[security-dev] oauth scope effect on data model

Shane Bryzak sbryzak at redhat.com
Tue Dec 4 20:09:52 EST 2012


I'm not sure we need to do anything special with the identity model at 
this time to support this.  We can probably implement it as a 
"supplemental" feature that works in conjunction with the IDM identity 
model.

On 12/04/2012 07:46 AM, Bill Burke wrote:
> Hey all,
>
> Looking at and implementing OAuth use cases, I've realized there's an
> additional piece of metadata that may not fit into the current identity
> model.
>
> In OAuth a client can ask for specific permissions to access a protected
> resource on behalf of a user.  This is called the "scope".  Clients are
> registered with the auth server.  You probably want to limit the "scope"
> a client is allowed to ask for.  For example, you probably don't want to
> allow clients to ask for "admin" privileges as a user may accidentally
> grant them those permissions.
>
> So, the identity model changes.  Scope looks a lot like a role mapping,
> but it isn't a role mapping.  It is a set of roles one user is allowed
> to grant to another.  Do you think this fits in the current model?
>
> Thanks,
>
> Bill
>
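Bill's two limits (what a client is registered to ask for, and what a user actually holds and can therefore delegate) as a small runnable model. This is an added example, not PicketLink code and not code from either poster. It assumes a client record carrying an allowed_scopes set, a NON_DELEGABLE_ROLES policy that keeps "admin" out of any client registration, and the names register_client, authorize and is_request_allowed; sample clients and users are constructed inline.

```python
"""Illustrative model of OAuth 'scope' limits layered on a role-based
identity model (example code, not PicketLink's own). Assumed names:
RegisteredClient, User, ScopeError, register_client, authorize."""

from dataclasses import dataclass

# Assumed policy: roles that no client may ever be allowed to request,
# so a user cannot delegate them by accident during consent.
NON_DELEGABLE_ROLES = frozenset({"admin"})


@dataclass(frozen=True)
class RegisteredClient:
    """A client registered with the authorization server, together with
    the scopes it is permitted to ask for."""
    client_id: str
    allowed_scopes: frozenset


@dataclass(frozen=True)
class User:
    """A user and the roles the identity model maps to them."""
    username: str
    roles: frozenset


class ScopeError(ValueError):
    """Corresponds to the OAuth 2.0 'invalid_scope' error response."""


def parse_scope(scope_param: str) -> frozenset:
    """The OAuth 2.0 scope parameter is a space-delimited list of tokens."""
    return frozenset(token for token in scope_param.split(" ") if token)


def register_client(client_id: str, allowed_scopes) -> RegisteredClient:
    """Refuse a registration that would let the client ask for a
    non-delegable role; the limit is enforced once, at registration,
    rather than re-derived on every authorization request."""
    allowed = frozenset(allowed_scopes)
    forbidden = allowed & NON_DELEGABLE_ROLES
    if forbidden:
        raise ScopeError("client %s may not be allowed to request %s"
                         % (client_id, sorted(forbidden)))
    return RegisteredClient(client_id, allowed)


def authorize(client: RegisteredClient, user: User, scope_param: str) -> frozenset:
    """Return the scope actually granted for this request, or raise.

    1. The client must not ask for anything outside its registered
       allowed_scopes. That is a hard failure (invalid_scope), not a
       silent narrowing, so a misbehaving client stays visible.
    2. The user can only delegate roles they hold, so the grant is the
       intersection of the request with the user's role mapping. RFC 6749
       allows the server to issue a narrower scope than requested as long
       as the issued scope is reported back to the client.
    """
    requested = parse_scope(scope_param)
    if not requested:
        raise ScopeError("empty scope")
    disallowed = requested - client.allowed_scopes
    if disallowed:
        raise ScopeError("client %s is not allowed to request %s"
                         % (client.client_id, sorted(disallowed)))
    granted = requested & user.roles
    if not granted:
        raise ScopeError("user %s holds none of the requested roles"
                         % user.username)
    return granted


def is_request_allowed(client: RegisteredClient, user: User, scope_param: str) -> bool:
    """Yes/no form of authorize() for callers that only need a decision."""
    try:
        authorize(client, user, scope_param)
        return True
    except ScopeError:
        return False


if __name__ == "__main__":
    # Constructed sample data.
    app = register_client("mobile-app", {"read", "write"})
    alice = User("alice", frozenset({"read", "write", "admin"}))
    bob = User("bob", frozenset({"read"}))
    print(sorted(authorize(app, alice, "read write")))   # ['read', 'write']
    print(sorted(authorize(app, bob, "read write")))     # ['read']
    print(is_request_allowed(app, alice, "read admin"))  # False
```

The registration-time check is where the "set of roles one user is allowed to grant to another" lives: it is data attached to the client, not a role mapping on any user, which is why it can sit beside the IDM model rather than inside it.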