[security-dev] IDM: REST API

Bill Burke bburke at redhat.com
Tue Dec 11 09:28:59 EST 2012

Real life scenario is OAuth (1 or 2)

On 12/10/2012 5:34 PM, Shane Bryzak wrote:
> On 12/11/2012 05:18 AM, Bill Burke wrote:
>> On 12/10/2012 1:47 PM, Darran Lofthouse wrote:
>>> On 12/10/2012 06:37 PM, Bill Burke wrote:
>>>> * Granting specific access to somebody so they can act on behalf of you
>>>> seems like a pretty compelling cross-cutting use case that should be
>>>> supported in the model.
>>> That is something that is coming up for AS7 as well we are close to the
>>> point where we need to define which users can act on the behalf of other
>>> users.
>> (I said this before).  In my prototype, i have something like a role
>> mapping, but it is a list of roles a user is allowed to ask another user
>> to grant for them.  This is the change in the meta model I'd need for
>> this type of data, otherwise, i'm just hacking the identity model.
> I'm going to need a way more descriptive use case than this to ensure
> that we're addressing this requirement.  Bill, would you mind writing
> something up that includes all the details plus a real life scenario?

As Anil already said, the real life scenario is OAuth (1 or 2).  The 
idea is that grant requesters are only authorized to ask for specific 
permissions and not *any* permission (OAuth "scope").  While scope is 
not required by OAuth, there's really two reasons I want this metadata:

1. To prevent grant requesters from asking for permissions they really 
shouldn't be asking for i.e. admin privleges

2. If this metadata is held in the IDM, then the grant requester doesn't 
need to know about or specify this metadata.  One less thing you have to 

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list