What is currently missing?
Unless I'm mistaken, the OAuth2 authentication and authorization mechanism only allows granting access depending on the verb of the API used (GET, PUT...) and the role of the user, without the ability to set a resource pattern.
{"GET": ["schema:read", "subject:read"], "POST": ["schema:write", "subject:write"], "PUT": [], "DELETE": []}
This is limiting as it does not allow the setting of fine-grained permissions, as can be done via the authorization file and Basic Auth.
How could this be improved?
Please consider supporting finer-grained permissions for OAuth access.
For example, by fetching the permissions from a permissions claim.
sasl_oauthbearer_permissions: List[TypedDict('ACLEntry', {'operation': str, 'resource': str})] = [{"operation": "Read", "resource": "Subject:general.*"}, {"operation": "Read", "resource": "Config:"}]
And perhaps alternatively by mapping the sub claim to the permissions of a username in the authorization file, which does not yet seem to be the case.
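As an added illustration, not code from this issue or from the project, here is one way a registry could evaluate such a permissions claim: each ACL entry's resource pattern is matched against a "<Type>:<name>" resource as an anchored regular expression, HTTP verbs are mapped onto Read/Write operations, and anything missing or malformed denies. The verb-to-operation mapping, the regex semantics of the pattern, and the sample token claims are assumptions; token signature and expiry checks are assumed to have happened earlier.

```python
import re
from typing import Any, TypedDict


class ACLEntry(TypedDict):
    operation: str  # "Read" or "Write"
    resource: str   # pattern over "<Type>:<name>", e.g. "Subject:general.*"


# Assumed mapping of HTTP verbs onto the operation names carried in the claim.
VERB_TO_OPERATION = {"GET": "Read", "POST": "Write", "PUT": "Write", "DELETE": "Write"}

# Constructed sample: ACL entries from the "permissions" claim of a token
# whose signature and expiry were already verified before this point.
SAMPLE_PERMISSIONS: list[ACLEntry] = [
    {"operation": "Read", "resource": "Subject:general.*"},
    {"operation": "Read", "resource": "Config:"},
]
SAMPLE_CLAIMS: dict[str, Any] = {"sub": "ci-pipeline", "permissions": SAMPLE_PERMISSIONS}


def entry_grants(entry: Any, operation: str, resource: str) -> bool:
    """True if one ACL entry grants `operation` on `resource`.

    The pattern is treated as a regular expression that must match the whole
    resource string, so a pattern anchored at "Subject:" cannot be satisfied by
    "NotSubject:...". Malformed entries and invalid patterns never grant anything.
    """
    if not isinstance(entry, dict) or entry.get("operation") != operation:
        return False
    pattern = entry.get("resource")
    if not isinstance(pattern, str):
        return False
    try:
        return re.fullmatch(pattern, resource) is not None
    except re.error:
        return False


def is_authorized(claims: dict[str, Any], verb: str, resource: str) -> bool:
    """Deny by default: grant only if some entry in the permissions claim matches."""
    operation = VERB_TO_OPERATION.get(verb.upper())
    if operation is None:
        return False
    entries = claims.get("permissions")
    if not isinstance(entries, list):
        return False
    return any(entry_grants(e, operation, resource) for e in entries)


if __name__ == "__main__":
    print(is_authorized(SAMPLE_CLAIMS, "GET", "Subject:general.orders"))   # True
    print(is_authorized(SAMPLE_CLAIMS, "POST", "Subject:general.orders"))  # False
```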