So you want to specify user, client-id, and their credentials and get back a token that is limited to what the client-id is allowed to get? All in one request? I don't have an API for this at the moment.
On 4/16/2013 11:50 AM, Doug Schnelzer wrote: > So continuing to peel back the onion... and getting somewhere... > > Thanks for the pointers. I re-read the docs especially around > > http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454 > > I noticed that the commerce-roles.properties for the current OAuth2 > examples has the following: > > bbu...@redhat.com <mailto:bbu...@redhat.com>=user,products > admin=admin > customer-portal=login > product-portal=login > third-party=oauth,* > > I see that the oauth-client-example project is using the client-id > "third-party" which is specified in > the org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized(). > What I want to do is to get a bearer tokan programmatically as is done > in as is done in the client-grant example > (i.e. org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts() > ) but I want to specify the client-id so that I can limit the roles that > are encoded in the bearer token. My assumption is that > since org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts() > is using basic authentication to the auth server that the bearer token > returned will have all roles for bbu...@redhat.com > <mailto:bbu...@redhat.com>. > > So my question is can I easily modify the > ProductDatabaseClient.getProducts() so that I am specifying a client-id > for the resulting bearer token and if so can you point at the right part > of the API that I should be looking at? > > Thanks much, > Doug > > On Tue, Apr 16, 2013 at 9:33 AM, Bill Burke <bbu...@redhat.com > <mailto:bbu...@redhat.com>> wrote: > > OAuth2 does not define the token format. We have defined our own token > format that transmits signed role-mapping metadata. > > Check this out: > > > http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454 > > An "Oauth client" in skeleton key can be assigned a set of roles that it > is allowed to assume. So, even though a specific user might have > "admin" and "user" permissions, you can specify in the "oauth client" > role mapping that the "oauth client" is only allowed to assume "user" > permissions. Please read the linked documentation and get back to this > list if you have more questions. > > FYI, because our OAuth2 code reuses and is built on top of JBoss's > existing Security Domain APIs there's only so much flexibility that can > be provided. In the future, I have plans to leverage the new IDM API in > AS8 so that you can do more complex role mappings and OAuth2 scopes . > Right now you're limited to what the documentation specifies. Please > get back to me. I want to know if what we have is good enough for now, > or if it is unusable. > > On 4/16/2013 9:17 AM, Doug Schnelzer wrote: > > Thanks. As a follow up, I'd like to request a bearer token but limit > > the Roles identified in the bearer token. I'm looking > > at org.jboss.resteasy.example.oauth.ProductDatabaseClient. Would > it be > > right to look that the Access Token Scope to try and accomplish this. > > What I'm trying to do is have a set of REST services protected > using > > the @RolesAllowed and a less sensitive role. Even though the > Resource > > Owner may have access to more sensitive roles, I don't wan the bearer > > token being given to the client to have all of these roles. I'm > working > > my way through > > org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and > mapping > > to the OAuth2 spec, but would welcome any guidance pointing me in the > > right direction. > > > > > > > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > > ------------------------------------------------------------------------------ > Precog is a next-generation analytics platform capable of advanced > analytics on semi-structured data. The platform includes APIs for building > apps and a phenomenal toolset for data science. Developers can use > our toolset for easy data analysis & visualization. Get a free account! > http://www2.precog.com/precogplatform/slashdotnewsletter > > > > _______________________________________________ > Resteasy-users mailing list > Resteasy-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/resteasy-users > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com ------------------------------------------------------------------------------ Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter _______________________________________________ Resteasy-users mailing list Resteasy-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/resteasy-users
