to OAUTH
- b) combine - preferable approach (set session cookies only to non-CORS headers), all other applications has to have OAUTH tokens.
- c) make it configurable on page basis?
4h - implement chosen solution
4h - set properly CORS (cross origin request) headers
0-8h Tuning, obstackles
Overall estimate: 20-28MH