This page is starting as a collection of notes, design decisions, etc. related to implementing OAuth2 in Synapse. Part of the process has included weighing whether to develop our own library or to use an off-the-shelf solution such as ORY Hydra. The information on this page may change as the project evolves.
...
- How granular do we expect scope to be?
- Do Read/Edit/Write permissions cover all use cases?
- Do permissions need to be set on the entity level?
  - e.g. can we afford to make all cases "this external app can read everything you have access to" vs. "this external app can read syn123, a file in project syn999"?
Basic OAuth or OAuth-like flow (authorization grant only, no external tools)
...
Diagram from the above presentation, edited to show where these API endpoints would be used:
Database models: what do we need to store?
TBD
What is "scope"?
JIRAs(?):
...
The administrative port should not be exposed to public internet traffic. If you want to expose certain endpoints, such as the `/clients` endpoint for OpenID Connect Dynamic Client Registry, you can do so, but you need to properly secure these endpoints with an API Gateway or Authorization Proxy.
Do we need this?
Spring Security
...