Resource Owner restricting their own access
elf-pavlik opened this issue · 0 comments
I recall various conversations about scenarios where the user would like to restrict their own access. While the specification doesn't seem to prevent a Resource Owner from creating a Social Agent registration for oneself, at least in sai-js we currently don't check if it exists and, if it does, delegate those grants to applications rather than create direct data grants.
If we clarify use cases where such functionality is expected, we should at least mention them in the Authorization Agent primer and update implementations (at least sai-js).
Of course, being a Resource Owner, one can always escalate one's own privilege; still, in some scenarios having that chmod-like step required can prevent some unexpected results.