Capabilities¶
Mytokens can be used for performing different actions at the mytoken server. Capabilities are used to define which actions
can be done with a Mytoken.
Capabilities can have sub-capabilities and might allow only read access or full access:
- A capability with the
read@prefix only allows read access, but no modifications, while capabilities without this prefix allow full access including modifications. - Capabilities can have sub-capabilities and form a "path". A parent capability includes all it childrens, e.g.
tokeninfoincludestokeninfo:introspectand all othertokeninfo:*capabilities.- The colon
:is used as a path separator in path-ed capabilities.
- The colon
The following capabilities are defined:
| Capability | Description | Comment |
|---|---|---|
AT |
Allows obtaining Access Tokens at the access token endpoint. | |
tokeninfo |
Allows to query the tokeninfo endpoint to obtain information about this token. | Includes all tokeninfo:* capabilities, namely tokeninfo:introspect, tokeninfo:subtokens, tokeninfo:history. |
tokeninfo:introspect |
Allows to query the tokeninfo endpoint to obtain basic information about this token: Allows to check if the token is valid, the content of the token and its usages. | |
tokeninfo:history |
Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the event history for this token. | |
tokeninfo:subtokens |
Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the tree of sub-tokens. | |
list_mytokens |
Allows to list all Mytokens, in the form of metadata. | This capability does not allow to list the actual mytokens. |
create_mytoken |
Allows to create a new Mytoken. | Mytoken servers MUST NOT allow privilege escalation. I.e. the restrictions of the new token MUST be at least as tight as the restrictions of the original token. Also the new token MUST only have capabilities that are allowed for subtokens of the original token. |
settings |
Allows to adapt the users settings | This capability includes all settings:* capabilities and it is powerful, since it allows control over allowed grant types. |
settings:grants |
Allows to adapt the users grants | This capability includes all settings:grants:* capabilities and it is powerful, since it allows control over allowed grant types. |
settings:grants:ssh |
Allows to adapt the ssh user grant | |
revoke_any_token |
Allows to revoke any token by its revocation id. | See token revocation for more details. |
Furthermore, all settings capabilities can be used with the read@ prefix:
| Capability | Description | Comment |
|---|---|---|
read@settings |
Allows to read the users settings | This capability includes all read@settings:* capabilities. |
read@settings:grants |
Allows to read the users grants | This capability includes all read@settings:grants:* capabilities. It allows to list the enabled / disabled user grants. |
read@settings:grants:ssh |
Allows to read the ssh user grant | This capability allows to list a user's ssh keys. |
Last update:
August 23, 2022 06:19:07