Re: [oauth] Enterprise usage question: Role based access and scope parameter

2010-07-07 Thread Lukas Rosenstock
scope is about the permissions that a client application is
requesting. But if those permissions are inherently bound to the users
because the users have certain roles, the Access Token requested for a
user can be bound to those roles by the Authorization server. I don't
feel there's a requirement to use scope at all.

If, however, you want client applications to specifically state for
which role they're requesting access, there's nothing to prevent you
from implementing the scheme suggested. The specification doesn't
state any format of scopes and neither does it say anything on how the
scope values are converted into actual access privileges.

Regards,
 Lukas Rosenstock

2010/7/6 wjgerritsen epsilon...@gmail.com:
 Hi,

 I am playing with the idea of using role names in the scope parameter
 (of RequestToken endpoint) for authorizing to our platform. It will
 work somehow like this: A user has a number of roles: e.g. SalesRep,
 Employee, Manager. To each role a consistent privilege set is
 assigned, so the user would also be able to use (part of) the
 functionality of the platform with only one role.

 Then the token would be bound to a certain role (e.g. SalesRep), such
 that the consumer app cannot exercise all privileges of the user, but
 only those limited to the assigned scope, which is a role. Upon app
 registration, it will be made clear which roles are liable for the
 scope parameter.

 Any comments?

 regards,
 Willem Jan

 --
 You received this message because you are subscribed to the Google Groups 
 OAuth group.
 To post to this group, send email to oa...@googlegroups.com.
 To unsubscribe from this group, send email to 
 oauth+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/oauth?hl=en.






[oauth] Enterprise usage question: Role based access and scope parameter

2010-07-06 Thread wjgerritsen
Hi,

I am playing with the idea of using role names in the scope parameter
(of RequestToken endpoint) for authorizing to our platform. It will
work somehow like this: A user has a number of roles: e.g. SalesRep,
Employee, Manager. To each role a consistent privilege set is
assigned, so the user would also be able to use (part of) the
functionality of the platform with only one role.

Then the token would be bound to a certain role (e.g. SalesRep), such
that the consumer app cannot exercise all privileges of the user, but
only those limited to the assigned scope, which is a role. Upon app
registration, it will be made clear which roles are liable for the
scope parameter.

Any comments?

regards,
Willem Jan

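Added example, not part of the thread or of any OAuth library: a sketch of how an authorization server could implement the scheme discussed above, binding a token to the requested roles only when the client registered for them and the user holds them. The role-to-privilege table, the user and client names, the space-delimited scope format and the function names are all assumptions made for illustration.

```python
# Constructed sample data: role -> privileges, user -> roles held,
# client -> roles it declared at app registration.
ROLE_PRIVILEGES = {
    "SalesRep": {"leads:read", "leads:write"},
    "Employee": {"profile:read", "timesheet:write"},
    "Manager": {"reports:read", "timesheet:approve"},
}
USER_ROLES = {"alice": {"SalesRep", "Employee"}}
CLIENT_REGISTERED_ROLES = {"crm-app": {"SalesRep", "Manager"}}


class ScopeError(Exception):
    """Raised when a scope request cannot be granted as asked."""


def issue_token(client_id, user, scope):
    """Bind a token to the roles named in `scope` (space-delimited, assumed)."""
    requested = set(scope.split())
    if not requested:
        raise ScopeError("scope must name at least one role")
    unknown = requested - set(ROLE_PRIVILEGES)
    if unknown:
        raise ScopeError(f"unknown roles: {sorted(unknown)}")
    # The client may only ask for roles it listed at registration.
    unregistered = requested - CLIENT_REGISTERED_ROLES.get(client_id, set())
    if unregistered:
        raise ScopeError(f"client not registered for: {sorted(unregistered)}")
    # The user can only delegate roles the user actually holds.
    not_held = requested - USER_ROLES.get(user, set())
    if not_held:
        raise ScopeError(f"user does not hold: {sorted(not_held)}")
    # Fail closed instead of silently narrowing the request. A real server
    # would return an opaque handle and keep this record server-side.
    return {"client": client_id, "user": user, "roles": sorted(requested)}


def is_allowed(token, privilege):
    """Check a privilege against the token's roles at the resource server."""
    # Intersect with the user's current roles so a revoked role stops working
    # even while the token is still valid.
    live_roles = set(token["roles"]) & USER_ROLES.get(token["user"], set())
    return any(privilege in ROLE_PRIVILEGES[role] for role in live_roles)


if __name__ == "__main__":
    token = issue_token("crm-app", "alice", "SalesRep")
    print(token["roles"], is_allowed(token, "leads:read"),
          is_allowed(token, "timesheet:write"))
```

The token grants only the SalesRep privileges even though the user also holds Employee, which is the restriction the original post asks for.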