The privileges necessary to support the org model will be assigned to users on the basis of their adminOfOrg and ownerOfOrg relationships. This means:
- The augmentSecurityContext script must be invoked from the rs filter. It should be invoked regardless of how a "user" was authenticated, and even when user authentication by all configured means has failed.
- The HTTP Request object should be bound in script scope as it is in the traditional CAF-based augmentation invocation.
- The augmentation script should have access to the oauth2 token introspection result. This may be achieved by verifying that context.oauth2.rawInfo resolves correctly beneath the context script binding; otherwise an additional script binding may need to be added to facilitate this.
- The user resource that matched the subject mapping should be bound in script context as resource.
- The config surface must be enhanced to specify 'other fields' of the user to be queried, so that fields not returned by default are available for consideration by security context augmentation. This config field will be an array of field names. Specifically, for the org model, it will consist of the adminOfOrg and ownerOfOrg relationship fields.
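To make the list above concrete, here is an added example (not code from the original note or from the project) of what an augmentSecurityContext script invoked from the rs filter could do with the bindings described: it reads the adminOfOrg and ownerOfOrg relationship fields from the bound user resource, consults the oauth2 introspection result when one is present, and grants nothing when no user matched the subject mapping. The `context`, `request` and `resource` bindings are the ones named above; the `security` object the script mutates, the role names, and the `{_ref: "managed/org/<id>"}` shape of the relationship fields are assumptions.

```javascript
// Added example, not code from the original note or from the project.
// `context`, `request` and `resource` are the script bindings described in
// the note; `security` (the mutable security context being augmented), the
// role names and the relationship-field shape are assumptions.

// Assumed privilege (role) names derived from the org relationships.
var ORG_ADMIN_ROLE = "internal/role/org-admin";
var ORG_OWNER_ROLE = "internal/role/org-owner";

// Relationship fields are assumed to be arrays of {_ref: "managed/org/<id>"}.
// Entries that do not look like an org reference are ignored, not trusted.
function orgIdsFrom(relationships) {
  var prefix = "managed/org/";
  if (!Array.isArray(relationships)) { return []; }
  return relationships
    .filter(function (r) {
      return r && typeof r._ref === "string" && r._ref.indexOf(prefix) === 0;
    })
    .map(function (r) { return r._ref.substring(prefix.length); });
}

// Adds a role once; existing roles (e.g. from earlier authentication) are kept.
function addRole(roles, role) {
  if (roles.indexOf(role) === -1) { roles.push(role); }
}

// Returns the augmented security context. The script runs even when user
// authentication failed (resource is null) and regardless of the auth method,
// so a missing oauth2 introspection result is not itself a failure; an
// introspection result that explicitly says the token is inactive is.
function augmentSecurityContext(context, request, resource, security) {
  security.authorization = security.authorization || {};
  var auth = security.authorization;
  auth.roles = auth.roles || [];
  auth.orgs = { admin: [], owner: [] };
  // The HTTP Request binding is available; only the method is recorded here.
  auth.requestMethod = request ? request.method : null;

  var rawInfo = (context && context.oauth2) ? context.oauth2.rawInfo : null;
  var tokenRejected = !!rawInfo && rawInfo.active === false;
  if (!resource || tokenRejected) {
    auth.anonymous = true;
    return security;
  }
  auth.anonymous = false;

  auth.orgs.admin = orgIdsFrom(resource.adminOfOrg);
  auth.orgs.owner = orgIdsFrom(resource.ownerOfOrg);
  if (auth.orgs.admin.length > 0) { addRole(auth.roles, ORG_ADMIN_ROLE); }
  if (auth.orgs.owner.length > 0) { addRole(auth.roles, ORG_OWNER_ROLE); }
  return security;
}

// Constructed sample inputs standing in for the real bindings.
var SAMPLE_CONTEXT = { oauth2: { rawInfo: { active: true, sub: "alice" } } };
var SAMPLE_REQUEST = { method: "GET" };
var SAMPLE_USER = {
  _id: "alice",
  userName: "alice",
  adminOfOrg: [{ _ref: "managed/org/sales" }],
  ownerOfOrg: [{ _ref: "managed/org/sales" }, { _ref: "managed/org/eng" }, { bogus: 1 }]
};

// User matched the subject mapping and the token is active.
function demoAuthenticated() {
  var security = {
    authentication: { id: "alice" },
    authorization: { roles: ["internal/role/openidm-authorized"] }
  };
  return augmentSecurityContext(SAMPLE_CONTEXT, SAMPLE_REQUEST, SAMPLE_USER, security);
}

// Authentication by every configured means failed: no resource is bound.
function demoUnauthenticated() {
  return augmentSecurityContext(SAMPLE_CONTEXT, SAMPLE_REQUEST, null, { authorization: {} });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demoAuthenticated().authorization, null, 2));
  console.log(JSON.stringify(demoUnauthenticated().authorization, null, 2));
}
```

The unauthenticated branch is what the "invoke even when all configured means failed" requirement buys: the script still runs, still sees the request, and can mark the context anonymous instead of silently carrying over whatever roles an earlier stage left behind.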