So continuing to peel back the onion... and getting somewhere...
Thanks for the pointers. I re-read the docs especially around
I noticed that the commerce-roles.properties for the current OAuth2
examples has the following:
I see that the oauth-client-example project is using the client-id
"third-party" which is specified in
the org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized(). What
I want to do is to get a bearer token programmatically as is done in the
client-grant example
) but I want to specify the client-id so that I can limit the roles that
are encoded in the bearer token. My assumption is that
is using basic authentication to the auth server, so the bearer token
returned will have all roles for bbu...@redhat.com.
So my question is can I easily modify the
ProductDatabaseClient.getProducts() so that I am specifying a client-id for
the resulting bearer token and if so can you point at the right part of the
API that I should be looking at?
On Tue, Apr 16, 2013 at 9:33 AM, Bill Burke <bbu...@redhat.com> wrote:
> OAuth2 does not define the token format. We have defined our own token
> format that transmits signed role-mapping metadata.
> Check this out:
> An "Oauth client" in skeleton key can be assigned a set of roles that it
> is allowed to assume. So, even though a specific user might have
> "admin" and "user" permissions, you can specify in the "oauth client"
> role mapping that the "oauth client" is only allowed to assume "user"
> permissions. Please read the linked documentation and get back to this
> list if you have more questions.
> FYI, because our OAuth2 code reuses and is built on top of JBoss's
> existing Security Domain APIs there's only so much flexibility that can
> be provided. In the future, I have plans to leverage the new IDM API in
> AS8 so that you can do more complex role mappings and OAuth2 scopes.
> Right now you're limited to what the documentation specifies. Please
> get back to me. I want to know if what we have is good enough for now,
> or if it is unusable.
> On 4/16/2013 9:17 AM, Doug Schnelzer wrote:
> > Thanks. As a follow up, I'd like to request a bearer token but limit
> > the Roles identified in the bearer token. I'm looking
> > at org.jboss.resteasy.example.oauth.ProductDatabaseClient. Would it be
> > right to look at the Access Token Scope to try and accomplish this.
> > What I'm trying to do is have a set of REST services protected using
> > the @RolesAllowed and a less sensitive role. Even though the Resource
> > Owner may have access to more sensitive roles, I don't want the bearer
> > token being given to the client to have all of these roles. I'm working
> > my way through
> > org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and mapping
> > to the OAuth2 spec, but would welcome any guidance pointing me in the
> > right direction.
> Bill Burke
> JBoss, a division of Red Hat
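The client-scoped role mapping Bill describes above (a user holding "admin" and "user" but an OAuth client only allowed to assume "user"), as an added Python illustration that is not part of this thread or of Skeleton Key's code. The user table, the per-client allowed-role table, the HMAC-signed token layout, the issue_token/verify_token helpers and the roles_allowed decorator standing in for @RolesAllowed are all assumptions made for the demonstration, not the project's token format or API. The point it shows: the token minted for the "third-party" client carries only the roles that client may assume, and the resource side enforces that from the signed claims rather than from the user's full role set.

```python
"""Constructed illustration of client-scoped roles in a signed bearer token.

Everything here (role tables, token layout, HMAC signing, decorator) is an
assumption for the demo; it is not Skeleton Key's own format or API.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed data, not taken from the example project's properties files.
USER_ROLES = {"alice": {"admin", "user"}}

# Roles each OAuth client may assume, independent of what the user holds.
CLIENT_ALLOWED_ROLES = {
    "third-party": {"user"},
    "admin-console": {"admin", "user"},
}

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: shared HMAC key


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, client_id: str, key: bytes = SIGNING_KEY,
                ttl: int = 300) -> str:
    """Mint a token whose roles are the intersection of the user's roles
    and the roles the requesting client is allowed to assume."""
    if client_id not in CLIENT_ALLOWED_ROLES:
        raise KeyError(f"unknown client {client_id!r}")
    roles = sorted(USER_ROLES[user] & CLIENT_ALLOWED_ROLES[client_id])
    payload = {"sub": user, "client_id": client_id, "roles": roles,
               "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Check the signature and expiry; return the claims or raise ValueError."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


def roles_allowed(*required):
    """Stand-in for @RolesAllowed: the handler runs only if the verified
    token carries at least one of the required roles."""
    def decorator(fn):
        def wrapper(token, *args, **kwargs):
            claims = verify_token(token)
            if not set(required) & set(claims["roles"]):
                raise PermissionError(
                    f"{claims['client_id']} acting for {claims['sub']} "
                    f"lacks any of {required}")
            return fn(claims, *args, **kwargs)
        return wrapper
    return decorator


@roles_allowed("user")
def get_products(claims):
    return ["widget", "gadget"]


@roles_allowed("admin")
def delete_product(claims, name):
    return f"{name} deleted by {claims['sub']} via {claims['client_id']}"


if __name__ == "__main__":
    limited = issue_token("alice", "third-party")
    print(verify_token(limited)["roles"])  # only the client's allowed roles
    print(get_products(limited))
    try:
        delete_product(limited, "widget")
    except PermissionError as err:
        print("denied:", err)
```

The restriction is decided at token issue time from the client id, which is the same idea as Skeleton Key's per-client role mapping; the resource never consults the user's full role set, so a token obtained through a low-privilege client cannot reach an admin-only method even though the resource owner is an admin.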
Resteasy-users mailing list