API authentication
Brad Bishop
bradleyb at fuzziesquirrel.com
Mon Mar 18 21:35:04 AEDT 2019
I am looking for ideas on how to implement a mechanism to restrict access to
specific methods of a service/API (e.g. Redfish).

This would be orthogonal to role-based authorization - e.g. the authorization
would be provided by someone other than the system administrator - e.g. the
system manufacturer.

I think I want OAuth for this with these definitions:

resource owner: system manufacturer
client: any user of the API (could be application specific but not required)
resource: data flowing over the API being authorized

Could the system manufacturer authorize clients on non-internet connected BMCs?

Is there a better way to go about this?

Does anyone have any experience with something like this? I would love to be
pointed to further reading, code, or just your thoughts in general.

thx - Brad