oauth app permission

[byteplow]

current

every authenticated user, can use oauth with any app/client

goal

• Users should only be able to use oath if they have the correct permission.
• There should also be apps which do not need permission

task

• check that oauth still works after refactoring
• check user permission
• provisioning tool for client and apps
• ui / cli to mange user and group permissions

design

• ory keto manages app permissions
• client#access@(app#access) => every one with access to the app, also has the access to the client
• app#access@user/group/* => *,users or groups can have access to an app
• • => every one
• during authentication the users access permissions for the client are checked => client#access@user
• also the relation client#access@* is checked. If it true every one can access the client