Ivo Ladage - van Doorn created AMDATUOPENSOCIAL-196:
-------------------------------------------------------

             Summary: Investigate REST API security using OAuth
                 Key: AMDATUOPENSOCIAL-196
                 URL: http://jira.amdatu.org/jira/browse/AMDATUOPENSOCIAL-196
             Project: Amdatu OpenSocial
          Issue Type: Question
          Components: Documentation
            Reporter: Ivo Ladage - van Doorn
            Assignee: Ivo Ladage - van Doorn


Requirements:

- It must be possible to secure the REST APIs using OAuth
- It must be possible to register applications which are authorized to invoke 
this REST API
- It must be possible to differentiate between registered applications and 
users. So for example, a reporting REST service is not accessible by 
authenticated users but only by service consumers with an authorized token.
- For each registered application an 'API key' (read: consumer key & secret) 
must be generated which can be used by the application to communicate with the 
REST service
- In the application registry it must be possible to define the following 
authorization:
  * A set of roles that the application receives. So the application will have 
the same authorization as a user with these roles.
  * A user. The application will have the exact same authorization as this user 
(in fact this is a subset of the first requirement, as users are also roles in 
OSGi)
- There must be a uniform way of performing the authorization check in the REST 
API. For a developer it should not matter if the REST API is invoked directly 
by an authenticated user or a service consumer using 2-legged or 3-legged OAuth.
- It must be possible to deploy a gadget in iGoogle which uses OAuth to invoke 
the REST API in an Amdatu bundle.
- In the latter case it would be a nice feature if pre-authorized tokens were 
supported (meaning that the user does not need to explicitly give iGoogle 
approval to act on its behalf each time the user opens iGoogle)

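The application registry and the uniform authorization check from the requirements above, as an added example (not Amdatu code and not part of the original message). All class and method names, the sample registry, and the choice to intersect user and application roles for 3-legged calls are assumptions; OAuth signature and token validation is assumed to have succeeded before these methods run.

```java
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class UniformAuthzExample {
    // How the request was authenticated (hypothetical names, not Amdatu APIs).
    enum CallerKind { USER, CONSUMER_2LEGGED, CONSUMER_3LEGGED }

    // The one identity type a REST resource sees, whatever the authentication path.
    record Caller(CallerKind kind, String name, Set<String> roles) {}

    // Constructed application registry: consumer key -> roles granted to that application.
    static final Map<String, Set<String>> REGISTRY = Map.of(
            "reporting-app", Set.of("reporting"),
            "igoogle-gadget", Set.of("profile-read", "profile-write"));

    // 2-legged: the application acts for itself with its registry roles.
    // An unregistered consumer key yields no caller at all.
    static Optional<Caller> twoLegged(String consumerKey) {
        return Optional.ofNullable(REGISTRY.get(consumerKey))
                .map(roles -> new Caller(CallerKind.CONSUMER_2LEGGED, consumerKey, roles));
    }

    // 3-legged: the application acts for a user. Assumption: effective roles are the
    // intersection of the user's roles and the application's registry roles.
    static Optional<Caller> threeLegged(String consumerKey, String user, Set<String> userRoles) {
        return Optional.ofNullable(REGISTRY.get(consumerKey)).map(appRoles -> {
            Set<String> effective = new HashSet<>(userRoles);
            effective.retainAll(appRoles);
            return new Caller(CallerKind.CONSUMER_3LEGGED, user, effective);
        });
    }

    // The uniform check: the caller kind must be allowed and the required role present.
    static boolean isAuthorized(Optional<Caller> caller, String role, Set<CallerKind> kinds) {
        return caller.filter(c -> kinds.contains(c.kind()) && c.roles().contains(role)).isPresent();
    }

    public static void main(String[] args) {
        // Reporting service: service consumers only, even if a user holds the role.
        Set<CallerKind> consumersOnly = EnumSet.of(CallerKind.CONSUMER_2LEGGED);
        Optional<Caller> alice = Optional.of(new Caller(CallerKind.USER, "alice", Set.of("reporting")));
        System.out.println(isAuthorized(twoLegged("reporting-app"), "reporting", consumersOnly));
        System.out.println(isAuthorized(alice, "reporting", consumersOnly));
        System.out.println(isAuthorized(twoLegged("unknown-key"), "reporting", consumersOnly));
    }
}
```

Only the first call is authorized: the authenticated user is rejected by caller kind despite holding the role, and the unregistered consumer key never becomes a caller.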