On Wed, Oct 30, 2013 at 12:28 PM, Pradeep Fernando <[email protected]> wrote:
> Hi Devs,
>
> I want to secure a set of APIs using OAuth 2.0. Resource server has APIs
> of type,
>
> X and Y.
>
> Client authenticates itself with the authorization server (say resource
> owner password credentials grant...) and gets an access token.
>
> The authorization server has two types of users (roles):
>
> role A
> role B
>
> Users of role A should be able to access both the resources X and Y,
> whereas users of role B can only access resources of type Y.
>
> Authorization is the concern here. How can we pass that info to the
> resource server? Since OAuth is an authorization framework, we don't have
> to deal with user roles at the resource server, right (correct me if I'm
> wrong..)?
>

By default, when an access token is granted, the authorization server does not do any authorization. If you need it, you need to implement a callback class. More details can be found here [1]. In your case, I guess we can send the X, Y values in the scope parameter and do the RBAC validation inside the callback class before granting the token. However, please make sure that the current authorization server implementation does not issue different access tokens based on the scope (which has already been discussed in the Architecture mailing list). Therefore, if a token is granted, it can be used to access all.

[1] http://blog.thilinamb.com/2012/08/writing-oauthcallbackhandler-for-wso2.html

Thanks,
Asela.

> If so, is the 'scope' parameter in the access token the correct approach?
>
> thanks,
> --Pradeep
>

--
Thanks & Regards,
Asela
ATL Mobile : +94 777 625 933
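The arrangement discussed above, as an added example that is not part of the thread and not WSO2's code: the authorization server performs the role-based scope check before issuing a token (the job the thread assigns to the callback class), binds the granted scope into the token, and the resource server authorizes purely on that scope claim without ever seeing user roles. Users, roles, passwords and the HMAC signing key are constructed sample data, and the HMAC-signed JSON token format is a hypothetical stand-in, not the WSO2 token format. The bind_scope flag reproduces the caveat raised in the reply: a server that issues the same token regardless of scope leaves the resource server with nothing to enforce.

```python
"""Role-based scope checks for an OAuth 2.0 password-credentials grant.
Stand-alone illustration; not WSO2 code. All data below is constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: the resource types each role may request as scope.
ROLE_SCOPES = {"A": {"X", "Y"}, "B": {"Y"}}


def _pw_hash(password: str) -> bytes:
    # Demo-only hashing; a real server would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).digest()


# Constructed sample users (resource owners).
USERS = {
    "alice": {"pw": _pw_hash("alice-pass"), "roles": {"A"}},
    "bob": {"pw": _pw_hash("bob-pass"), "roles": {"B"}},
}

# Hypothetical key shared by the authorization server and the resource server.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def allowed_scopes(username: str) -> set:
    """Union of the scopes granted by every role the user holds."""
    scopes = set()
    for role in USERS[username]["roles"]:
        scopes |= ROLE_SCOPES.get(role, set())
    return scopes


def authorize_scope_request(username: str, requested: set) -> bool:
    """The RBAC decision the thread places in the callback class: approve the
    request only if every requested scope is covered by the user's roles."""
    return requested <= allowed_scopes(username)


def issue_token(username: str, password: str, scope: str, bind_scope: bool = True) -> str:
    """Authorization-server side of the resource owner password credentials grant.
    Raises PermissionError("invalid_grant") on bad credentials and
    PermissionError("invalid_scope") on a scope the user's roles do not permit.
    With bind_scope=True the granted scope is written into the token; with
    bind_scope=False the token carries no scope claim, mirroring a server that
    issues the same token regardless of scope."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _pw_hash(password)):
        raise PermissionError("invalid_grant")
    requested = set(scope.split())
    if not requested or not authorize_scope_request(username, requested):
        raise PermissionError("invalid_scope")
    payload = {"sub": username, "exp": int(time.time()) + 3600}
    if bind_scope:
        payload["scope"] = sorted(requested)
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> dict:
    """Resource-server side: check signature and expiry, return the claims."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("invalid_token")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise PermissionError("token_expired")
    return claims


def resource_access(token: str, resource_type: str) -> bool:
    """The resource server decides on the token's scope claim alone; it never
    sees user roles. A token with no scope claim gives it nothing to enforce,
    so it fails closed."""
    claims = verify_token(token)
    return resource_type in claims.get("scope", [])


if __name__ == "__main__":
    bob_token = issue_token("bob", "bob-pass", "Y")
    print("bob -> Y:", resource_access(bob_token, "Y"))   # True
    print("bob -> X:", resource_access(bob_token, "X"))   # False
    try:
        issue_token("bob", "bob-pass", "X Y")
    except PermissionError as err:
        print("bob requesting X Y:", err)                  # invalid_scope
```

The split of responsibilities is the point: the authorization server is the only component that knows roles, and it turns them into a scope decision at grant time; the resource server only needs to verify the token and read its scope claim. If the server issues an unscoped token (bind_scope=False), the resource server has no basis for telling X from Y, which is exactly why the reply warns that a granted token "can be used to access all".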
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
