OAuth access and privacy
Hi everybody,
One of our users requested to be allowed to have access to our CLM by using OAuth (he's developing an application).
https://jazz.net/wiki/bin/view/Main/AppSdkDelegatingAuth#OAuth_Overview
I have investigated this and I have found out that there are several things that are not well defined (described):
1) How to limit the access of such an application (for example, allow access only to a specific project area BUT without breaking the privacy of the rest of the project areas)?
2) How to define the rights that this application will have (allow creating work items, but deny creating project areas or deny creating users)?
3) How can we track the usage of such OAuth authentication? (In case we need to make a statistic of how many calls per week/day/month etc.)
4) License usage (how to assign a license for such a call etc.)
I'm asking these because these are quite important for my organization.
Thank you in advance,
Dacian
Accepted answer
Hi Dacian,
my understanding of oAuth has always been that it is a supplement to the standard user/password authentication/authorization. All of what you describe above is, I would say, controlled by the latter.
I see oAuth as allowing the Application access. But that is not enough, a user must also authenticate. If the oAuth dance fails, you don't get an opportunity to log in - you won't even get the login dialog. If it succeeds, then you log in and get to see what services are available to your user.
This is based on my observations of how the DOORS OSLC integrations work. Maybe there is more to it and I could be wrong but I thought I would share anyway.
HTH
Maeve
Comments
That is basically right ... oAuth is just a way of authenticating, and once you have successfully authenticated via oAuth, you will be logged in as a given Jazz user, with only the rights of that user (i.e. no different than if you had logged in as that user via the Eclipse client, the Visual Studio client, the command line, or the web browser client).
Thank you Maeve OReilly and Geoffrey Clemm. Now it's clear for me!