
Explain Scoping

1 parent 242ad56 commit 58b121d9f71577e607e94b514ea321c823f705c9 @bipthelin bipthelin committed Nov 14, 2012
Showing with 25 additions and 3 deletions.
  1. +22 −0 README.md
  2. +1 −1 src/oauth2.erl
  3. +2 −2 test/oauth2_tests.erl
@@ -25,6 +25,28 @@ An expired token cannot be used to gain access to resources.
A token is associated with an *identity* -- a value that uniquely identifies
a user, client or agent within your system. Typically, this is a user identifier.
+### Scope
+The scope is handled by the backend implementation. The specification outlines
+that the scope is a space delimetered set of parameters. This library
+has been developed with the following in mind.
+
+Scope is implemented as a set and loosely modeled after the Solaris RBAC priviliges, i.e.
+`solaris.x.*` and implemented as a [MAC](http://en.wikipedia.org/wiki/Mandatory_access_control)
+with the ability to narrow the scope but not extend it beyond the predefined scope.
+
+There is a utility module to work with scope. The recommendation is to pass
+a Scope as a list of binaries, i.e. `[<<"root.a.c.b">>, <<"root.x.y.z">>]`
+you can then validate these against another set like:
+
+``` erlang
+> oauth2_priv_set:is_subset(oauth2_priv_set:new([<<"root.a.b">>, <<"root.x.y">>]), oauth2_priv_set:new([<<"root.*">>])).
+true
+> oauth2_priv_set:is_subset(oauth2_priv_set:new([<<"root.a.b">>, <<"root.x.y">>]), oauth2_priv_set:new([<<"root.x.y">>])).
+false
+> oauth2_priv_set:is_subset(oauth2_priv_set:new([<<"root.a.b">>, <<"root.x.y">>]), oauth2_priv_set:new([<<"root.a.*">>, <<"root.x.y">>])).
+true
+```
+
### Clients
If you have many diverse clients connecting to your service -- for instance,
a web client and an iPhone app -- it's desirable to be able to distinguish
@@ -44,7 +44,7 @@
%%% Exported types
-type token() :: binary().
-type lifetime() :: non_neg_integer().
--type scope() :: binary().
+-type scope() :: list(binary()) | binary().
-type error() :: invalid_request | unauthorized_client
| access_denied | unsupported_response_type
| invalid_scope | server_error
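Review bot: The widened `scope()` type on the `+` line admits two representations of the same value — the raw binary (the space-delimited string the OAuth2 spec describes, per the README) and the already-split list of binaries — without saying where one becomes the other, so every backend callback that receives a scope must now be prepared for both shapes. A short comment on the type would pin the contract, e.g. `%% Raw space-delimited scope string as received from the client, or the same scope already split into a list of privilege binaries (see oauth2_priv_set).` If the binary form is only meant as transitional input that is split at the API boundary, it would be safer to say so here and keep the list form as the canonical shape the backend sees; whether such a split exists is not visible in this hunk. Minor style point: `[binary()]` is the more common spelling of `list(binary())`.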
@@ -31,7 +31,7 @@
%%% Placeholder values that the mock backend will recognize.
-define(USER_NAME, <<"herp">>).
-define(USER_PASSWORD, <<"derp">>).
--define(USER_SCOPE, <<"xyz">>).
+-define(USER_SCOPE, [<<"xyz">>]).
-define(RESOURCE_OWNER, <<"user">>).
-define(CLIENT_ID, <<"TiaUdYODLOMyLkdaKkqlmhsl9QJ94a">>).
@@ -55,7 +55,7 @@ bad_authorize_password_test_() ->
oauth2:authorize_password(
<<"herp">>,
<<"derp">>,
- <<"xyz">>)),
+ [<<"xyz">>])),
?_assertMatch({error, access_denied},
oauth2:authorize_password(
<<"herp">>,
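Review bot: The second hunk's literal `[<<"xyz">>]` duplicates the value that `?USER_SCOPE` now holds in the first hunk, so the two can drift apart again on the next representation change; passing `?USER_SCOPE` as the scope argument keeps them in step. The companion change to `scope()` in src/oauth2.erl also admits a bare binary, yet both hunks here move the tests to the list form only, leaving the binary alternative of the new type without a test — if that form is meant to be supported, a `?_assertMatch` on `authorize_password` with `<<"xyz">>` would cover it, and if it is not, the type should probably not advertise it. `bad_authorize_password_test_` begins at the hunk header and continues outside the hunk.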
