[security-dev] IDM: REST API

Darran Lofthouse darran.lofthouse at jboss.com
Mon Dec 10 13:45:16 EST 2012


On 12/10/2012 05:56 PM, Anil Saldhana wrote:
> Bill,
>     I am unsure if storing an aspect of a user as its attribute is
> hacking.  OtherNames used is an attribute of the user.

The topic of multiple credentials against a single user is something I 
raised on another thread, but for one scenario I am thinking about, it 
would still need to be a 1:1 mapping between the username used and the 
credential stored.

> Each of our identity type constructs has attributes - user, role, group,
> application, tier, partition etc.
>
> Integration projects such as RESTEasy or GateIn or OAuth need to see if
> some of their usecases can be stored as attributes of identity type(s).
> This becomes an integration decision of the project.  We do not want IDM
> to be bloated one size fits all, a strategy which has failed in the
> industry.
>
> Regards,
> Anil
>
> On 12/10/2012 09:26 AM, Bill Burke wrote:
>> Hacking the IDM model to support a new use case is a bad idea,
>> especially considering the IDM API is in incubation.  I've also
>> discovered additional use cases that would require "hacking" the
>> model, specifically OAuth grants.  I'm sure others have discovered
>> additional metadata they want to store.  Fix the model, don't hack it!
>>
>> As far as the user model goes in a cloud service, global users make
>> sense, but global credentials may not. Different realms will have
>> different auth requirements.  Some may be solely password based, others
>> may have more complex requirements.  They may also have different
>> policies as well for lost passwords, etc.
>>
>>
>>
>> On 12/7/2012 5:25 PM, Anil Saldhana wrote:
>>> Can we just not use the attributes on the User?  Such as "otherNames" to identify the different usernames he may have used?
>>>
>>> SCIM comes into picture wherein one cloud provider/service wants to create accounts for users in the other cloud provider/service. Some trust agreements have to be in place between the two cloud providers.
>>>
>>> ----- Original Message -----
>>> From: "Pedro Igor Silva" <psilva at redhat.com>
>>> To: "Anil Saldhana" <anil.saldhana at redhat.com>
>>> Cc: security-dev at lists.jboss.org
>>> Sent: Friday, December 7, 2012 4:15:00 PM
>>> Subject: Re: [security-dev] IDM: REST API
>>>
>>> They use an id/externalId/userName to identify users. Not sure if we have that in PL.
>>>
>>> Maybe this is an important thing to consider given that:
>>>
>>>        * User can have different identifiers (eg.: username) for each cloud application. How do we know that a specific username maps to a single person?
>>>        * During the authentication each application may require one of the user's identifiers.
>>>
>>> Let's get the following example:
>>>
>>>        * John is a person. For application A he is using a username "john". For application B he is using "john2012".
>>>
>>> This solution can be very important when *auditing* user actions. That way we can map different identifiers to a single person, considering a cloud and heterogeneous environment.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> ----- Original Message -----
>>> From: "Anil Saldhana" <asaldhan at redhat.com>
>>> To: security-dev at lists.jboss.org
>>> Sent: Friday, December 7, 2012 6:53:46 PM
>>> Subject: [security-dev] IDM: REST API
>>>
>>> http://www.simplecloud.info/
>>>
>>> SCIM is very popular for user provisioning using REST.
>
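The point of contention in the thread is whether a multi-valued "otherNames" attribute on the user is enough to map per-application usernames back to one person, as Pedro's audit use case requires. The following is an added example, not code from this thread, from PicketLink or from the SCIM specification: it loads a constructed set of users loosely shaped like SCIM core User resources (id, externalId, userName, as Pedro mentions), with an assumed "otherNames" attribute whose entries record which application each name is used in, and then resolves constructed audit lines two ways. The naive index keyed on the bare username shows why a flat list of names is not sufficient: the same username can belong to different people in different applications, so only a (application, username) key gives the 1:1 mapping Darran asks for. All names, the audit line format and the resolver functions are assumptions of this example.

```python
import json
from dataclasses import dataclass, field

# Constructed sample data, loosely shaped like SCIM core User resources
# (id, externalId, userName). "otherNames" is the attribute proposed in the
# thread; tagging each entry with the application it is used in is an
# assumption of this example, not part of SCIM.
USERS_JSON = """
[
  {"id": "u-1", "externalId": "hr-1001", "userName": "john",
   "otherNames": [{"application": "A", "value": "john"},
                  {"application": "B", "value": "john2012"}]},
  {"id": "u-2", "externalId": "hr-1002", "userName": "john.smith",
   "otherNames": [{"application": "B", "value": "john"}]}
]
"""

# Constructed audit lines: the application that logged the event, then the
# username as that application saw it. Format is assumed for this example.
AUDIT_LINES = [
    "A login user=john",
    "B login user=john2012",
    "B login user=john",
    "C login user=john",
]


@dataclass
class Person:
    id: str
    external_id: str
    user_name: str
    names: dict = field(default_factory=dict)  # application -> username


def load_users(raw):
    """Parse the JSON user list into Person objects."""
    people = []
    for obj in json.loads(raw):
        person = Person(obj["id"], obj["externalId"], obj["userName"])
        for entry in obj.get("otherNames", []):
            person.names[entry["application"]] = entry["value"]
        people.append(person)
    return people


def index_by_name_only(people):
    """Naive index: username -> set of person ids, ignoring the application.
    A name reused across applications collides here."""
    index = {}
    for person in people:
        for name in [person.user_name, *person.names.values()]:
            index.setdefault(name, set()).add(person.id)
    return index


def index_by_app_and_name(people):
    """Index keyed on (application, username). Refuses to build if two
    different people claim the same name within one application."""
    index = {}
    for person in people:
        for app, name in person.names.items():
            key = (app, name)
            if key in index and index[key] != person.id:
                raise ValueError(f"{key} is claimed by both {index[key]} and {person.id}")
            index[key] = person.id
    return index


def parse_audit_line(line):
    """Split 'APP event user=NAME' into (APP, NAME)."""
    app, _event, kv = line.split(" ", 2)
    _key, username = kv.split("=", 1)
    return app, username


def resolve_naive(people, line):
    """Candidate person ids for the username alone; len > 1 means ambiguous."""
    _app, username = parse_audit_line(line)
    return index_by_name_only(people).get(username, set())


def resolve(people, line):
    """The single person id for (application, username), or None if the
    name was never provisioned for that application."""
    app, username = parse_audit_line(line)
    return index_by_app_and_name(people).get((app, username))


if __name__ == "__main__":
    users = load_users(USERS_JSON)
    for audit_line in AUDIT_LINES:
        print(f"{audit_line!r:28} naive={sorted(resolve_naive(users, audit_line))} "
              f"keyed={resolve(users, audit_line)}")
```

Run stand-alone, the third line ("B login user=john") is the interesting one: the naive lookup returns both u-1 and u-2, while the keyed lookup returns u-2 only. The unprovisioned application C resolves to None rather than guessing, which is the behaviour an auditor wants.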

