Capabilities¶
Mytokens can be used for performing different actions at the mytoken server. Capabilities are used to define which actions
can be done with a Mytoken.
Capabilities can have sub-capabilities and might allow only read access or full access:
- A capability with the
read@prefix only allows read access, but no modifications, while capabilities without this prefix allow full access including modifications. - Capabilities can have sub-capabilities and form a "path". A parent capability includes all its children, e.g.
tokeninfoincludestokeninfo:introspectand all othertokeninfo:*capabilities.- The colon
:is used as a path separator in path-ed capabilities.
- The colon
The following capabilities are defined:
| Capability | Description | Comment |
|---|---|---|
AT |
Allows obtaining Access Tokens at the access token endpoint. | |
tokeninfo |
Allows to query the tokeninfo endpoint to obtain information about this token. | Includes all tokeninfo:* capabilities, namely tokeninfo:introspect, tokeninfo:subtokens, tokeninfo:history. |
tokeninfo:introspect |
Allows to query the tokeninfo endpoint to obtain basic information about this token: Allows to check if the token is valid, the content of the token and its usages. | |
tokeninfo:history |
Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the event history for this token. | |
tokeninfo:subtokens |
Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the tree of sub-tokens. | |
manage_mytokens |
Allows to perform all actions for managing other mytokens. | This capability does not allow to list the actual mytokens. |
manage_mytokens:list |
Allows to list metadata for all Mytokens, this includes the mom id needed for other actions. | This capability does not allow to list the actual mytokens. |
manage_mytokens:revoke |
Allows to revoke any token by its mom id. | See token revocation for more details. |
manage_mytokens:history |
Allows to obtain event history for any token by its mom id. | See event history for more details. |
create_mytoken |
Allows to create a new Mytoken. | Mytoken servers MUST NOT allow privilege escalation. I.e. the restrictions of the new token MUST be at least as tight as the restrictions of the original token. Also the new token MUST only have capabilities that are allowed for subtokens of the original token. |
settings |
Allows to adapt the users settings | This capability includes all settings:* capabilities and it is powerful, since it allows control over allowed grant types. |
settings:grants |
Allows to adapt the users grants | This capability includes all settings:grants:* capabilities and it is powerful, since it allows control over allowed grant types. |
settings:grants:ssh |
Allows to adapt the ssh user grant |
Furthermore, all settings capabilities can be used with the read@ prefix:
| Capability | Description | Comment |
|---|---|---|
read@settings |
Allows to read the users settings | This capability includes all read@settings:* capabilities. |
read@settings:grants |
Allows to read the users grants | This capability includes all read@settings:grants:* capabilities. It allows to list the enabled / disabled user grants. |
read@settings:grants:ssh |
Allows to read the ssh user grant | This capability allows to list a user's ssh keys. |
Last update:
July 20, 2023 09:45:00