Delegate Credentials Use Case
Status: Proposed. This Use Case has been submitted as a new entry to the Use Cases Catalog. It has not yet been validated or reviewed.
Title: Two Party Delegation
Use Case Description: With delegation technologies, the service provider issues delegation credentials that are tailored for access to data and/or processes limited to the third-party service, but that exclude access rights to anything else, such as user settings and controls. With delegations, should malicious third-party activities occur, the primary service revokes the delegated credential, while the user credential remains valid. At the same time, the user is protected from Denial of Service (DoS) attacks. Delegations of a service should also be time-constrained by limiting the access of a third-party service to the time necessary to perform the delegated service. (NISTIR 7817, Section 2.1.1)
Use Case Category: Authentication
Contributor: Scott Shorter extracted from NISTIR 7817
Use Case Details
Actors:
- Service Provider - issues delegation credentials
- Third-party Service - accesses data and/or processes authorized for the delegation credentials issued to them.
- User - has a full account with Service Provider, wishes to grant access to Third-party Service.
Goals: Authorize limited access of information or processes to a third party.
Assumptions:
- User can authenticate to Service Provider
- Third-Party Service does not have Delegated Credentials for User yet
Requirements:
Process Flow:
- User accesses Third-Party Service which wants data from Service Provider
- Third-Party Service requests Delegated Credentials for User
- Service Provider obtains User consent for delegation
- Service Provider grants Delegated Credentials to Third-Party Service
Success Scenario: Third-Party Service can access limited User data from Service Provider
Error Conditions: Third-Party Service forges User consent for Delegation
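Added example (not part of this catalog entry or of NISTIR 7817): a sketch of the Service Provider side of the process flow above, showing a delegated credential that is scope-limited, time-constrained and revocable without touching the User's own credential, and a grant step that refuses consent not tied to the User's authenticated session. The ServiceProvider class, its method names, the scope strings and the HMAC-signed token format are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

class ServiceProvider:
    """Hypothetical Service Provider; every name here is an assumption."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key, never leaves the SP
        self._sessions = {}                   # session token -> authenticated user
        self._revoked = set()                 # ids of revoked delegations

    def login(self, user):
        # Stand-in for real User authentication at the Service Provider.
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def _tag(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def grant(self, user_session, third_party, scope, ttl, now=None):
        # Consent counts only when it arrives on the User's own authenticated
        # session; a consent claim relayed by the third party is refused.
        user = self._sessions.get(user_session)
        if user is None:
            raise PermissionError("no authenticated user consent")
        now = time.time() if now is None else now
        body = {"id": secrets.token_hex(8), "user": user, "tp": third_party,
                "scope": sorted(scope), "exp": now + ttl}
        payload = json.dumps(body, sort_keys=True)
        return payload + "." + self._tag(payload)

    def revoke(self, credential):
        # Revokes this delegation only; the User's session is not affected.
        self._revoked.add(json.loads(credential.rpartition(".")[0])["id"])

    def authorize(self, credential, action, now=None):
        # True only for an authentic, unexpired, unrevoked, in-scope request.
        payload, _, tag = credential.rpartition(".")
        if not hmac.compare_digest(tag.encode(), self._tag(payload).encode()):
            return False
        body = json.loads(payload)
        now = time.time() if now is None else now
        return (body["id"] not in self._revoked and now < body["exp"]
                and action in body["scope"])
```

The credential is bound to one Third-Party Service, one User, an explicit scope list and an expiry, so revoking or expiring it leaves the User's session usable for a fresh grant.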
Relationships
- Extended by:
- Extends: