[mitreid-connect] Bulk data access security under OIDC

Justin Richer jricher at mit.edu
Thu Aug 6 09:10:51 EDT 2015


The client credentials grant type was created specifically for this use 
case: a client acting on its own behalf. As such, I'd go with option 2. 
You can lock the server down such that it can only give this special 
scope to this one client and no other clients or users can access it.

  -- Justin

On 8/5/2015 11:40 PM, Tony Fendall [DATACOM] wrote:
>
> Hello
>
> I have an existing web application which uses MITREid Connect and 
> exposes a REST API.  Currently passing access tokens to the REST API 
> gives access only to the data of the current user (who owns the access 
> token).  I want to extend this system and give a specific client 
> access to data of all users, and am wondering how best to implement this.
>
> *Option 1:*
>
> Create a specific user account with ROLE_BULK_ACCESS, then generate an 
> access token as this user. When holding this specific access token the 
> client application can then inherit this bulk access role giving them 
> access to the new end points.
>
> *Option 2:*
>
> Use client credentials (client id and secret) to generate a client 
> access token.  Give this client a specific “bulk access” scope which 
> can then be used to control access to the new end points.
>
> Do either of those options sound like a reasonable solution?  Any 
> advice would be gratefully received.
>
> Thanks
>
> Tony Fendall
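
As an added example (not MITREid Connect code), a small model of the option 2 policy described in the reply: the server grants the bulk scope only to the one registered client and never on a user-bound token, and the REST API admits only a client token that carries that scope. The client ids, the scope name and the client registry are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

BULK_SCOPE = "bulk_access"

# Constructed client registry (assumption): only "nightly-export" is registered
# for BULK_SCOPE, so the server never issues that scope to any other client.
CLIENTS = {
    "web-frontend": {"openid", "profile", "api"},
    "nightly-export": {"api", BULK_SCOPE},
}


@dataclass(frozen=True)
class Token:
    client_id: str
    scopes: FrozenSet[str]
    sub: Optional[str] = None  # None: client acting on its own behalf (option 2)


def issue_token(client_id: str, requested: Iterable[str],
                user: Optional[str] = None) -> Token:
    """Issue a token for a registered client, enforcing the server-side lockdown.

    Client credentials grant (user is None): every requested scope must be in
    the client's registered set, otherwise the request is refused.
    User-delegated grant (user given): BULK_SCOPE is narrowed away, even for
    the bulk client, so no user-bound token can reach the bulk endpoints.
    """
    allowed = CLIENTS.get(client_id)
    if allowed is None:
        raise PermissionError("unknown client")
    wanted = set(requested)
    if user is not None:
        wanted.discard(BULK_SCOPE)
    not_allowed = wanted - allowed
    if not_allowed:
        raise PermissionError(f"{client_id} is not registered for {sorted(not_allowed)}")
    return Token(client_id=client_id, scopes=frozenset(wanted), sub=user)


def can_access_bulk_endpoint(token: Token) -> bool:
    """Resource-server check for the all-users endpoints: the token must carry
    BULK_SCOPE and must be a client token (no user subject), so a user token
    that somehow carried the scope is still rejected."""
    return BULK_SCOPE in token.scopes and token.sub is None


if __name__ == "__main__":
    bulk = issue_token("nightly-export", ["api", BULK_SCOPE])
    print("bulk client token:", can_access_bulk_endpoint(bulk))  # True
    alice = issue_token("nightly-export", ["api", BULK_SCOPE], user="alice")
    print("user token via bulk client:", can_access_bulk_endpoint(alice))  # False
```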


