[ 
http://jira.amdatu.org/jira/browse/AMDATUAUTH-133?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ivo Ladage - van Doorn updated AMDATUAUTH-133:
----------------------------------------------

    Description: 
The current access tokens provided by the OAuth server do not support assigning 
any form of authorization to the token. The only authorization is yes/no and 
the authorization derived from the user for which the token was obtained. 
Currently the user for example cannot provide a consumer only read-access to 
its resources; the consumer always retrieves full access to the user's resources.
Scenario that should be supported:

- A REST service defines two permissions 'read-only' and 'read/write'
- These permissions are picked up by the OAuth server
- In the authorize step, these two permissions are displayed and the user must 
select what type of access to grant to the consumer
- The REST service verifies if the access token was obtained with 'read/write' 
access in case an API is invoked that modifies data. If only 'read-only' is 
provided, it returns a 401


  was:
The current access tokens provided by the OAuth server do not support assigning 
any form of authorization to the token. The only authorization is yes/no and 
the authorization derived from the user for which the token was obtained. 
Currently the user for example cannot provide a consumer only read-access to 
its resources; the consumer always retrieved full access to the users resources.
Scenario that should be supported:

- A REST service defines two permissions 'read-only' and 'read/write'
- These permissions are picked up by the OAuth server
- In the authorize step, these two permissions are displayed and the user must 
select what type of access to grant to the consumer
- The REST service verifies if the access token was obtained with 'read/write' 
access in case an API is invoked that modifies data. If only 'read-only' is 
provided, it returns a 401


    
> Support more fine-grained authorization in access tokens
> --------------------------------------------------------
>
>                 Key: AMDATUAUTH-133
>                 URL: http://jira.amdatu.org/jira/browse/AMDATUAUTH-133
>             Project: Amdatu Auth
>          Issue Type: New Feature
>          Components: OAuth server
>    Affects Versions: 0.2.1
>            Reporter: Ivo Ladage - van Doorn
>            Assignee: Ivo Ladage - van Doorn
>              Labels: blueconic
>             Fix For: 0.2.2
>
>
> The current access tokens provided by the OAuth server do not support 
> assigning any form of authorization to the token. The only authorization is 
> yes/no and the authorization derived from the user for which the token was 
> obtained. Currently the user for example cannot provide a consumer only 
> read-access to its resources; the consumer always retrieves full access to 
> the user's resources.
> Scenario that should be supported:
> - A REST service defines two permissions 'read-only' and 'read/write'
> - These permissions are picked up by the OAuth server
> - In the authorize step, these two permissions are displayed and the user 
> must select what type of access to grant to the consumer
> - The REST service verifies if the access token was obtained with 
> 'read/write' access in case an API is invoked that modifies data. If only 
> 'read-only' is provided, it returns a 401
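
One way the REST-side check in the last step of the scenario could look, as an added example that is not part of the issue or of Amdatu's code. The `AccessToken` record, the `Permission` enum and the mapping from HTTP method to required permission are assumptions made for illustration (Java 16 or later); the 401 status follows the issue text.

```java
import java.util.EnumSet;
import java.util.Locale;
import java.util.Set;

public class TokenPermissionCheck {

    // The two permissions named in the scenario.
    enum Permission { READ_ONLY, READ_WRITE }

    // Hypothetical token record: the user it was issued for and what that user granted.
    record AccessToken(String userId, Set<Permission> granted) {}

    // Assumption: only these methods count as reads. Anything else is treated
    // as modifying data, so an unknown method fails closed.
    private static final Set<String> READ_METHODS = Set.of("GET", "HEAD");

    static Permission required(String httpMethod) {
        String m = httpMethod.toUpperCase(Locale.ROOT);
        return READ_METHODS.contains(m) ? Permission.READ_ONLY : Permission.READ_WRITE;
    }

    // Returns the HTTP status the REST service answers with before doing any work.
    static int authorize(AccessToken token, String httpMethod) {
        if (token == null || token.granted().isEmpty()) {
            return 401; // no token, or a token the user granted nothing to
        }
        if (token.granted().contains(Permission.READ_WRITE)) {
            return 200; // 'read/write' covers reads as well
        }
        // Token carries 'read-only' only: reads pass, modifying calls get the
        // 401 the issue asks for.
        return required(httpMethod) == Permission.READ_ONLY ? 200 : 401;
    }

    public static void main(String[] args) {
        // Constructed sample tokens, one per permission the user could select.
        AccessToken reader = new AccessToken("alice", EnumSet.of(Permission.READ_ONLY));
        AccessToken writer = new AccessToken("alice", EnumSet.of(Permission.READ_WRITE));
        for (String method : new String[] {"GET", "POST", "DELETE", "PROPFIND"}) {
            System.out.printf("%-8s read-only=%d read/write=%d%n",
                    method, authorize(reader, method), authorize(writer, method));
        }
    }
}
```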

_______________________________________________
Amdatu-developers mailing list
[email protected]
http://lists.amdatu.org/mailman/listinfo/amdatu-developers