I'm not sure we need to do anything special with the identity model at
this time to support this. We can probably implement it as a
"supplemental" feature that works in conjunction with the IDM identity
model.
On 12/04/2012 07:46 AM, Bill Burke wrote:
Hey all,
Looking at and implementing OAuth use cases, I've realized there's an
additional piece of metadata that may not fit into the current identity
model.
In OAuth a client can ask for specific permissions to access a protected
resource on behalf of a user. This is called the "scope". Clients are
registered with the auth server. You probably want to limit the "scope"
a client is allowed to ask for. For example, you probably don't want to
allow clients to ask for "admin" privileges as a user may accidentally
grant them those permissions.
So, the identity model changes. Scope looks a lot like a role mapping,
but it isn't a role mapping. It is a set of roles one user is allowed
to grant to another. Do you think this fits in the current model?
Thanks,
Bill
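The restriction Bill describes, a registered client limited in which scopes it may request and a user able to delegate only roles they hold, as an added example that is not part of the thread or of any project's code; the client registry, user record and scope names are constructed for illustration:

```python
"""Scope-restriction check for an OAuth authorization request.

Constructed example: a registered client carries the set of scopes it may
ask for, and a user carries the roles they actually hold. The server
rejects a request that reaches beyond the client's registration, then
grants only the scopes the user can actually delegate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    allowed_scopes: frozenset  # scopes this client is permitted to request


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset  # roles the user holds and can therefore delegate


class InvalidScope(ValueError):
    """Raised when a client asks for scopes beyond its registration."""


def parse_scope(scope_param: str) -> frozenset:
    # The OAuth 2.0 scope parameter is a space-delimited list of tokens.
    return frozenset(s for s in scope_param.split(" ") if s)


def authorize_scope(client: RegisteredClient, user: User, scope_param: str) -> frozenset:
    """Return the scopes to grant, or raise if the client over-reaches."""
    requested = parse_scope(scope_param)
    over_reach = requested - client.allowed_scopes
    if over_reach:
        # Refuse outright: the user must never be shown a consent prompt for
        # a scope the client was not registered to ask for (e.g. "admin").
        raise InvalidScope(f"client {client.client_id} may not request {sorted(over_reach)}")
    # Scope is a set of roles the user delegates to the client, so a user
    # cannot hand out a role they do not hold: keep only their own roles.
    return requested & user.roles


# Constructed registry: "admin" is deliberately absent from the client's allowed set.
CLIENTS = {"photo-app": RegisteredClient("photo-app", frozenset({"read:photos", "write:photos"}))}
USERS = {"alice": User("alice", frozenset({"read:photos", "admin"}))}
```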