
input from Michiel

Open michielbdejong opened this issue 5 years ago • 2 comments

  • user uses browser to visit a web app
  • web app redirects the user to log in to IDP/auth-server and get a bearer token (could be repeated for JIT auth)
  • IDP/auth-server redirects the user back to the web app
  • web app uses the bearer token to access some storage server?

questions:

  1. which resources does the web app get read/write/append/control access to?
  2. how does the web app tell the IDP/auth-server which access scopes they request?
  3. how does the user tell the IDP/auth-server about their decision?
  4. how does the IDP/auth-server communicate the user's decision to the storage server?

About 4., I (Michiel) think the best way to do that would have to be some way represented inside the bearer token, right?

  1. is a UX problem, and very difficult.

  2. is related to 3. but additionally needs some standardization.

    • Currently we only say read/write/append/control, all or nothing. Other dimensions could be per document (but should the user understand file paths? and is that safe?), or type of document / domain, or context of the data.

michielbdejong, Aug 01 '19 15:08

Pros and Cons to putting permissions in the Bearer token

PROS

  • No need for the IDP to interact with the storage server

CONS

  • Assumes that the IDP has responsibility over access control
  • Must authenticate on each device (though perhaps it could be stored on the IDP)

jaxoncreed, Aug 01 '19 15:08

we should have a server-side, revokable, representation of the user's decision

michielbdejong, Aug 01 '19 15:08
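The two options argued over in this thread (the user's decision carried inside the bearer token versus a server-side, revocable grant record) can be put side by side in a small simulation. The following Python is an added example written for this page; it is not code from the authorization-panel project or from either commenter, and it does not reproduce Solid's real token format. It assumes an HMAC-signed token as a stand-in for whatever the IDP/auth-server would really issue, a shared in-memory dict standing in for the IDP's grant store, and constructed WebIDs, app origins and storage paths. The per-path modes (read/write/append/control) are the ones the thread names. It shows the trade-off from jaxoncreed's list: the embedded token needs no IDP contact from the storage server but stays valid after the user changes their mind, while the referenced grant can be revoked immediately at the cost of a lookup on every request. It also shows why embedding the decision in the token is only safe if the storage server verifies the signature before trusting the claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key shared by IDP and storage server (assumption for
# the example; a real deployment would use asymmetric keys and key discovery).
IDP_KEY = b"demo-idp-signing-key-not-for-real-use"

# Constructed in-memory stand-in for the IDP's server-side grant records.
GRANT_STORE = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_claims(claims: dict) -> str:
    """IDP side: serialise claims and attach an HMAC so the storage server can check integrity."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str):
    """Storage server side: reject tampered or expired tokens, otherwise return the claims."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def allowed_by_grants(grants: dict, path: str, mode: str) -> bool:
    """grants maps a container prefix to the modes the user approved for it."""
    return any(path.startswith(prefix) and mode in modes for prefix, modes in grants.items())


# --- Option A: the user's decision lives inside the bearer token ---------------

def issue_embedded_token(webid: str, app: str, grants: dict, ttl: int = 3600) -> str:
    claims = {"sub": webid, "azp": app, "grants": grants, "exp": int(time.time()) + ttl}
    return sign_claims(claims)


def check_embedded(token: str, path: str, mode: str) -> bool:
    # No call to the IDP: everything needed is in the (verified) token.
    claims = verify_token(token)
    return bool(claims) and allowed_by_grants(claims["grants"], path, mode)


# --- Option B: the token only references a server-side, revocable grant --------

def issue_referenced_token(webid: str, app: str, grants: dict, ttl: int = 3600):
    grant_id = hashlib.sha256(f"{webid}|{app}|{time.time_ns()}".encode()).hexdigest()[:16]
    GRANT_STORE[grant_id] = {"sub": webid, "azp": app, "grants": grants, "revoked": False}
    claims = {"sub": webid, "azp": app, "grant_id": grant_id, "exp": int(time.time()) + ttl}
    return sign_claims(claims), grant_id


def revoke_grant(grant_id: str) -> None:
    # The user withdraws consent at the IDP; takes effect on the next request.
    GRANT_STORE[grant_id]["revoked"] = True


def check_referenced(token: str, path: str, mode: str) -> bool:
    claims = verify_token(token)
    if not claims:
        return False
    rec = GRANT_STORE.get(claims["grant_id"])  # lookup at the IDP on every request
    if rec is None or rec["revoked"] or rec["sub"] != claims["sub"] or rec["azp"] != claims["azp"]:
        return False
    return allowed_by_grants(rec["grants"], path, mode)


def demo() -> dict:
    """Run both options through the same scenario; constructed identifiers throughout."""
    webid, app = "https://alice.example/profile#me", "https://app.example"
    grants = {"/alice/public/": ["read"], "/alice/notes/": ["read", "append"]}
    t_a = issue_embedded_token(webid, app, grants)
    t_b, gid = issue_referenced_token(webid, app, grants)
    r = {
        "embedded_read": check_embedded(t_a, "/alice/public/post.ttl", "read"),
        "embedded_write": check_embedded(t_a, "/alice/public/post.ttl", "write"),
        "embedded_outside_scope": check_embedded(t_a, "/alice/private/diary.ttl", "read"),
        "referenced_append": check_referenced(t_b, "/alice/notes/todo.ttl", "append"),
    }
    # A client that edits its own claims to add "write" cannot keep the old signature valid.
    body, sig = t_a.split(".")
    forged_claims = json.loads(_unb64(body))
    forged_claims["grants"]["/alice/public/"].append("write")
    forged = _b64(json.dumps(forged_claims, sort_keys=True).encode()) + "." + sig
    r["embedded_forged"] = check_embedded(forged, "/alice/public/post.ttl", "write")
    # The user revokes consent at the IDP.
    revoke_grant(gid)
    r["referenced_after_revoke"] = check_referenced(t_b, "/alice/notes/todo.ttl", "append")
    r["embedded_after_revoke"] = check_embedded(t_a, "/alice/public/post.ttl", "read")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26s} {v}")
```

The last two results are the point of the thread: after revocation the referenced grant is refused at once, while the embedded token keeps granting read access until its `exp` passes, because nothing short of contacting the IDP (or keeping a denylist on the storage server) can tell it that the user changed their mind.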