[security-dev] oauth scope effect on data model
Bill Burke
bburke at redhat.com
Mon Dec 3 16:46:13 EST 2012
Hey all,
Looking at and implementing OAuth use cases, I've realized there's an
additional piece of metadata that may not fit into the current identity
model.
In OAuth a client can ask for specific permissions to access a protected
resource on behalf of a user. This is called the "scope". Clients are
registered with the auth server. You probably want to limit the "scope"
a client is allowed to ask for. For example, you probably don't want to
allow clients to ask for "admin" privileges as a user may accidentally
grant them those permissions.
So, the identity model changes. Scope looks a lot like a role mapping,
but it isn't a role mapping. It is a set of roles one user is allowed
to grant to another. Do you think this fits in the current model?
Thanks,
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
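The model Bill sketches above (a client registered with the auth server, a per-client limit on the scope it may request, and scope as the set of roles a user is allowed to delegate) can be made concrete in a few lines. The following is an added illustration, not code from the security-dev project or from Bill's message; the `Client`, `User`, `ScopeError` and `authorize` names, and the rule that a user can only delegate roles they themselves hold, are assumptions made for the example. It parses the space-separated scope string of an authorization request, rejects any scope the client is not registered for, and then intersects what remains with the user's own roles so that the token never carries a role the user could not have granted.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Client:
    """A client registered with the auth server.

    allowed_scopes is the 'scope a client is allowed to ask for': the set of
    roles this client may request on behalf of a user. It is not a role
    mapping for the client itself (assumed model, see lead-in).
    """
    client_id: str
    allowed_scopes: FrozenSet[str]


@dataclass(frozen=True)
class User:
    """A resource owner and the roles actually mapped to them."""
    username: str
    roles: FrozenSet[str]


class ScopeError(Exception):
    """Raised when a client asks for scope it is not registered for."""


def parse_scope(scope_param: str) -> FrozenSet[str]:
    """Split the space-delimited OAuth 'scope' request parameter."""
    return frozenset(s for s in scope_param.split(" ") if s)


def validate_requested_scope(client: Client, requested: FrozenSet[str]) -> None:
    """Reject the request outright if any scope is outside the client's limit.

    Failing closed here is what keeps an 'admin' scope from ever reaching the
    consent screen where a user might accidentally grant it.
    """
    disallowed = requested - client.allowed_scopes
    if disallowed:
        raise ScopeError(
            f"client {client.client_id!r} may not request "
            f"{sorted(disallowed)}"
        )


def effective_scope(client: Client, user: User, requested: FrozenSet[str]) -> FrozenSet[str]:
    """Scope that may actually be granted to the client for this user.

    Two limits apply: the client's registered limit (validated above) and the
    user's own roles, since a user cannot delegate a role they do not hold.
    """
    validate_requested_scope(client, requested)
    return requested & user.roles


def authorize(
    registry: Dict[str, Client], client_id: str, user: User, scope_param: str
) -> FrozenSet[str]:
    """Authorization-endpoint check: look up the client, then narrow the scope."""
    client = registry.get(client_id)
    if client is None:
        raise ScopeError(f"unknown client {client_id!r}")
    return effective_scope(client, user, parse_scope(scope_param))


# Constructed sample data for the demonstration below.
REGISTRY: Dict[str, Client] = {
    "photo-printer": Client("photo-printer", frozenset({"read:photos", "write:orders"})),
}
ALICE = User("alice", frozenset({"read:photos", "write:orders", "admin"}))
BOB = User("bob", frozenset({"read:photos"}))


if __name__ == "__main__":
    print(sorted(authorize(REGISTRY, "photo-printer", ALICE, "read:photos write:orders")))
    print(sorted(authorize(REGISTRY, "photo-printer", BOB, "read:photos write:orders")))
    try:
        authorize(REGISTRY, "photo-printer", ALICE, "read:photos admin")
    except ScopeError as exc:
        print("rejected:", exc)
```

Note the two distinct checks: the client-level limit is enforced before any consent interaction, while the user-level intersection is applied afterwards, so a client that is allowed to ask for a role still only receives it for users who actually hold it.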