[security-dev] oauth scope effect on data model
Bill Burke
bburke at redhat.com
Mon Dec  3 16:46:13 EST 2012

Hey all,

Looking at and implementing OAuth use cases, I've realized there's an 
additional piece of metadata that may not fit into the current identity 
model.

In OAuth a client can ask for specific permissions to access a protected 
resource on behalf of a user.  This is called the "scope".  Clients are 
registered with the auth server.  You probably want to limit the "scope" 
a client is allowed to ask for.  For example, you probably don't want to 
allow clients to ask for "admin" privileges as a user may accidentally 
grant them those permissions.

So, the identity model changes.  Scope looks a lot like a role mapping, 
but it isn't a role mapping.  It is a set of roles one user is allowed 
to grant to another.  Do you think this fits in the current model?

Thanks,
Bill
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
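The following is an added illustration, not code from the post or from any Red Hat project, of the data-model distinction Bill raises: a user's role mapping (roles the user holds) versus a registered client's allowed scope (roles that client may ask a user to delegate). It also shows the two checks an authorization server would apply to a request: refuse any scope outside the client's registration before the user ever sees a consent screen, and never let a user delegate a role they do not hold. All names (`Realm`, `Client`, `authorize`, the sample users and clients) are hypothetical and the data is constructed for the example.

```python
"""Added example: identity model with per-client allowed scope.

Not the project's own model or API; every name here is hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    # Role mapping: the roles this user actually holds.
    roles: frozenset


@dataclass(frozen=True)
class Client:
    client_id: str
    # Not a role mapping: the roles this registered client is permitted to
    # ask a user to delegate. Anything outside this set is refused before
    # the user is asked for consent, so it cannot be granted by accident.
    allowed_scope: frozenset


class ScopeError(Exception):
    """A client asked for scope it was not registered for."""


@dataclass
class Realm:
    users: dict = field(default_factory=dict)
    clients: dict = field(default_factory=dict)

    def disallowed_scope(self, client_id, requested_scope):
        """Return the part of `requested_scope` the client may not request.

        An empty set means the request is within the client's registration.
        """
        client = self.clients[client_id]
        return frozenset(requested_scope) - client.allowed_scope

    def authorize(self, client_id, user_name, requested_scope):
        """Return the roles that go into a token for `client_id` acting on
        behalf of `user_name`, or raise ScopeError.

        1. The client may only request scope inside its allowed_scope.
        2. The user can only delegate roles they hold, so the effective
           scope is requested_scope intersected with the user's roles.
        """
        over = self.disallowed_scope(client_id, requested_scope)
        if over:
            raise ScopeError(
                f"client {client_id!r} may not request {sorted(over)}")
        user = self.users[user_name]
        return frozenset(requested_scope) & user.roles


def demo_realm():
    """Constructed sample data (hypothetical users, clients and roles)."""
    realm = Realm()
    realm.users["alice"] = User("alice", frozenset({"user", "admin", "photos:read"}))
    realm.users["bob"] = User("bob", frozenset({"user"}))
    # A photo-sharing client registered without the right to ask for admin.
    realm.clients["photo-app"] = Client("photo-app", frozenset({"user", "photos:read"}))
    # An operations console that is allowed to ask for admin delegation.
    realm.clients["ops-console"] = Client("ops-console", frozenset({"user", "admin"}))
    return realm


if __name__ == "__main__":
    realm = demo_realm()
    print(sorted(realm.authorize("photo-app", "alice", ["user", "photos:read"])))
    print(sorted(realm.disallowed_scope("photo-app", ["user", "admin"])))
    # bob does not hold "admin", so only "user" survives the intersection.
    print(sorted(realm.authorize("ops-console", "bob", ["user", "admin"])))
```

The first check keys off the client's registration, not the user's roles, which is the point of the extra metadata: an "admin" user talking to `photo-app` is never even asked whether to delegate "admin", because that client was never allowed to request it.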