[security-dev] IDM: REST API

Anil Saldhana Anil.Saldhana at redhat.com
Mon Dec 10 12:56:50 EST 2012

   I am unsure if storing an aspect of an user as its attribute is 
hacking.  OtherNames used is an attribute of the user.

Each of our identity type constructs have attributes  - user,role,group, 
application,tier,partition etc.

Integration projects such as RESTEasy or GateIn or OAuth need to see if 
some of their usecases can be stored as attributes of identity type(s).  
This becomes an integration decision of the project.  We do not want IDM 
to be bloated one size fits all, a strategy which has failed in the 


On 12/10/2012 09:26 AM, Bill Burke wrote:
> Hacking the IDM model to support a new use case is a bad idea,
> especially considering the IDM API is in incubation.  I've also
> discovered additional use cases that would requiring "hacking" the
> model, specifically OAuth grants.  I'm sure others have discovered
> additional metadata they want to store.  Fix the model, don't hack it!
> As far as the user model goes in a cloud service, global users make make
> sense, but global credentails may not. Different realms will have
> different auth requirements.  Some may be solely password based, others
> may have more complex requirements.  They may also have different
> policies as well for lost passwords, etc.
> On 12/7/2012 5:25 PM, Anil Saldhana wrote:
>> Can we just not use the attributes on the User?  Such as "otherNames" to identify the different usernames, he may have used?
>> SCIM comes into picture wherein one cloud provider/service wants to create accounts for users in the other cloud provider/service. Some trust agreements have to be in place between the two cloud providers.
>> ----- Original Message -----
>> From: "Pedro Igor Silva" <psilva at redhat.com>
>> To: "Anil Saldhana" <anil.saldhana at redhat.com>
>> Cc: security-dev at lists.jboss.org
>> Sent: Friday, December 7, 2012 4:15:00 PM
>> Subject: Re: [security-dev] IDM: REST API
>> They use a id/externalId/userName to identify users. Not sure if we have that in PL.
>> Maybe this is a important thing to consider given that:
>>       * User can have different identifiers (eg.: username) for each cloud application. How we know that a specific username maps to a single person ?
>>       * During the authentication each application may require one of the user's identifier.
>> Let's get the following example:
>>       * John is a person. For application A he is using a username "john". For application B he is using "john2012".
>> This solution can be very important when *auditing* user actions. That way we can map different identifiers to a single person. Considering a cloud and heterogeneous environment.
>> Regards.
>> Pedro Igor
>> ----- Original Message -----
>> From: "Anil Saldhana" <asaldhan at redhat.com>
>> To: security-dev at lists.jboss.org
>> Sent: Friday, December 7, 2012 6:53:46 PM
>> Subject: [security-dev] IDM: REST API
>> http://www.simplecloud.info/
>> SCIM is very popular for user provisioning using REST.

More information about the security-dev mailing list