[security-dev] IDM: REST API

Bill Burke bburke at redhat.com
Tue Dec 11 09:28:59 EST 2012


Real life scenario is OAuth (1 or 2)

On 12/10/2012 5:34 PM, Shane Bryzak wrote:
> On 12/11/2012 05:18 AM, Bill Burke wrote:
>>
>> On 12/10/2012 1:47 PM, Darran Lofthouse wrote:
>>> On 12/10/2012 06:37 PM, Bill Burke wrote:
>>>> * Granting specific access to somebody so they can act on behalf of you
>>>> seems like a pretty compelling cross-cutting use case that should be
>>>> supported in the model.
>>> That is something that is coming up for AS7 as well; we are close to the
>>> point where we need to define which users can act on the behalf of other
>>> users.
>>>
>> (I said this before.)  In my prototype, I have something like a role
>> mapping, but it is a list of roles a user is allowed to ask another user
>> to grant for them.  This is the change in the meta model I'd need for
>> this type of data; otherwise, I'm just hacking the identity model.
>>
>>
> I'm going to need a way more descriptive use case than this to ensure
> that we're addressing this requirement.  Bill, would you mind writing
> something up that includes all the details plus a real life scenario?

As Anil already said, the real life scenario is OAuth (1 or 2).  The 
idea is that grant requesters are only authorized to ask for specific 
permissions and not *any* permission (OAuth "scope").  While scope is 
not required by OAuth, there are really two reasons I want this metadata:

1. To prevent grant requesters from asking for permissions they really 
shouldn't be asking for, i.e. admin privileges

2. If this metadata is held in the IDM, then the grant requester doesn't 
need to know about or specify this metadata.  One less thing you have to 
consider.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
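As an added illustration of the metadata discussed in this thread (this is example code written for this page, not PicketLink IDM code and not Bill's prototype), the following Python model keeps two tables: the ordinary user-to-role mapping, and a per-requester list of the roles that requester is allowed to ask a user to delegate. A grant request is refused if it names a role outside the requester's permitted list (reason 1 above, e.g. a client asking for "admin"), and a requester that passes no scope simply gets whatever the IDM allows it to ask for (reason 2 above). All user, requester and role names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample IDM contents (hypothetical names). USER_ROLES is the
# ordinary role mapping; REQUESTABLE_ROLES is the extra metadata proposed
# in the thread: per grant requester, the roles it is allowed to ask a
# user to delegate to it.
USER_ROLES = {
    "alice": frozenset({"read-profile", "post-status", "admin"}),
    "bob": frozenset({"read-profile"}),
}

REQUESTABLE_ROLES = {
    "photo-app": frozenset({"read-profile", "post-status"}),
    "audit-tool": frozenset({"read-profile"}),
}


@dataclass(frozen=True)
class GrantDecision:
    ok: bool
    roles: frozenset        # roles the requester may exercise for the user
    reason: str = ""        # why the request was refused, if it was


def evaluate_grant(requester, user, scope=None):
    """Decide whether `requester` may be granted `scope` on behalf of `user`.

    scope is an iterable of role names. Passing None means "whatever the
    IDM allows this requester to ask for", so a requester does not have to
    know or repeat the metadata itself.
    """
    allowed = REQUESTABLE_ROLES.get(requester)
    if allowed is None:
        return GrantDecision(False, frozenset(), f"unknown requester {requester!r}")
    held = USER_ROLES.get(user)
    if held is None:
        return GrantDecision(False, frozenset(), f"unknown user {user!r}")

    requested = allowed if scope is None else frozenset(scope)
    if not requested:
        return GrantDecision(False, frozenset(), "empty scope")

    # Reason 1 from the thread: refuse anything outside the requester's
    # permitted set, e.g. a client asking for "admin".
    excess = requested - allowed
    if excess:
        return GrantDecision(False, frozenset(),
                             f"{requester!r} may not request {sorted(excess)}")

    # A user cannot delegate a role it does not hold itself.
    missing = requested - held
    if missing:
        return GrantDecision(False, frozenset(),
                             f"{user!r} does not hold {sorted(missing)}")

    return GrantDecision(True, requested)


def may_act(decision, role):
    """Runtime check: does a granted delegation cover `role`?"""
    return decision.ok and role in decision.roles


if __name__ == "__main__":
    for requester, user, scope in [
        ("photo-app", "alice", ["read-profile"]),   # granted
        ("photo-app", "alice", None),               # granted: full allowed set
        ("photo-app", "alice", ["admin"]),          # refused: not requestable
        ("photo-app", "bob", ["post-status"]),      # refused: bob lacks role
        ("mystery-app", "alice", ["read-profile"]), # refused: unknown requester
    ]:
        d = evaluate_grant(requester, user, scope)
        print(requester, user, scope, "->",
              "granted" if d.ok else "refused", sorted(d.roles) or d.reason)
```

The two checks are deliberately separate: the requestable-roles check is about what a client is ever entitled to ask for and is decided entirely from IDM data, while the holds-role check is about the particular user being asked; a real OAuth flow would still put the user's consent step between the two.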

