[OTDev] API modifications for A&A

Andreas Maunz andreas at maunz.de
Wed May 5 13:41:56 CEST 2010


Dear all,

for A&A, we need to modify the API in some places and introduce some new 
components. We have two cases:

(a) authentication against OpenSSO: should be done by the client application
(b) authorization against OpenSSO for resource and action combinations

For (a), we need to transmit user credentials and obtain a token, while 
part (b) can be decomposed into:
(b1) client authorization request to the webservice: should be done by 
the client application
(b2) authorization request confirmation from webservice to OpenSSO: 
should be done by the webservice.

Following is my proposal for API changes / extensions, according to (a), 
(b1), and (b2):

(a)
REST operation     URL                                             Parameters               Response
Authentication     http://<server>/opensso/identity/authenticate   username, password, uri  200 + token / 401
Token validation   http://<server>/opensso/identity/isTokenValid   tokenid                  200 + boolean
Logout             http://<server>/opensso/identity/logout         subjectid                200 + void

(b1)
REST operation     URL                                             Parameters               Response
All                All                                             as before + tokenid      as before + 401

(b2)
REST operation     URL                                             Parameters               Response
Authorization      http://<server>/opensso/identity/authorize      uri, action, subjectid   200 + boolean / 401 + boolean


Note:
- (a) and (b2) are taken from 
http://blogs.sun.com/ideas/entry/opensso_webservices_rest_interfaces. 
More operations are supported by OpenSSO, but as a first step we would 
only need these.
- (b1) is a simple extension to all existing REST operations, adding a 
token field to the query string.
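As an added illustration (not part of this proposal or any OpenTox code), here is how a webservice could implement (b1) and (b2) in Python: read tokenid from the query string, check it against isTokenValid, then ask the authorize endpoint whether the subject may perform the action on the uri, answering 401 otherwise. The "boolean=true" reply format, using the token id as subjectid, and the fake_opensso stand-in are assumptions made for this example.

```python
# Webservice-side check for (b1)/(b2); fake_opensso is a constructed stand-in
# so the logic runs offline. Reply format "boolean=true" is an assumption.
from urllib.parse import urlencode, parse_qs
from typing import Callable, Tuple

OPENSSO = "http://<server>/opensso/identity"  # placeholder from the proposal

# sso_get(url) -> (http_status, body); injected so no network is needed
SsoGet = Callable[[str], Tuple[int, str]]

def parse_boolean(body: str) -> bool:
    """Read a 'boolean=true|false' reply (assumed OpenSSO REST format)."""
    kv = dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)
    return kv.get("boolean", "").strip().lower() == "true"

def is_token_valid(tokenid: str, sso_get: SsoGet) -> bool:
    status, body = sso_get(f"{OPENSSO}/isTokenValid?{urlencode({'tokenid': tokenid})}")
    return status == 200 and parse_boolean(body)

def is_authorized(uri: str, action: str, subjectid: str, sso_get: SsoGet) -> bool:
    q = urlencode({"uri": uri, "action": action, "subjectid": subjectid})
    status, body = sso_get(f"{OPENSSO}/authorize?{q}")
    return status == 200 and parse_boolean(body)

def handle(method: str, uri: str, query: str, sso_get: SsoGet) -> int:
    """(b1)+(b2): return the HTTP status the webservice should answer."""
    tokenid = parse_qs(query).get("tokenid", [None])[0]
    if not tokenid or not is_token_valid(tokenid, sso_get):
        return 401                      # missing, expired or forged token
    # assumption: the session token id is also the subjectid OpenSSO expects
    if not is_authorized(uri, method, tokenid, sso_get):
        return 401                      # authenticated but not permitted
    return 200                          # proceed with the operation as before

def fake_opensso(url: str) -> Tuple[int, str]:
    """Constructed stand-in for the two OpenSSO endpoints used above."""
    path, _, query = url.partition("?")
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if path.endswith("/isTokenValid"):
        return 200, f"boolean={str(q.get('tokenid') == 'good-token').lower()}\n"
    if path.endswith("/authorize"):
        ok = q.get("subjectid") == "good-token" and q.get("action") == "GET"
        return (200 if ok else 401), f"boolean={str(ok).lower()}\n"
    return 404, ""
```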

Furthermore, a policy management API is proposed in 
http://opentox.org/data/documents/development/Authentication%20and%20Authorization/AA%20based%20on%20OpenSSO, 

Hopefully, we can engage in a discussion.

Best regards
Andreas


