Granular scopes/permissions in ACS OAUTH token issuing


In addition to specifying the nameid that will subsequently be placed in the JWT issued by the ACS OAuth token-issuing endpoint, one can specify one or more "permission strings". The strings to be registered can (and probably should) come from the consent URI, with the consent step using the WebSSO session to decide whether such an application permission should be granted. Note that this has nothing to do with the "scope" parameter used in the OAuth protocol itself (which, in the ACS model, is tantamount to naming an RP).

[Screenshot omitted] Source: http://social.msdn.microsoft.com/Forums/windowsazure/en-US/5cfd442d-e815-4bad-a708-3ecc6650dd34/oauth-and-acs-how-can-we-implement-different-levels-of-consent

Concerning scope, however, note where the permission fields eventually end up within the issued token:

[Screenshot omitted] Source: http://msdn.microsoft.com/en-us/library/windowsazure/hh180762.aspx

Looking at an example that uses the SWT (not JWT) blob format, we see:

[Screenshot omitted] Source: http://msdn.microsoft.com/en-us/library/gg193416.aspx#ASPNET

We can presume that, in the JWT case, the permission string is expressed as one of the values of the scope field (alongside the "official" scope, i.e. the name of the ACS RP). Whatever the carrier field, the RP must still check the specific permission string it needs rather than merely that a valid token for its realm arrived.
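To make the SWT side of this concrete, here is an added example (my own code, not from the post or from Microsoft's ACS samples) that issues and then verifies an SWT carrying a nameid plus a multi-valued permission claim, and shows an RP enforcing one granular permission string. The SWT wire format (form-encoded name/value pairs, comma-separated multi-valued claims, and a trailing HMACSHA256 over everything before it) is the documented one; the signing key, realm, namespace and, in particular, the claim name used for the permission strings are assumptions, since the page does not show which claim type ACS actually uses.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed demo key. A real ACS SWT signing key is a base64-encoded 256-bit
# symmetric key shared between the ACS namespace and the relying party (RP).
SIGNING_KEY = base64.b64decode("H0fLWhdSxb7g1IqI7yGOPcl9qUZj6lBXqoVUzb1PBYE=")

# Assumed claim names: the page does not show the exact claim type ACS uses
# for registered permission strings, so PERMISSION_CLAIM is a placeholder.
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
PERMISSION_CLAIM = "permission"

AUDIENCE = "http://localhost/photos"                    # constructed RP realm
ISSUER = "https://example.accesscontrol.windows.net/"   # constructed ACS namespace
NOW = 1_300_000_000                                      # fixed clock for a reproducible demo


class SwtError(Exception):
    """Raised when a token fails a structural, signature or policy check."""


def encode_swt(claims, key):
    """Build a Simple Web Token: form-encoded name=value pairs joined by '&',
    signed by appending HMACSHA256=<base64 HMAC-SHA256 over everything before it>.
    A list value becomes one comma-separated multi-valued claim, as in ACS."""
    pairs = []
    for name, value in claims:
        if isinstance(value, (list, tuple)):
            value = ",".join(value)
        pairs.append(quote(name, safe="") + "=" + quote(str(value), safe=""))
    unsigned = "&".join(pairs)
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return unsigned + "&HMACSHA256=" + quote(base64.b64encode(mac).decode("ascii"), safe="")


def decode_swt(token, key, audience, issuer, now=None):
    """Verify signature, audience, issuer and expiry, then return the claims
    as {name: [values]}. Any failed check raises SwtError."""
    sep = "&HMACSHA256="
    idx = token.rfind(sep)
    if idx < 0:
        raise SwtError("token carries no HMACSHA256 signature")
    unsigned, sig = token[:idx], token[idx + len(sep):]
    expected = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    try:
        given = base64.b64decode(unquote(sig), validate=True)
    except ValueError:
        raise SwtError("signature is not valid base64")
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(expected, given):
        raise SwtError("signature mismatch (wrong key or tampered token)")
    claims = {}
    for pair in unsigned.split("&"):
        name, _, value = pair.partition("=")
        # Comma is the SWT multi-value separator, so split on it unconditionally.
        claims.setdefault(unquote(name), []).extend(unquote(value).split(","))
    if claims.get("Audience") != [audience]:
        raise SwtError("token was issued for a different audience")
    if claims.get("Issuer") != [issuer]:
        raise SwtError("unexpected issuer")
    now = int(time.time()) if now is None else now
    try:
        expires = int(claims["ExpiresOn"][0])   # ExpiresOn is Unix epoch seconds
    except (KeyError, ValueError):
        raise SwtError("missing or malformed ExpiresOn")
    if expires <= now:
        raise SwtError("token expired")
    return claims


def authorize(token, key, audience, issuer, required_permission, now=None):
    """RP-side decision: the token must verify AND carry the granular permission
    string; being a valid token for this RP (the OAuth 'scope') is not enough."""
    claims = decode_swt(token, key, audience, issuer, now)
    granted = set(claims.get(PERMISSION_CLAIM, []))
    if required_permission not in granted:
        raise SwtError(f"token lacks permission {required_permission!r}")
    return claims[NAMEID_CLAIM][0], sorted(granted)


def demo_token(permissions, expires_in=3600, key=SIGNING_KEY):
    """Issue a constructed token the way the ACS endpoint would for this demo."""
    return encode_swt([
        (NAMEID_CLAIM, "alice@example.com"),
        (PERMISSION_CLAIM, permissions),
        ("Issuer", ISSUER),
        ("Audience", AUDIENCE),
        ("ExpiresOn", str(NOW + expires_in)),
    ], key)


def check(token, required_permission, audience=AUDIENCE, now=NOW):
    """Wrap authorize() into a result tuple suitable for logging or asserting."""
    try:
        nameid, granted = authorize(token, SIGNING_KEY, audience, ISSUER, required_permission, now)
        return ("granted", nameid, granted)
    except SwtError as e:
        return ("denied", str(e))


if __name__ == "__main__":
    tok = demo_token(["photos.read", "photos.upload"])
    print(tok)
    print(check(tok, "photos.read"))
    print(check(demo_token(["photos.read"]), "photos.upload"))
    print(check(tok.replace("photos.read", "photos.admin"), "photos.admin"))
```

The tampering case is the one worth noting: rewriting `photos.read` to `photos.admin` inside the claim text leaves the trailing HMAC stale, so the RP rejects it before it ever looks at permissions. The signature must be checked over the exact byte string received, before any URL-decoding, which is why `decode_swt` splits on the literal `&HMACSHA256=` and only then parses the pairs.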


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in oauth.