[Openid-specs-heart] How do you define a resource set?

Vivek Biswas vivek_biswas at yahoo.com
Fri Jul 1 21:25:33 UTC 2016


A lot of work has been done in
https://docs.oasis-open.org/xspa/saml-xspa/v2.0/saml-xspa-v2.0.html
and also in
http://docs.oasis-open.org/xacml/xspa/v1.0/xacml-xspa-1.0.html
defining various identifiers.

Some of these identifiers can be re-used/re-purposed for defining scopes around resources.
Cheers
Vivek Biswas, CISSP
Consulting Member at Oracle

      From: Justin Richer <jricher at mit.edu>
 To: Debbie Bucci <debbucci at gmail.com> 
Cc: "openid-specs-heart at lists.openid.net" <openid-specs-heart at lists.openid.net>
 Sent: Friday, July 1, 2016 1:55 PM
 Subject: Re: [Openid-specs-heart] How do you define a resource set?
   
No, I think you’re reading it correctly. The RS defines what the resources are, and it communicates to the AS the protection mechanisms around that. So it can say “I have these resource sets”, and it can also say “this resource set has these scopes associated with it”. But it’s up to the API definition (FHIR in our case) to decide what actually goes into the sets themselves. It’s up to either the API definition or a security profile (like what we’re doing here in HEART) to define the mapping between scopes and resulting actions/data. But it’s always up to the RS to enforce these.
The UMA standard also has “resource set type” but those types aren’t defined or really used anywhere to my knowledge. We could, as part of our profile work, define resource set types based around FHIR resources as well as the scopes associated with them.
 — Justin

On Jul 1, 2016, at 4:17 PM, Debbie Bucci <debbucci at gmail.com> wrote:

In an effort to move things along, I was going to attempt to define a resource set or two. Is https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html the right document to reference? Boy did I have things backasswords!


This document describes how to post/get/update/delete the overall resource set name, but I am having a bit of difficulty understanding what resources are actually in that set. Given that it is defined on the RS, perhaps the AS would never know, nor could it make fine-grained decisions on an element within the set. Instead the AS could consent or deny to share based on AIDS or mental diagnosis, but it would be up to the RS to understand how to translate how those decisions are made.

This helps better explain to me how the AS could configure/register/interact with a different RS *on the fly*.  So, based on skimming the reference, our profile will suggest resource set names for subsets of  data that we believe a consumer would want to authorize and potentially additional scopes not included as part of the FHIR/OAUTH Profile.  Even those would be dependent on what the RS is willing or could technically support.

I'm missing something  ... right?

Deb


_______________________________________________
Openid-specs-heart mailing list
Openid-specs-heart at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-heart




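Added example, not code from the thread, the HEART profile or any UMA implementation: a Python sketch of the split Justin describes. The RS keeps the membership rule for each set (which FHIR resources are in it) and the enforcement logic to itself, registers only a name, a type and a list of scopes with the AS, and then checks each request against the permissions the AS issued. The set names, the `type` URIs, the SMART-style `patient/<Type>.read` scope strings, the local `mental-health` category code and the sample RPT permissions are all constructed assumptions for illustration.

```python
"""Added example (not from the thread): RS-side model of UMA resource sets over FHIR.

The AS only ever sees the registration document (name, type, scopes). What is
in a set, how a scope maps to an HTTP method, and the final allow/deny decision
all stay on the RS, as Justin describes.

Assumptions (constructed, not from the thread or any spec): the scope strings,
set names, `type` URIs, the local "mental-health" category code and the RPT
permissions used below.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable


def _has_category(resource: dict, code: str) -> bool:
    """True if a FHIR resource carries a category coding with the given code."""
    for cat in resource.get("category", []):
        for coding in cat.get("coding", []):
            if coding.get("code") == code:
                return True
    return False


@dataclass
class ResourceSet:
    name: str                       # what the AS sees
    set_type: str                   # UMA "type" field (assumed URI, see thread)
    fhir_type: str                  # RS-internal: resourceType of members
    member: Callable[[dict], bool]  # RS-internal: membership predicate
    scopes: list[str]               # scopes the RS declares for this set
    as_id: str | None = None        # `_id` the AS returns on registration

    def registration_document(self) -> dict:
        """Body the RS POSTs to the AS registration endpoint: name, type and
        scopes only. fhir_type and the membership rule deliberately stay out."""
        return {"name": self.name, "type": self.set_type, "scopes": list(self.scopes)}

    def contains(self, resource: dict) -> bool:
        return resource.get("resourceType") == self.fhir_type and self.member(resource)


# Constructed sets. Two sets may overlap: a mental-health Condition is in both.
RESOURCE_SETS = [
    ResourceSet(
        name="mental-health-conditions",
        set_type="http://example.org/heart/rset/condition",   # constructed URI
        fhir_type="Condition",
        member=lambda r: _has_category(r, "mental-health"),   # constructed local code
        scopes=["patient/Condition.read", "patient/Condition.write"],
    ),
    ResourceSet(
        name="all-conditions",
        set_type="http://example.org/heart/rset/condition",
        fhir_type="Condition",
        member=lambda r: True,
        scopes=["patient/Condition.read"],
    ),
]


def required_scope(method: str, fhir_type: str) -> str:
    """Profile-level mapping from HTTP method on a FHIR type to a scope. This is
    the piece the API definition or security profile defines, not the AS."""
    action = "read" if method.upper() in ("GET", "HEAD") else "write"
    return f"patient/{fhir_type}.{action}"


def _fake_as_registration(doc: dict) -> dict:
    """Stand-in for the AS endpoint (no network): mints an `_id` per set name."""
    return {"_id": "rsid-" + doc["name"]}


def register_all(post_to_as: Callable[[dict], dict]) -> dict[str, str]:
    """Register every set with the AS and remember the `_id` it hands back."""
    ids: dict[str, str] = {}
    for rs in RESOURCE_SETS:
        rs.as_id = post_to_as(rs.registration_document())["_id"]
        ids[rs.name] = rs.as_id
    return ids


def authorize(rpt_permissions: list[dict], method: str, resource: dict,
              now: float | None = None) -> bool:
    """RS enforcement. Allow only if an unexpired permission in the RPT names a
    set this resource belongs to, grants the scope the request needs, and that
    scope is one the RS actually declared for the set (an AS cannot grant more
    than the RS registered). rpt_permissions mirrors the UMA permissions array:
    [{"resource_set_id": ..., "scopes": [...], "exp": <unix time>}]."""
    now = time.time() if now is None else now
    need = required_scope(method, resource.get("resourceType", ""))
    for perm in rpt_permissions:
        if perm.get("exp", float("inf")) <= now:
            continue                       # expired permission: ignore it
        if need not in perm.get("scopes", []):
            continue                       # scope not granted for this set
        for rs in RESOURCE_SETS:
            if (rs.as_id == perm.get("resource_set_id")
                    and rs.contains(resource) and need in rs.scopes):
                return True
    return False


if __name__ == "__main__":
    ids = register_all(_fake_as_registration)
    mh = {"resourceType": "Condition", "id": "c1",
          "category": [{"coding": [{"code": "mental-health"}]}]}   # constructed
    perms = [{"resource_set_id": ids["mental-health-conditions"],
              "scopes": ["patient/Condition.read"], "exp": time.time() + 3600}]
    print("GET allowed:", authorize(perms, "GET", mh))
    print("PUT allowed:", authorize(perms, "PUT", mh))
```

The point of the shape is the asymmetry Justin and Deb arrive at: `registration_document()` is all the AS ever learns, so it can only consent or deny at the granularity of a named set and its scopes, while `contains()` and `authorize()` (the membership rule and the scope-to-method mapping) never leave the RS. The extra `need in rs.scopes` check in `authorize()` is the caveat a practitioner wants: the RS should refuse a scope the AS hands out for a set that was never registered with that scope, rather than trust the token blindly.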