Skip to content

Capabilities

Mytokens can be used for performing different actions at the mytoken server. Capabilities are used to define which actions can be done with a Mytoken. Capabilities can have sub-capabilities and might allow only read access or full access:

  • A capability with the read@ prefix only allows read access, but no modifications, while capabilities without this prefix allow full access including modifications.
  • Capabilities can have sub-capabilities and form a "path". A parent capability includes all its children, e.g. tokeninfo includes tokeninfo:introspect and all other tokeninfo:* capabilities.
    • The colon : is used as a path separator in path-ed capabilities.

The following capabilities are defined:

Capability Description Comment
AT Allows obtaining Access Tokens at the access token endpoint.
tokeninfo Allows to query the tokeninfo endpoint to obtain information about this token. Includes all tokeninfo:* capabilities, namely tokeninfo:introspect, tokeninfo:subtokens, tokeninfo:history.
tokeninfo:introspect Allows to query the tokeninfo endpoint to obtain basic information about this token: Allows to check if the token is valid, the content of the token and its usages.
tokeninfo:history Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the event history for this token.
tokeninfo:subtokens Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the tree of sub-tokens.
list_mytokens Allows to list all Mytokens, in the form of metadata. This capability does not allow to list the actual mytokens.
create_mytoken Allows to create a new Mytoken. Mytoken servers MUST NOT allow privilege escalation. I.e. the restrictions of the new token MUST be at least as tight as the restrictions of the original token. Also the new token MUST only have capabilities that are allowed for subtokens of the original token.
settings Allows to adapt the users settings This capability includes all settings:* capabilities and it is powerful, since it allows control over allowed grant types.
settings:grants Allows to adapt the users grants This capability includes all settings:grants:* capabilities and it is powerful, since it allows control over allowed grant types.
settings:grants:ssh Allows to adapt the ssh user grant
revoke_any_token Allows to revoke any token by its revocation id. See token revocation for more details.

Furthermore, all settings capabilities can be used with the read@ prefix:

Capability Description Comment
read@settings Allows to read the users settings This capability includes all read@settings:* capabilities.
read@settings:grants Allows to read the users grants This capability includes all read@settings:grants:* capabilities. It allows to list the enabled / disabled user grants.
read@settings:grants:ssh Allows to read the ssh user grant This capability allows to list a user's ssh keys.

Last update: October 20, 2022 08:46:51
Back to top