While I agree with Blain’s conclusion, I would characterize it a bit differently: there currently is no general consensus as to what the best way to approach this is, and whether there is value in a generic permission parameter. My favorite example is a health records API in which reading is the more critical right, not writing – it is just very different in each use case and we don’t have enough experience to see a useful pattern.
EHL

From: [email protected] [mailto:[email protected]] On Behalf Of Chasen Le Hara
Sent: Wednesday, February 10, 2010 7:44 PM
To: [email protected]
Subject: Re: [OAUTH-WG] Resource permissions

Thanks for the feedback. That’s what I presumed and I’m glad I wasn’t missing anything.

For the record, I ended up adding two comma-separated parameters to the request token request like so:

read_permissions=user&write_permission=accounts,accounts/transactions

[Documentation: https://ironmoney.com/api/permissions/]

On Sat, Jan 23, 2010 at 6:08 PM, Blaine Cook <[email protected]> wrote:

Hi Chasen, the general consensus is that this is something best handled by each provider individually, since there are too many possible approaches to permissions to be covered in the authorization spec. Flickr and Twitter are good examples of how to do simple read/write permissions.

b.

2010/1/22 Chasen Le Hara <[email protected]>:
> Hi,
>
> I am currently implementing an API that uses OAuth. I’m including a basic resource authorization feature in my API that lets clients ask for read/write permissions to a number of resources while getting a request token (something like permissions="read:/accounts/ write:/accounts/transactions/").
>
> I know that this isn’t covered by 1.0a or the latest draft. After searching for a bit, I found this functionality mentioned in this thread [1] and a thread about OAuth Core 1.1 [2]. I haven’t seen any mention of this since then, and I don’t believe this is being tackled by WRAP either.
>
> My question to the floor: is there a draft I’ve missed that includes this? Are there any APIs planned or shipping that have this functionality? Is this something worth standardizing, or should each service provider do it their own way?
>
> -Chasen
>
> P.S. My apologies if I posted this to the wrong mailing list; I thought this would be a better choice than the Google Groups list.
>
> [1] https://groups.google.com/group/oauth/browse_thread/thread/e44310037ba355e3/91cabf9061004d0a
> [2] https://groups.google.com/group/oauth/browse_thread/thread/b4d71abb0ac81e60/878a35a9d355437b
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
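The comma-separated read_permissions / write_permission parameters described in the thread, as an added example that is not IronMoney's code nor any list participant's: it parses them from a request-token query string, resolves a granted path against its sub-resources, and keeps read and write as independent grants so that a write grant never implies read (the point made about health-record style APIs). The function names parse_permissions, covers and is_allowed, and the sample query string, are assumptions constructed for this example.

```python
from urllib.parse import parse_qs

READ_PARAM = "read_permissions"    # parameter names as used in the thread
WRITE_PARAM = "write_permission"


def _split_paths(values):
    """Flatten repeated/comma-separated values into a set of normalized paths."""
    return {
        item.strip().strip("/")
        for value in values
        for item in value.split(",")
        if item.strip().strip("/")
    }


def parse_permissions(query):
    """Parse the request-token query string into independent read and write grant sets."""
    params = parse_qs(query, keep_blank_values=True)
    return {
        "read": _split_paths(params.get(READ_PARAM, [])),
        "write": _split_paths(params.get(WRITE_PARAM, [])),
    }


def covers(granted, resource):
    """True when a granted path equals the resource or is one of its ancestors,
    so a grant on 'accounts' also covers 'accounts/transactions' (but not 'accountsX')."""
    resource = resource.strip("/")
    return any(resource == g or resource.startswith(g + "/") for g in granted)


def is_allowed(scope, action, resource):
    """Authorization check a provider would run against the scope stored with the token.
    Unknown actions are denied, and each action is checked only against its own grant set."""
    if action not in ("read", "write"):
        return False
    return covers(scope[action], resource)


if __name__ == "__main__":
    # Constructed sample matching the parameter shape quoted in the thread.
    scope = parse_permissions(
        "read_permissions=user&write_permission=accounts,accounts/transactions"
    )
    for action, resource in [("read", "user"), ("write", "accounts/transactions"),
                             ("read", "accounts"), ("write", "accountsX")]:
        print(action, resource, "->", "allow" if is_allowed(scope, action, resource) else "deny")
```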
