Skip to content

Capabilities

Mytokens can be used for performing different actions at the mytoken server. Capabilities are used to define which actions can be done with a Mytoken. Capabilities can have sub-capabilities and might allow only read access or full access:

  • A capability with the read@ prefix only allows read access, but no modifications, while capabilities without this prefix allow full access including modifications.
  • Capabilities can have sub-capabilities and form a "path". A parent capability includes all its children, e.g. tokeninfo includes tokeninfo:introspect and all other tokeninfo:* capabilities.
    • The colon : is used as a path separator in path-ed capabilities.

The following capabilities are defined:

Capability Description Comment
AT Allows obtaining Access Tokens at the access token endpoint.
tokeninfo Allows to query the tokeninfo endpoint to obtain information about this token. Includes all tokeninfo:* capabilities, namely tokeninfo:introspect, tokeninfo:subtokens, tokeninfo:history.
tokeninfo:introspect Allows to query the tokeninfo endpoint to obtain basic information about this token: Allows to check if the token is valid, the content of the token and its usages.
tokeninfo:history Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the event history for this token.
tokeninfo:subtokens Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the tree of sub-tokens.
manage_mytokens Allows to perform all actions for managing other mytokens. This capability does not allow to list the actual mytokens.
manage_mytokens:list Allows to list metadata for all Mytokens, this includes the mom id needed for other actions. This capability does not allow to list the actual mytokens.
manage_mytokens:revoke Allows to revoke any token by its mom id. See token revocation for more details.
manage_mytokens:history Allows to obtain event history for any token by its mom id. See event history for more details.
create_mytoken Allows to create a new Mytoken. Mytoken servers MUST NOT allow privilege escalation. I.e. the restrictions of the new token MUST be at least as tight as the restrictions of the original token. Also the new token MUST only have capabilities that are allowed for subtokens of the original token.
settings Allows to adapt the users settings This capability includes all settings:* capabilities and it is powerful, since it allows control over allowed grant types.
settings:grants Allows to adapt the users grants This capability includes all settings:grants:* capabilities and it is powerful, since it allows control over allowed grant types.
settings:grants:ssh Allows to adapt the ssh user grant

Furthermore, all settings capabilities can be used with the read@ prefix:

Capability Description Comment
read@settings Allows to read the users settings This capability includes all read@settings:* capabilities.
read@settings:grants Allows to read the users grants This capability includes all read@settings:grants:* capabilities. It allows to list the enabled / disabled user grants.
read@settings:grants:ssh Allows to read the ssh user grant This capability allows to list a user's ssh keys.

Last update: July 20, 2023 09:45:00
Back to top