[ http://jira.amdatu.org/jira/browse/AMDATUAUTH-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12930#comment-12930 ]
Ivo Ladage - van Doorn commented on AMDATUAUTH-133:
---------------------------------------------------
The first step of the scenario is not possible; in the authorize step you
cannot possibly know the REST service being invoked by the consumer. So the
permission scheme to apply can only be configured per consumer. This means that
this information could best be stored in the consumer registry. It should
support persistence of a collection of permission properties, consisting of:
- id
- name per locale (used in authorize step)
> Support more fine-grained authorization in access tokens
> --------------------------------------------------------
>
> Key: AMDATUAUTH-133
> URL: http://jira.amdatu.org/jira/browse/AMDATUAUTH-133
> Project: Amdatu Auth
> Issue Type: New Feature
> Components: OAuth server
> Affects Versions: 0.2.1
> Reporter: Ivo Ladage - van Doorn
> Assignee: Ivo Ladage - van Doorn
> Labels: blueconic
> Fix For: 0.2.2
>
>
> The current access tokens provided by the OAuth server do not support
> assigning any form of authorization to the token. The only authorization is
> yes/no and the authorization derived from the user for which the token was
> obtained. Currently the user for example cannot provide a consumer only
> read-access to its resources; the consumer always retrieves full access to
> the user's resources.
> Scenario that should be supported:
> - A REST service defines two permissions 'read-only' and 'read/write'
> - These permissions are picked up by the OAuth server
> - In the authorize step, these two permissions are displayed and the user
> must select what type of access to grant to the consumer
> - The REST service verifies if the access token was obtained with
> 'read/write' access in case an API is invoked that modifies data. If only
> 'read-only' is provided, it returns a 401
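
The scheme discussed in the issue and the comment, as an added Java example that is not Amdatu Auth code and not part of the original message: permissions are stored per consumer (an id plus a name per locale), the user picks one in the authorize step, and the REST service returns 401 for a modifying call made with a 'read-only' token. All class, method and consumer names are hypothetical, and the in-memory maps stand in for the persistent consumer registry and the token store.

```java
import java.util.*;

// Hypothetical model only: none of these types or methods are Amdatu Auth APIs.
public class ScopedTokenExample {
    // Permission property from the comment: an id plus a display name per locale.
    record Permission(String id, Map<Locale, String> names) {
        String displayName(Locale l) { return names.getOrDefault(l, names.get(Locale.ENGLISH)); }
    }
    record AccessToken(String value, String consumerKey, String user, String granted) {}

    // Stand-ins for the persistent consumer registry and the token store.
    static final Map<String, List<Permission>> REGISTRY = new HashMap<>();
    static final Map<String, AccessToken> TOKENS = new HashMap<>();

    // Authorize step: only the consumer is known here, so the selectable
    // permissions come from that consumer's registry entry, never from the request.
    static AccessToken authorize(String consumerKey, String user, String selectedId) {
        List<Permission> scheme = REGISTRY.get(consumerKey);
        if (scheme == null) throw new IllegalArgumentException("unknown consumer");
        boolean registered = scheme.stream().anyMatch(p -> p.id().equals(selectedId));
        if (!registered) throw new IllegalArgumentException("permission not registered for consumer");
        // Token value format is a placeholder (random UUID).
        AccessToken t = new AccessToken(UUID.randomUUID().toString(), consumerKey, user, selectedId);
        TOKENS.put(t.value(), t);
        return t;
    }

    // REST service side: a modifying API needs 'read/write'; any valid token may read.
    // The 401 status follows the issue text.
    static int check(String tokenValue, boolean modifiesData) {
        AccessToken t = TOKENS.get(tokenValue);
        if (t == null) return 401;                       // unknown or missing token
        if (modifiesData && !"read/write".equals(t.granted())) return 401;
        return 200;
    }

    public static void main(String[] args) {
        // Constructed sample data for one consumer.
        REGISTRY.put("consumer-1", List.of(
            new Permission("read-only", Map.of(Locale.ENGLISH, "Read your data")),
            new Permission("read/write", Map.of(Locale.ENGLISH, "Read and change your data"))));
        for (Permission p : REGISTRY.get("consumer-1"))   // what the authorize page would list
            System.out.println(p.id() + ": " + p.displayName(Locale.ENGLISH));
        AccessToken t = authorize("consumer-1", "alice", "read-only");
        System.out.println("read call   -> " + check(t.value(), false));
        System.out.println("modify call -> " + check(t.value(), true));
    }
}
```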