[jboss-as7-dev] [Resteasy-users] OAuth2 example - different roles per REST Method

Bill Burke bburke at redhat.com
Wed Apr 17 08:57:52 EDT 2013 

Just looks like it does authentication, not authorization.

Resteasy Skeleton key generates signed tokens that contain role 
mappings.  A key that can be retransmitted and verified locally using 
the public key of the auth server.  Its tightly integrated with JBoss AS 
leveraging any existing JBoss Login Module. Role mappings and identity 
are mapped to internal JBoss security model so that all component layers 
can leverage it.  Finally, it supports SSO.  Login in once, access any 
app on any host securely.

But, if you do decide to use oltu, would be cool to know what made you 
switch.

On 4/17/2013 2:49 AM, Heiko Braun wrote:
>
> Have you considered http://oltu.apache.org for the oauth2 support? I think we have committers on that already (jfclere)..
>
>
> On Apr 16, 2013, at 8:32 PM, Bill Burke <bburke at redhat.com> wrote:
>
>> Yeah, I don't have time to work on this now.  You'd have to post both
>> user id, client id, and credentials of both.  It would work similarly to
>> the oauth example.  You'd use the role mapping for the client-id to
>> filter the ones from the user role mappings.  To do this you'd do a
>> double internal login for the user/client to get their perspective role
>> mappings.  If I'm making any sense....
>>
>> You'd add a new method modified on the tokenGrant() method contained in
>> this file:
>>
>> https://github.com/resteasy/Resteasy/blob/3.0-beta-4/jaxrs/security/skeleton-key-idm/skeleton-key-as7/src/main/java/org/jboss/resteasy/skeleton/key/as7/OAuthAuthenticationServerValve.java
>>
>> BTW, this is ugly-ass code.  Its very hacky.  At the time, it seemed
>> like the only way I could do this and leverage JBoss's existing security
>> infrastructure.
>>
>> On 4/16/2013 2:20 PM, Doug Schnelzer wrote:
>>> That's exactly what we want to do.  Could we take what is available in
>>> the current implementation and put something together?  I'm happy to
>>> work on it.  A pointer in the right direction would be great.
>>>
>>> Thanks, Doug
>>>
>>> On Tue, Apr 16, 2013 at 2:15 PM, Bill Burke <bburke at redhat.com
>>> <mailto:bburke at redhat.com>> wrote:
>>>
>>>     So you want to specify user, client-id, and their credentials and get
>>>     back a token that is limited to what the client-id is allowed to get?
>>>     All in one request?  I don't have an API for this at the moment.
>>>
>>>     On 4/16/2013 11:50 AM, Doug Schnelzer wrote:
>>>> So continuing to peel back the onion... and getting somewhere...
>>>>
>>>> Thanks for the pointers.  I re-read the docs especially around
>>>>
>>>>
>>>     http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454
>>>>
>>>> I noticed that the commerce-roles.properties for the current OAuth2
>>>> examples has the following:
>>>>
>>>> bburke at redhat.com <mailto:bburke at redhat.com>
>>>     <mailto:bburke at redhat.com <mailto:bburke at redhat.com>>=user,products
>>>> admin=admin
>>>> customer-portal=login
>>>> product-portal=login
>>>> third-party=oauth,*
>>>>
>>>> I see that the oauth-client-example project is using the client-id
>>>> "third-party" which is specified in
>>>> the org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized().
>>>>   What I want to do is to get a bearer tokan programmatically as
>>>     is done
>>>> in as is done in the client-grant example
>>>> (i.e.
>>>     org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
>>>> ) but I want to specify the client-id so that I can limit the
>>>     roles that
>>>> are encoded in the bearer token.  My assumption is that
>>>> since
>>>     org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
>>>> is using basic authentication to the auth server that the bearer
>>>     token
>>>> returned will have all roles for bburke at redhat.com
>>>     <mailto:bburke at redhat.com>
>>>> <mailto:bburke at redhat.com <mailto:bburke at redhat.com>>.
>>>>
>>>> So my question is can I easily modify the
>>>> ProductDatabaseClient.getProducts() so that I am specifying a
>>>     client-id
>>>> for the resulting bearer token and if so can you point at the
>>>     right part
>>>> of the API that I should be looking at?
>>>>
>>>> Thanks much,
>>>> Doug
>>>>
>>>> On Tue, Apr 16, 2013 at 9:33 AM, Bill Burke <bburke at redhat.com
>>>     <mailto:bburke at redhat.com>
>>>> <mailto:bburke at redhat.com <mailto:bburke at redhat.com>>> wrote:
>>>>
>>>>     OAuth2 does not define the token format.  We have defined our
>>>     own token
>>>>     format that transmits signed role-mapping metadata.
>>>>
>>>>     Check this out:
>>>>
>>>>
>>>     http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454
>>>>
>>>>     An "Oauth client" in skeleton key can be assigned a set of
>>>     roles that it
>>>>     is allowed to assume.  So, even though a specific user might have
>>>>     "admin" and "user" permissions, you can specify in the "oauth
>>>     client"
>>>>     role mapping that the "oauth client" is only allowed to
>>>     assume "user"
>>>>     permissions.  Please read the linked documentation and get
>>>     back to this
>>>>     list if you have more questions.
>>>>
>>>>     FYI, because our OAuth2 code reuses and is built on top of
>>>     JBoss's
>>>>     existing Security Domain APIs there's only so much
>>>     flexibility that can
>>>>     be provided.  In the future, I have plans to leverage the new
>>>     IDM API in
>>>>     AS8 so that you can do more complex role mappings and OAuth2
>>>     scopes .
>>>>     Right now you're limited to what the documentation specifies.
>>>       Please
>>>>     get back to me.  I want to know if what we have is good
>>>     enough for now,
>>>>     or if it is unusable.
>>>>
>>>>     On 4/16/2013 9:17 AM, Doug Schnelzer wrote:
>>>>> Thanks.  As a follow up, I'd like to request a bearer
>>>     token but limit
>>>>> the Roles identified in the bearer token.  I'm looking
>>>>> at org.jboss.resteasy.example.oauth.ProductDatabaseClient.
>>>       Would
>>>>     it be
>>>>> right to look that the Access Token Scope to try and
>>>     accomplish this.
>>>>>   What I'm trying to do is have a set of REST services
>>>     protected
>>>>     using
>>>>> the @RolesAllowed and a less sensitive role.  Even though the
>>>>     Resource
>>>>> Owner may have access to more sensitive roles, I don't wan
>>>     the bearer
>>>>> token being given to the client to have all of these
>>>     roles.  I'm
>>>>     working
>>>>> my way through
>>>>> org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and
>>>>     mapping
>>>>> to the OAuth2 spec, but would welcome any guidance
>>>     pointing me in the
>>>>> right direction.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>     --
>>>>     Bill Burke
>>>>     JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> jboss-as7-dev mailing list
>> jboss-as7-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the jboss-as7-dev mailing list