So continuing to peel back the onion... and getting somewhere...

Thanks for the pointers.  I re-read the docs especially around

I noticed that the for the current OAuth2
examples has the following:,products

I see that the oauth-client-example project is using the client-id
"third-party" which is specified in
the org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized().  What
I want to do is to get a bearer token programmatically as is done in
the client-grant example
(i.e. org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
) but I want to specify the client-id so that I can limit the roles that
are encoded in the bearer token.  My assumption is that
since org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
is using basic authentication to the auth server that the bearer token
returned will have all roles for

So my question is can I easily modify the
ProductDatabaseClient.getProducts() so that I am specifying a client-id for
the resulting bearer token and if so can you point at the right part of the
API that I should be looking at?

Thanks much,

On Tue, Apr 16, 2013 at 9:33 AM, Bill Burke <> wrote:

> OAuth2 does not define the token format.  We have defined our own token
> format that transmits signed role-mapping metadata.
> Check this out:
> An "Oauth client" in skeleton key can be assigned a set of roles that it
> is allowed to assume.  So, even though a specific user might have
> "admin" and "user" permissions, you can specify in the "oauth client"
> role mapping that the "oauth client" is only allowed to assume "user"
> permissions.  Please read the linked documentation and get back to this
> list if you have more questions.
> FYI, because our OAuth2 code reuses and is built on top of JBoss's
> existing Security Domain APIs there's only so much flexibility that can
> be provided.  In the future, I have plans to leverage the new IDM API in
> AS8 so that you can do more complex role mappings and OAuth2 scopes .
> Right now you're limited to what the documentation specifies.  Please
> get back to me.  I want to know if what we have is good enough for now,
> or if it is unusable.
> On 4/16/2013 9:17 AM, Doug Schnelzer wrote:
> > Thanks.  As a follow up, I'd like to request a bearer token but limit
> > the Roles identified in the bearer token.  I'm looking
> > at org.jboss.resteasy.example.oauth.ProductDatabaseClient.  Would it be
> > right to look at the Access Token Scope to try and accomplish this.
> >   What I'm trying to do is have a set of REST services protected using
> > the @RolesAllowed and a less sensitive role.  Even though the Resource
> > Owner may have access to more sensitive roles, I don't want the bearer
> > token being given to the client to have all of these roles.  I'm working
> > my way through
> > org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and mapping
> > to the OAuth2 spec, but would welcome any guidance pointing me in the
> > right direction.
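The role-mapping behaviour Bill describes above (a user may hold "admin" and "user", but a token obtained through an OAuth client that is only allowed "user" carries just "user") is the whole point of the question, so here is a small model of it. This is an added example, not code from the Skeleton Key project or the resteasy examples, and it does not use the Skeleton Key API: the user/client/role data, the HMAC-SHA256 signature standing in for the real signed token format, the `roles_allowed` decorator standing in for `@RolesAllowed`, and the `get_products`/`delete_product` endpoints are all constructed for illustration. What it shows is the difference between a client-grant token that carries every role of the resource owner and a token issued for a specific client-id whose roles are the intersection of the owner's roles and the client's allowed roles, and how a resource server enforces that on an admin-only endpoint.

```python
"""Model of client-scoped role mapping for signed bearer tokens (constructed)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data, not from the Skeleton Key examples: the resource
# owner's full role set and the roles each OAuth client may assume.
USER_ROLES = {"doug": {"admin", "user"}}
CLIENT_ROLE_MAPPINGS = {
    "third-party": {"user"},            # this client may only assume "user"
    "ops-console": {"admin", "user"},
}
# Realm signing key (constructed). HMAC-SHA256 stands in for the signed token
# format; the point is that the role list is integrity-protected.
SIGNING_KEY = b"constructed-demo-realm-key"


class AuthError(Exception):
    pass


def roles_for_token(username, client_id=None):
    """Roles encoded in the token. With a client-id, the resource owner's roles
    are intersected with the client's allowed roles; client_id=None models the
    plain client-grant case where every role of the owner is carried."""
    user_roles = USER_ROLES[username]
    if client_id is None:
        return set(user_roles)
    return user_roles & CLIENT_ROLE_MAPPINGS[client_id]


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, client_id=None, ttl=300, now=None):
    """Auth-server side: build and sign a token for the (user, client) pair."""
    now = int(time.time()) if now is None else now
    body = {
        "principal": username,
        "client": client_id,
        "roles": sorted(roles_for_token(username, client_id)),
        "exp": now + ttl,
    }
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def verify_token(token, now=None):
    """Resource-server side: check signature and expiry, return the claims."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise AuthError("expired")
    return claims


def roles_allowed(*required):
    """Stand-in for @RolesAllowed: the token must carry one of the listed
    roles, otherwise the request is rejected before the body runs."""
    def decorate(fn):
        def wrapper(token, *args, **kwargs):
            claims = verify_token(token)
            if not set(claims["roles"]) & set(required):
                raise AuthError(f"{fn.__name__} requires one of {required}")
            return fn(claims, *args, **kwargs)
        return wrapper
    return decorate


@roles_allowed("user", "admin")
def get_products(claims):
    return ["iphone", "ipad"]          # constructed product list


@roles_allowed("admin")
def delete_product(claims, name):
    return f"{name} deleted by {claims['principal']} via {claims['client']}"


def client_can_delete(username, client_id):
    """Does a token obtained through this client reach the admin-only endpoint?"""
    try:
        delete_product(issue_token(username, client_id), "ipad")
        return True
    except AuthError:
        return False
```

With this model, `client_can_delete("doug", "third-party")` is False even though doug is an admin, while `client_can_delete("doug", None)` (the client-grant case with no client role mapping) is True, which is exactly the exposure the question is about. Because the roles are inside the signed payload, a client cannot widen them after issuance without invalidating the signature.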
