[security-dev] oauth scope effect on data model
Shane Bryzak
sbryzak at redhat.com
Tue Dec 4 20:09:52 EST 2012
I'm not sure we need to do anything special with the identity model at
this time to support this. We can probably implement it as a
"supplemental" feature that works in conjunction with the IDM identity
model.
On 12/04/2012 07:46 AM, Bill Burke wrote:
> Hey all,
>
> Looking at and implementing OAuth use cases, I've realized there's an
> additional piece of metadata that may not fit into the current identity
> model.
>
> In OAuth a client can ask for specific permissions to access a protected
> resource on behalf of a user. This is called the "scope". Clients are
> registered with the auth server. You probably want to limit the "scope"
> a client is allowed to ask for. For example, you probably don't want to
> allow clients to ask for "admin" privileges as a user may accidentally
> grant them those permissions.
>
> So, the identity model changes. Scope looks a lot like a role mapping,
> but it isn't a role mapping. It is a set of roles one user is allowed
> to grant to another. Do you think this fits in the current model?
>
> Thanks,
>
> Bill
>
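As an added example, not code from this thread, from PicketLink, or from either author: a small model of the restriction Bill describes, where a client's registered scope bounds what it may ask a user to delegate and the user's own role mapping bounds what can actually be handed over. The Client and User classes, the role names and the sample data are assumptions made up for the illustration.

```python
"""Constructed example: OAuth scope as a bound on delegable roles,
kept separate from the user's own IDM role mapping."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_scope: frozenset  # roles this client may request (fixed at registration)


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset  # the IDM role mapping: roles the user actually holds


class ScopeError(ValueError):
    """Raised when a client asks for roles outside its registered scope."""


def scope_violations(client: Client, requested: set) -> frozenset:
    """Roles in the request that the client was never registered to ask for."""
    return frozenset(requested) - client.allowed_scope


def grant_scope(client: Client, user: User, requested: set) -> frozenset:
    """Return the roles the user may delegate to the client for this request.

    Requests outside the registered scope are rejected outright rather than
    silently narrowed, so an unregistered "admin" request shows up as a policy
    violation instead of quietly succeeding if the user happens to be an admin.
    Within policy, the grant is narrowed to roles the user really holds: scope
    delegates existing privilege, it never creates new privilege.
    """
    if not requested:
        raise ScopeError("empty scope request")
    bad = scope_violations(client, requested)
    if bad:
        raise ScopeError(f"client {client.client_id} may not request {sorted(bad)}")
    return frozenset(requested) & user.roles


# Constructed sample data (assumed, not from the thread).
PHOTO_APP = Client("photo-app", frozenset({"read_photos", "write_photos"}))
ALICE = User("alice", frozenset({"read_photos", "write_photos", "admin"}))
BOB = User("bob", frozenset({"read_photos"}))

if __name__ == "__main__":
    print(sorted(grant_scope(PHOTO_APP, ALICE, {"read_photos", "write_photos"})))
    print(sorted(grant_scope(PHOTO_APP, BOB, {"read_photos", "write_photos"})))
    print(sorted(scope_violations(PHOTO_APP, {"admin", "read_photos"})))
```

Alice being an admin does not let photo-app obtain "admin": the registered scope, not the user's role mapping, decides what may be requested.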