Claims in Obsidian Management API

Introduction

Obsidian uses Token-based Authentication and Claims-based Authorization.

If a user wants to access a management API action, a JsonWebToken must be added to the request. The JsonWebToken generated by the Obsidian OAuth Server contains the claims that the user owns. Some claims represent the user's personal information; others represent permissions the user has been granted.

Strictly speaking, a claim cannot represent what a user can or cannot do. However, if we want a user to be able to edit something, we can give the user a claim that tells others it is an editor, instead of a claim that lists the resources it can operate on.

In this section, we list all available claims that can be given to a user.

For claims that represent a user's personal information, see Claims in Obsidian OAuth Server.

Claims list

| Type | ClaimType | Enables |
|---|---|---|
| User | http://schema.za-pt.org/Obsidian/ManagementAPI/User/IsCreator | The user can add a new user |
| User | http://schema.za-pt.org/Obsidian/ManagementAPI/User/IsAcquirer | The user can query any user's information |
| User | http://schema.za-pt.org/Obsidian/ManagementAPI/User/UserName/IsEditor | The user can modify another user's user name |
| User | http://schema.za-pt.org/Obsidian/ManagementAPI/User/Password/IsEditor | The user can modify another user's password |
| User | http://schema.za-pt.org/Obsidian/ManagementAPI/User/Profile/IsEditor | The user can modify another user's profile |
| User | http://schema.za-pt.org/Obsidian/ManagementAPI/User/Claims/IsEditor | The user can modify another user's claims |
| Client | http://schema.za-pt.org/Obsidian/ManagementAPI/Client/IsCreator | The user can add a new client |
| Client | http://schema.za-pt.org/Obsidian/ManagementAPI/Client/IsAcquirer | The user can query information of a client |
| Client | http://schema.za-pt.org/Obsidian/ManagementAPI/Client/IsEditor | The user can modify a client |
| Client | http://schema.za-pt.org/Obsidian/ManagementAPI/Client/Secret/IsAcquirer | The user can query the secret of a client |
| Client | http://schema.za-pt.org/Obsidian/ManagementAPI/Client/Secret/IsEditor | The user can modify the secret of a client |
| Scope | http://schema.za-pt.org/Obsidian/ManagementAPI/Scope/IsCreator | The user can add a new permission scope |
| Scope | http://schema.za-pt.org/Obsidian/ManagementAPI/Scope/IsAcquirer | The user can query information of a permission scope |
| Scope | http://schema.za-pt.org/Obsidian/ManagementAPI/Scope/IsEditor | The user can modify a scope |
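
The following is an added example, not code from the Obsidian project: a deny-by-default check that maps management actions to the claim types in the table above and matches them exactly, so that holding Client/IsEditor never implies Client/Secret/IsEditor. The action names, the function names, the choice of "high-impact" claims, and the assumption that the already signature-verified token payload is a mapping keyed by claim type (presence meaning granted) are all assumptions of this example.

```python
PREFIX = "http://schema.za-pt.org/Obsidian/ManagementAPI/"

# Hypothetical action names mapped to claim types taken from the table above.
REQUIRED_CLAIM = {
    "user.create": PREFIX + "User/IsCreator",
    "user.read": PREFIX + "User/IsAcquirer",
    "user.password.update": PREFIX + "User/Password/IsEditor",
    "user.claims.update": PREFIX + "User/Claims/IsEditor",
    "client.update": PREFIX + "Client/IsEditor",
    "client.secret.read": PREFIX + "Client/Secret/IsAcquirer",
    "client.secret.update": PREFIX + "Client/Secret/IsEditor",
    "scope.create": PREFIX + "Scope/IsCreator",
}

# Claims this example treats as high-impact (an assumption): they let the
# holder change other users' claims or passwords, or read/replace client secrets.
HIGH_IMPACT = {
    PREFIX + "User/Claims/IsEditor",
    PREFIX + "User/Password/IsEditor",
    PREFIX + "Client/Secret/IsAcquirer",
    PREFIX + "Client/Secret/IsEditor",
}


def is_authorized(action, verified_claims):
    """Return True only if the verified payload holds the exact claim type."""
    required = REQUIRED_CLAIM.get(action)
    if required is None:
        return False  # unmapped action: deny by default
    # Exact membership test; no prefix or substring matching on the URI.
    return required in verified_claims


def high_impact_claims(verified_claims):
    """List high-impact claim types in a payload, for review when issuing tokens."""
    return sorted(c for c in verified_claims if c in HIGH_IMPACT)


if __name__ == "__main__":
    # Constructed sample payload, assumed to come from a token whose
    # signature, issuer and expiry were already verified.
    sample = {"sub": "alice", PREFIX + "Client/IsEditor": "true"}
    for action in ("client.update", "client.secret.update", "client.delete"):
        print(action, is_authorized(action, sample))
    print(high_impact_claims(sample))
```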