[jboss-as7-dev] [Resteasy-users] OAuth2 example - different roles per REST Method
Heiko Braun
hbraun at redhat.com
Wed Apr 17 02:49:58 EDT 2013
Have you considered http://oltu.apache.org for the oauth2 support? I think we have committers on that already (jfclere).
On Apr 16, 2013, at 8:32 PM, Bill Burke <bburke at redhat.com> wrote:
> Yeah, I don't have time to work on this now. You'd have to post both user id, client id, and credentials of both. It would work similarly to the oauth example. You'd use the role mapping for the client-id to filter the ones from the user role mappings. To do this you'd do a double internal login for the user/client to get their respective role mappings. If I'm making any sense....
>
> You'd add a new method modified on the tokenGrant() method contained in this file:
>
> https://github.com/resteasy/Resteasy/blob/3.0-beta-4/jaxrs/security/skeleton-key-idm/skeleton-key-as7/src/main/java/org/jboss/resteasy/skeleton/key/as7/OAuthAuthenticationServerValve.java
>
> BTW, this is ugly-ass code. It's very hacky. At the time, it seemed like the only way I could do this and leverage JBoss's existing security infrastructure.
>
> On 4/16/2013 2:20 PM, Doug Schnelzer wrote:
>> That's exactly what we want to do. Could we take what is available in the current implementation and put something together? I'm happy to work on it. A pointer in the right direction would be great.
>>
>> Thanks, Doug
>>
>> On Tue, Apr 16, 2013 at 2:15 PM, Bill Burke <bburke at redhat.com> wrote:
>>
>> So you want to specify user, client-id, and their credentials and get back a token that is limited to what the client-id is allowed to get? All in one request? I don't have an API for this at the moment.
>>
>> On 4/16/2013 11:50 AM, Doug Schnelzer wrote:
>>> So continuing to peel back the onion... and getting somewhere...
>>>
>>> Thanks for the pointers. I re-read the docs especially around
>>>
>>> http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454
>>>
>>> I noticed that the commerce-roles.properties for the current OAuth2 examples has the following:
>>>
>>> bburke@redhat.com=user,products
>>> admin=admin
>>> customer-portal=login
>>> product-portal=login
>>> third-party=oauth,*
>>>
>>> I see that the oauth-client-example project is using the client-id "third-party" which is specified in the org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized(). What I want to do is to get a bearer token programmatically as is done in the client-grant example (i.e. org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()) but I want to specify the client-id so that I can limit the roles that are encoded in the bearer token. My assumption is that since org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts() is using basic authentication to the auth server, the bearer token returned will have all roles for bburke@redhat.com.
>>>
>>> So my question is can I easily modify the ProductDatabaseClient.getProducts() so that I am specifying a client-id for the resulting bearer token, and if so can you point me at the right part of the API that I should be looking at?
>>>
>>> Thanks much,
>>> Doug
>>>
>>> On Tue, Apr 16, 2013 at 9:33 AM, Bill Burke <bburke at redhat.com> wrote:
>>>
>>> OAuth2 does not define the token format. We have defined our own token format that transmits signed role-mapping metadata.
>>>
>>> Check this out:
>>>
>>> http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454
>>>
>>> An "Oauth client" in skeleton key can be assigned a set of roles that it is allowed to assume. So, even though a specific user might have "admin" and "user" permissions, you can specify in the "oauth client" role mapping that the "oauth client" is only allowed to assume "user" permissions. Please read the linked documentation and get back to this list if you have more questions.
>>>
>>> FYI, because our OAuth2 code reuses and is built on top of JBoss's existing Security Domain APIs there's only so much flexibility that can be provided. In the future, I have plans to leverage the new IDM API in AS8 so that you can do more complex role mappings and OAuth2 scopes. Right now you're limited to what the documentation specifies. Please get back to me. I want to know if what we have is good enough for now, or if it is unusable.
>>>
>>> On 4/16/2013 9:17 AM, Doug Schnelzer wrote:
>>>> Thanks. As a follow up, I'd like to request a bearer token but limit the Roles identified in the bearer token. I'm looking at org.jboss.resteasy.example.oauth.ProductDatabaseClient. Would it be right to look at the Access Token Scope to try and accomplish this? What I'm trying to do is have a set of REST services protected using the @RolesAllowed and a less sensitive role. Even though the Resource Owner may have access to more sensitive roles, I don't want the bearer token being given to the client to have all of these roles. I'm working my way through org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and mapping to the OAuth2 spec, but would welcome any guidance pointing me in the right direction.
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
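A worked illustration of the client-id role filtering Bill describes (the user's role mapping intersected with the roles the OAuth client is allowed to assume), added here as an example; it is not RESTEasy or skeleton-key code. It assumes the commerce-roles.properties format quoted in the thread, that `*` means the client may assume any of the user's roles, that `oauth` only marks a principal as an OAuth client, and it adds a constructed `reporting-app` client to show a restricted mapping.

```python
# Added example: not RESTEasy/skeleton-key code. Computes the roles a bearer
# token should carry when client_id requests one on behalf of user, by
# filtering the user's role mapping through the client's allowed roles.
# Assumptions (not stated in the thread): '*' means "any of the user's roles",
# 'oauth' only marks a principal as an OAuth client, and 'reporting-app' is a
# constructed client added to show a restricted mapping.

# Constructed sample in the commerce-roles.properties format quoted above.
ROLES_PROPERTIES = """\
bburke@redhat.com=user,products
admin=admin
customer-portal=login
product-portal=login
third-party=oauth,*
reporting-app=oauth,products
"""


def parse_roles(text):
    """Parse 'principal=role1,role2' lines into {principal: set(roles)}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, _, roles = line.partition("=")
        mapping[principal.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return mapping


def token_roles(mapping, user, client_id):
    """Roles to encode in a token issued to client_id on behalf of user.

    Mirrors the "double internal login": look up both principals, then keep
    only the user's roles that the client is allowed to assume. Unknown or
    non-OAuth clients are rejected so a misregistered client never receives
    the user's full role set.
    """
    client_roles = mapping.get(client_id, set())
    if "oauth" not in client_roles:
        raise PermissionError(f"{client_id!r} is not a registered OAuth client")
    user_roles = set(mapping.get(user, set()))
    allowed = client_roles - {"oauth"}
    if "*" in allowed:           # wildcard: client may assume any user role
        return user_roles
    return user_roles & allowed  # otherwise only the intersection


if __name__ == "__main__":
    m = parse_roles(ROLES_PROPERTIES)
    print(token_roles(m, "bburke@redhat.com", "third-party"))    # user and products
    print(token_roles(m, "bburke@redhat.com", "reporting-app"))  # products only
```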