Differences

This shows you the differences between two versions of the page.

--- projects:member_portal:home [2025/10/06 15:47] – samp20
+++ projects:member_portal:home [2025/10/06 15:49] (current) – samp20
@@ Line 2: / Line 2: @@
 This is a project driven by @samp20 to build a new member portal to provide Single-Sign-On (SSO) to other Hackspace services.
+<nspages -tree -r=2 -exclude -subns -pagesInNs -h1 -textNs="" -pregPagesOff="/home/i">
 ===== Architecture =====
 The current proposed architecture is a Python Flask application with PostgreSQL as the backend database.
-===== Permissions model =====
-Permissions shall be granted through OAuth scopes or other custom claims. As these claims can sometimes be application specific, a general purpose approach is proposed using Members, Roles and ClaimSets with the following relationships:
-  * Many-to-many between Members and Roles
-  * One-to-many between Roles and ClaimSets
-A Role describes a high-level role a member has, for example "onboarding". A ClaimSet describes the specific OAuth claims associated with that role. The reason for separating ClaimSets from Roles is to be able to limit a ClaimSet to a single OAuth client without requiring a member to join multiple Roles if that Role involves multiple clients.
-An example ClaimSet for Grafana access to the "viewer" team may look like the following:
-<code>
-{
-    "scope": ["openid", "email"],
-    "groups": ["viewer"]
-}
-</code>
-This ClaimSet would be restricted to the Grafana OAuth client in order to avoid granting the "openid" scope to other clients and inadvertently giving access to them.