So you want to specify user, client-id, and their credentials and get
back a token that is limited to what the client-id is allowed to get?
All in one request? I don't have an API for this at the moment.
On 4/16/2013 11:50 AM, Doug Schnelzer wrote:
> So continuing to peel back the onion... and getting somewhere...
> Thanks for the pointers. I re-read the docs especially around
> I noticed that the commerce-roles.properties for the current OAuth2
> examples has the following:
> bbu...@redhat.com=user,products
> I see that the oauth-client-example project is using the client-id
> "third-party" which is specified in
> the org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized().
> What I want to do is to get a bearer token programmatically as is done
> in the client-grant example
> (i.e. org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
> ) but I want to specify the client-id so that I can limit the roles that
> are encoded in the bearer token. My assumption is that
> since org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()
> is using basic authentication to the auth server that the bearer token
> returned will have all roles for bbu...@redhat.com
> So my question is can I easily modify the
> ProductDatabaseClient.getProducts() so that I am specifying a client-id
> for the resulting bearer token and if so can you point at the right part
> of the API that I should be looking at?
> Thanks much,
> On Tue, Apr 16, 2013 at 9:33 AM, Bill Burke <bbu...@redhat.com> wrote:
> OAuth2 does not define the token format. We have defined our own token
> format that transmits signed role-mapping metadata.
> Check this out:
> An "Oauth client" in skeleton key can be assigned a set of roles that it
> is allowed to assume. So, even though a specific user might have
> "admin" and "user" permissions, you can specify in the "oauth client"
> role mapping that the "oauth client" is only allowed to assume "user"
> permissions. Please read the linked documentation and get back to this
> list if you have more questions.
> FYI, because our OAuth2 code reuses and is built on top of JBoss's
> existing Security Domain APIs there's only so much flexibility that can
> be provided. In the future, I have plans to leverage the new IDM API in
> AS8 so that you can do more complex role mappings and OAuth2 scopes.
> Right now you're limited to what the documentation specifies. Please
> get back to me. I want to know if what we have is good enough for now,
> or if it is unusable.
> On 4/16/2013 9:17 AM, Doug Schnelzer wrote:
> > Thanks. As a follow up, I'd like to request a bearer token but limit
> > the Roles identified in the bearer token. I'm looking
> > at org.jboss.resteasy.example.oauth.ProductDatabaseClient. Would it be
> > right to look at the Access Token Scope to try and accomplish this.
> > What I'm trying to do is have a set of REST services protected by
> > the @RolesAllowed and a less sensitive role. Even though the
> > Owner may have access to more sensitive roles, I don't want the bearer
> > token being given to the client to have all of these roles. I'm
> > my way through
> > org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and
> > to the OAuth2 spec, but would welcome any guidance pointing me in the
> > right direction.
> Bill Burke
> JBoss, a division of Red Hat
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> Resteasy-users mailing list
JBoss, a division of Red Hat
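As an added illustration of the role narrowing discussed in this thread (this is not skeleton key's implementation and not code from either message): the roles encoded in the bearer token are the user's roles restricted to what the requesting OAuth client is allowed to assume. The principal names, the client names and the second properties file are constructed; only the `principal=role1,role2` line format is taken from the thread.

```python
# Constructed illustration, not skeleton key's code: a token minted for a
# client should carry only the roles the user holds AND the client may assume.

# Constructed sample in the commerce-roles.properties style quoted in the thread.
USER_ROLES_PROPERTIES = """\
# principal=role1,role2
bob@example.invalid=user,products
alice@example.invalid=user,admin
"""

# Constructed sample: roles each OAuth client is allowed to assume.
CLIENT_ROLES_PROPERTIES = """\
third-party=user
back-office=user,admin
"""


def parse_role_mapping(text):
    """Parse 'principal=role1,role2' lines into {principal: set(roles)}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, _, roles = line.partition("=")
        mapping[principal.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return mapping


def token_roles(user, client_id, user_map, client_map):
    """Roles to encode in the bearer token: user roles narrowed by the client's allowance."""
    allowed = client_map.get(client_id)
    if allowed is None:
        # An unregistered client-id must not be granted anything.
        raise ValueError("unknown client-id: %r" % client_id)
    return user_map.get(user, set()) & allowed


def authorize(roles_in_token, roles_allowed):
    """Emulate a @RolesAllowed check against the roles carried by the token."""
    return bool(set(roles_in_token) & set(roles_allowed))


if __name__ == "__main__":
    users = parse_role_mapping(USER_ROLES_PROPERTIES)
    clients = parse_role_mapping(CLIENT_ROLES_PROPERTIES)
    roles = token_roles("alice@example.invalid", "third-party", users, clients)
    print(sorted(roles), authorize(roles, ["admin"]))  # admin is dropped for this client
```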