Hi all,
I'm working on a set of API endpoints to allow institutions to manage their
users and records, and their users to read their own records.
Specifically, each institution will get a {client_id} and a {secret} after
registering with us, which allows them to create users under its
institution using [POST https://hostname/users/]. Then the institution can
also insert records for each user using [POST
https://hostname/users/:user_id/]. Once a user has been created, he/she can
read his/her own records using [GET https://hostname/users/:user_id/].
In this process, there are two types of authentications I would like to
achieve, which I'm thinking about using oauth. However, I am super new on
oauth and have four questions.
Institution authentication (e.g., company FOO will have READ and WRITE
access to https://hostname/ to create users under its own institution,
insert records for specific users): (1) Since this part of the system will
be created and run by the institution, this should be a "client credential
grant" using {client_id} and {secret} of the institution, correct?
End-user authentication (e.g., user John Doe of company FOO will have READ
access to https://hostname/users/:john_doe_user_id/ to read his own
personal records): (2) Because this part of the system will probably run on
the web/mobile app created by company FOO, this should be a "resource owner
credential grant" using {username}, {password} of the specific user,
correct?
(3) Because I am allow two types of different authentications, which will
use two types of different {access_token}s I assume, would that be
something weird (or hard to build) under the oauth model?
(4) What if the web/mobile app created by a subset of the companies already
has its own authentication and does not want to create another password for
each of its users, what should I do? For example, company FOO has its own
authentication for its web/mobile app and does not want to bother creating
another password for each of its user (i.e., requires only {username}),
whereas company BAR would like to create another password for each user
(i.e., requires {username} and {password}). What kind of authentication
model should I use for a scenario like this?
Thank you very much for your help!
Yunqi
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
