...
Frequently, when updating a resource, not only does the Calling Application need to be known, but also the End User who is attempting to perform the update. Either one or both may be needed to decide whether the action is authorized, while both are needed for audit logging.
Real World Scenario: An Engineering web application needs to update the registration status for a given student. The web application calls through the API Gateway to the Registrations service. The Registrations service needs to know which client application is calling in order to limit the scope of students that can be updated (i.e. the Engineering web app can only look up Engineering students). Since this is an update, the audit log also needs to show which user made the update. The user is not used for access scoping, only for audit logging.
Goals
- All Goals from Usage: Application to Resource Server Requirements
- Provide a way to get identifying information for both the Client Application and the End User.
- These identifiers should be used for both authorization and audit logging.
- Define a Token Lifespan policy of 9 hours for the password grant.
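The Registrations service side of the scenario above, as an added example that is not code from the original page or from any gateway product. It assumes the API Gateway has already verified the token signature and forwards the claims, that the Client Application is carried in a `client_id` claim and the End User in `sub`, and that the client-to-college mapping and student directory are constructed data. It authorizes on the client only, records both identities in the audit entry, and also enforces the 9 hour lifespan goal by rejecting any token whose `exp - iat` exceeds it.

```python
import time

NINE_HOURS = 9 * 3600  # Token Lifespan policy for the password grant

# Assumed: which colleges each Client Application may act on (constructed data).
CLIENT_SCOPE = {
    "engineering-webapp": {"ENG"},
    "registrar-console": {"ENG", "ARTS", "SCI"},
}

# Constructed student directory: student id -> college and current status.
STUDENTS = {
    "s1001": {"college": "ENG", "status": "PENDING"},
    "s2002": {"college": "ARTS", "status": "PENDING"},
}

# In-memory stand-in for the audit log sink.
AUDIT_LOG = []


class AuthError(Exception):
    """Raised when the token or the Client Application fails a check."""


def validate_token(claims, now=None):
    """Apply identity and lifespan rules to claims the API Gateway already verified.

    Assumed claim names: 'client_id' (Client Application), 'sub' (End User),
    'iat' and 'exp' (seconds since epoch). Signature checking is assumed to
    have happened upstream and is not repeated here.
    """
    now = time.time() if now is None else now
    for field in ("client_id", "sub", "iat", "exp"):
        if field not in claims:
            raise AuthError(f"missing claim: {field}")
    if claims["exp"] <= now:
        raise AuthError("token expired")
    # A token minted with a longer life than policy allows is rejected outright,
    # so a misconfigured authorization server cannot silently widen the window.
    if claims["exp"] - claims["iat"] > NINE_HOURS:
        raise AuthError("token lifespan exceeds the 9 hour policy")
    return claims["client_id"], claims["sub"]


def update_registration(claims, student_id, new_status, now=None):
    """Update a student's registration status.

    Authorization is scoped by the Client Application only; the End User is
    recorded for audit, as the scenario describes.
    """
    client_id, user = validate_token(claims, now)
    allowed = CLIENT_SCOPE.get(client_id)
    if allowed is None:
        raise AuthError(f"unknown Client Application: {client_id}")
    student = STUDENTS.get(student_id)
    if student is None or student["college"] not in allowed:
        # Same answer for "not found" and "out of scope", so a client cannot
        # probe for the existence of students outside its college.
        raise AuthError(f"{client_id} may not update student {student_id}")
    old_status = student["status"]
    student["status"] = new_status
    # The audit entry carries both identities even though only one was used
    # for the authorization decision.
    AUDIT_LOG.append({
        "ts": time.time() if now is None else now,
        "client": client_id,
        "user": user,
        "student": student_id,
        "old_status": old_status,
        "new_status": new_status,
    })
    return {"student": student_id, "college": student["college"], "status": new_status}


def attempt(claims, student_id, new_status, now=None):
    """Return ('ok', record) or ('denied', reason) instead of raising."""
    try:
        return "ok", update_registration(claims, student_id, new_status, now)
    except AuthError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    issued = 1_700_000_000
    claims = {"client_id": "engineering-webapp", "sub": "jdoe",
              "iat": issued, "exp": issued + 8 * 3600}
    print(attempt(claims, "s1001", "ENROLLED", now=issued + 60))   # ENG student: allowed
    print(attempt(claims, "s2002", "ENROLLED", now=issued + 60))   # ARTS student: denied
    for entry in AUDIT_LOG:
        print(entry)
```

The point of keeping the lifespan check in the resource server, rather than trusting the authorization server alone, is that a token issued outside policy is then rejected at the place where the update actually happens.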
...