1:32 p.m.
Yeah, I don't have time to work on this now. You'd have to post both
user id, client id, and credentials of both. It would work similarly to
the oauth example. You'd use the role mapping for the client-id to
filter the ones from the user role mappings. To do this you'd do a
double internal login for the user/client to get their perspective role
mappings. If I'm making any sense....
You'd add a new method modified on the tokenGrant() method contained in
this file:
https://github.com/resteasy/Resteasy/blob/3.0-beta-4/jaxrs/security/skele...
BTW, this is ugly-ass code. Its very hacky. At the time, it seemed
like the only way I could do this and leverage JBoss's existing security
infrastructure.
On 4/16/2013 2:20 PM, Doug Schnelzer wrote:
That's exactly what we want to do. Could we take what is
available in
the current implementation and put something together? I'm happy to
work on it. A pointer in the right direction would be great.
Thanks, Doug
On Tue, Apr 16, 2013 at 2:15 PM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
So you want to specify user, client-id, and their credentials and get
back a token that is limited to what the client-id is allowed to get?
All in one request? I don't have an API for this at the moment.
On 4/16/2013 11:50 AM, Doug Schnelzer wrote:
> So continuing to peel back the onion... and getting somewhere...
>
> Thanks for the pointers. I re-read the docs especially around
>
>
http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html...
>
> I noticed that the commerce-roles.properties for the current OAuth2
> examples has the following:
>
> bburke(a)redhat.com <mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>=user,products
> admin=admin
> customer-portal=login
> product-portal=login
> third-party=oauth,*
>
> I see that the oauth-client-example project is using the client-id
> "third-party" which is specified in
> the org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized().
> What I want to do is to get a bearer tokan programmatically as
is done
> in as is done in the client-grant example
> (i.e.
org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
> ) but I want to specify the client-id so that I can limit the
roles that
> are encoded in the bearer token. My assumption is that
> since
org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
> is using basic authentication to the auth server that the bearer
token
> returned will have all roles for bburke(a)redhat.com
<mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>.
>
> So my question is can I easily modify the
> ProductDatabaseClient.getProducts() so that I am specifying a
client-id
> for the resulting bearer token and if so can you point at the
right part
> of the API that I should be looking at?
>
> Thanks much,
> Doug
>
> On Tue, Apr 16, 2013 at 9:33 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
>
> OAuth2 does not define the token format. We have defined our
own token
> format that transmits signed role-mapping metadata.
>
> Check this out:
>
>
http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html...
>
> An "Oauth client" in skeleton key can be assigned a set of
roles that it
> is allowed to assume. So, even though a specific user might have
> "admin" and "user" permissions, you can specify in the
"oauth
client"
> role mapping that the "oauth client" is only allowed to
assume "user"
> permissions. Please read the linked documentation and get
back to this
> list if you have more questions.
>
> FYI, because our OAuth2 code reuses and is built on top of
JBoss's
> existing Security Domain APIs there's only so much
flexibility that can
> be provided. In the future, I have plans to leverage the new
IDM API in
> AS8 so that you can do more complex role mappings and OAuth2
scopes .
> Right now you're limited to what the documentation specifies.
Please
> get back to me. I want to know if what we have is good
enough for now,
> or if it is unusable.
>
> On 4/16/2013 9:17 AM, Doug Schnelzer wrote:
> > Thanks. As a follow up, I'd like to request a bearer
token but limit
> > the Roles identified in the bearer token. I'm looking
> > at org.jboss.resteasy.example.oauth.ProductDatabaseClient.
Would
> it be
> > right to look that the Access Token Scope to try and
accomplish this.
> > What I'm trying to do is have a set of REST services
protected
> using
> > the @RolesAllowed and a less sensitive role. Even though the
> Resource
> > Owner may have access to more sensitive roles, I don't wan
the bearer
> > token being given to the client to have all of these
roles. I'm
> working
> > my way through
> > org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and
> mapping
> > to the OAuth2 spec, but would welcome any guidance
pointing me in the
> > right direction.
> >
> >
> >
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com