Use Cases
Example of VOOT in real life use cases.
Example of VOOT in real life use cases.
User A wants to protect a resource at a Service Provider, and decides to setup a access control list.
User chooses to associate an access rule with a remote group; and first 'hooks up' with that remote group. As this is the first time the user connects to this remote group provider (from this service provider), an OAuth flow needs to happen.
Then the service provider do an OAuth signed request `isMemberOf()` that returns the list of groups that the current user is member of.
The user selects one of the groups, and the service provider request the members of that group with `getGroupMembers()` which returns a list of names and email addresses, that is shown in the user interface.
The user decides to give access to the resource to all members of that group. The service provider then stores something like:
* Grant access to resource X for members of groupid=`XYZ-123456` from provider=`https://groups.renater.fr/`
When User B wants to access the resource, and User B is already member of the relevant group; the following will happen:
Now the Service Provider request the list of groups the user is member of from that provider using `isMemberOf()`, and checks the result with the access control list.
If it does not yield any result, and there are more group providers, this may be repeated for each group provider, and in the end, the user will either have access, or get a final *Access Denied* message.
A user (user A) of a web-based collaboration service would like to interact with another user (user B) through this service, where the other user (user B) does not yet have a local account. User A already manage a group including user B. The service should be able to retrieve a list of all users within the groups that user A is member of. The list of users should include display name and email address. The display names is used to present the list of users to the user, and the email address is used if User A would like to invite other users to access a resource.
Associating other users with local accounts is not part of this use case. If user A invites user B; the service should include an invitation token in the invitation email, or make use of other methods to map the invited user to an account.
An e-mail list server can be configured, and trusted, to retrieve (pull) back-channel a list of all members of a group, including display names and email addresses.
The list server may be trusted to retrieve this information using two-legged OAuth; or it could make use of three legged OAuth, where the list administrator will have the access token to retrieve the list associated with his/her account.