This repository has been archived by the owner on Aug 25, 2023. It is now read-only.

Add "owner" to AuthorizationCredential #23

Open
llorllale opened this issue Jul 29, 2020 · 2 comments

@llorllale
Contributor

We've recently done some changes:

The first change moves us more in the direction of authorization to a generic resource, not just simply authenticating the user. The second change furthers this by distinguishing the resource owner from the subject of the resource.

We're missing a way to express who authorized this access. We should add an ownerDID claim.

ownerDID != subjectDID when the resource is NOT a set of claims about the party that authorized access. E.g., Acme Bank authorizes IRS access to credit card statements about Eve.

llorllale added and removed the "question" label (Further information is requested) on Jul 29, 2020
@troyronda
Contributor

Which term from UMA do you feel is closest to the above?

@llorllale
Contributor Author

@troyronda UMA defines the term "resource owner":

resource owner
An OAuth resource owner that is the "user" in User-Managed Access. This is typically an end-user (a natural person) but it can also be a corporation or other legal person.

We could use "resourceOwner", but I'd be fine with "owner" as well.
