So continuing to peel back the onion... and getting somewhere...

Thanks for the pointers.  I re-read the docs especially around

http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454

I noticed that the commerce-roles.properties for the current OAuth2
examples has the following:

bbu...@redhat.com=user,products
admin=admin
customer-portal=login
product-portal=login
third-party=oauth,*

I see that the oauth-client-example project is using the client-id
"third-party" which is specified in
the org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized().  What
I want to do is to get a bearer token programmatically as is done in the
client-grant example
(i.e. org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
) but I want to specify the client-id so that I can limit the roles that
are encoded in the bearer token.  My assumption is that
since org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
is using basic authentication to the auth server that the bearer token
returned will have all roles for bbu...@redhat.com.

So my question is can I easily modify the
ProductDatabaseClient.getProducts() so that I am specifying a client-id for
the resulting bearer token and if so can you point at the right part of the
API that I should be looking at?

Thanks much,
Doug

On Tue, Apr 16, 2013 at 9:33 AM, Bill Burke <bbu...@redhat.com> wrote:

> OAuth2 does not define the token format.  We have defined our own token
> format that transmits signed role-mapping metadata.
>
> Check this out:
>
>
> http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454
>
> An "Oauth client" in skeleton key can be assigned a set of roles that it
> is allowed to assume.  So, even though a specific user might have
> "admin" and "user" permissions, you can specify in the "oauth client"
> role mapping that the "oauth client" is only allowed to assume "user"
> permissions.  Please read the linked documentation and get back to this
> list if you have more questions.
>
> FYI, because our OAuth2 code reuses and is built on top of JBoss's
> existing Security Domain APIs there's only so much flexibility that can
> be provided.  In the future, I have plans to leverage the new IDM API in
> AS8 so that you can do more complex role mappings and OAuth2 scopes.
> Right now you're limited to what the documentation specifies.  Please
> get back to me.  I want to know if what we have is good enough for now,
> or if it is unusable.
>
> On 4/16/2013 9:17 AM, Doug Schnelzer wrote:
> > Thanks.  As a follow up, I'd like to request a bearer token but limit
> > the Roles identified in the bearer token.  I'm looking
> > at org.jboss.resteasy.example.oauth.ProductDatabaseClient.  Would it be
> > right to look at the Access Token Scope to try and accomplish this?
> > What I'm trying to do is have a set of REST services protected using
> > the @RolesAllowed and a less sensitive role.  Even though the Resource
> > Owner may have access to more sensitive roles, I don't want the bearer
> > token being given to the client to have all of these roles.  I'm working
> > my way through
> > org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and mapping
> > to the OAuth2 spec, but would welcome any guidance pointing me in the
> > right direction.
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
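To make the role-limiting behaviour discussed above concrete, here is an added model of the semantics Bill describes: a user's bearer token, when obtained through an "oauth client", carries only the roles that client is allowed to assume. This is illustration code written for this thread, not skeleton key or RESTEasy code, and it makes two assumptions about the quoted commerce-roles.properties format: the `oauth` role marks a principal as an OAuth client, and `*` means the client may assume any role the resource owner has. The user `alice` and the client `limited-client` are constructed; the other entries come from the file quoted in the thread.

```python
"""Model of 'oauth client' role limiting for a roles.properties-style mapping.

Added illustration for the thread, not skeleton key code. The effective roles
in a bearer token are assumed to be the intersection of the resource owner's
roles and the roles the requesting oauth client is permitted to assume.
"""

# Constructed sample: the thread's commerce-roles.properties plus a constructed
# user "alice" (in place of the redacted address) and a hypothetical client
# "limited-client" that may only assume the "user" role.
SAMPLE_ROLES_PROPERTIES = """
# users
alice=user,products
admin=admin
# oauth clients: "oauth" marks the principal as a client (assumption),
# the remaining roles are what the client may assume; "*" = anything
customer-portal=login
product-portal=login
third-party=oauth,*
limited-client=oauth,user
"""


def parse_roles_properties(text):
    """Parse 'principal=role1,role2' lines into {principal: set(roles)}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        principal, sep, roles = line.partition("=")
        if not sep:
            continue  # malformed line: no '=' separator
        role_set = {r.strip() for r in roles.split(",") if r.strip()}
        mapping[principal.strip()] = role_set
    return mapping


def is_oauth_client(mapping, client_id):
    """A principal is treated as an oauth client if it holds the 'oauth' role (assumption)."""
    return "oauth" in mapping.get(client_id, set())


def effective_token_roles(mapping, user, client_id):
    """Roles a bearer token issued to client_id on behalf of user may carry.

    Raises PermissionError when client_id is not an oauth client, so a plain
    role-mapped principal such as 'customer-portal' cannot obtain tokens.
    """
    if not is_oauth_client(mapping, client_id):
        raise PermissionError(f"{client_id!r} is not an oauth client")
    user_roles = mapping.get(user, set())
    allowed = mapping[client_id] - {"oauth"}
    if "*" in allowed:
        return set(user_roles)  # wildcard: client may assume all of the user's roles
    return user_roles & allowed  # otherwise only the overlap


def roles_allowed(token_roles, required):
    """@RolesAllowed-style check: grant if the token holds any required role."""
    return bool(set(token_roles) & set(required))


if __name__ == "__main__":
    mapping = parse_roles_properties(SAMPLE_ROLES_PROPERTIES)
    for client in ("third-party", "limited-client"):
        roles = effective_token_roles(mapping, "alice", client)
        print(f"alice via {client}: {sorted(roles)}")
        print(f"  may call a @RolesAllowed('products') service: "
              f"{roles_allowed(roles, ['products'])}")
```

The point for the question in the thread: with `third-party` (allowed `*`) the token carries every role `alice` holds, whereas `limited-client` yields only `user`, so a service annotated for `products` rejects it even though the resource owner has that role. Which client-id the token is minted under is therefore what bounds the token's privileges, independent of how the user authenticated.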
_______________________________________________
Resteasy-users mailing list
Resteasy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/resteasy-users
