Thanks Pat that is a very good summary.
It seems that the pattern is that there is "installing", then
"enabling", then "invoking". Workflow servers usually allow some way
for a process to be installed, and this is no difference in the secure
environment. Enabling must happen synchronously with the user being
present. During enabling, OAuth protocol is used to gather all the
access tokens that will be needed by the process. After a process is
enabled, instances of the process can be invoked and can run
asynchronously without the user being available at the time.
This can happen in different orders in some cases, but normally will
be "installing", then "enabling", then "invoking".
These can be done by the same person, or by different people. It is
possible that a process definition is installed once, the definition
is enabled once, and then many instances run. Or it might be that it
is installed once, and then enabled every time it is invoked. It is
possible for enabling to happen after invoking, and it is possible
that enabling will be done uniquely for each instance. It is also
possible that a single process definition may be enabled by multiple
people, and those multiple enablements will need to be preserved, but
when invoked, only one enablement will be involved with with the
running process. Finally, it is possible (although I think unlikely)
that different people may enable different parts of a process, and it
is not necessary that all part of the process be enabled at the same
time. All of these patterns depend upon the requirements.
The workflow process acts on behalf of the person who enables it.
Thus is Joe enables it, then it will make requests that will see
things that is a subset of what Joe has access to. The process can
not be enabled to see things that the enabler does not have access
to. The services being called from the workflow know with certainty
who the person was who enabled the interactions.
When I speak above of "processes" being enabled, I really mean a
bigger collection. Lets call it an "application". Enablement will
typically happen for an application, and there may be many process
definitions in an application. An application, however, is a unit
that someone can be responsible for. Typically an application will be
installed at one time in its entirety, but there is no reason to
prevent partial installations.
The enabling step uses OAuth exactly as designed. The result of an
OAuth interaction is an access token. Workflows that invoke secure
services need to be able to store those tokens that are collected
during enablement, so they can be used at run time. Workflow that
expect to be invoked securely need to be able to generate such tokens,
and remember them, together with the user that authorized them, so
that this can be verified when called. None of this is surprising
since the purpose of an OAuth interaction is to exchange an access
token, and so this handling of the access token is expected.
You can think of this "enablement" as the "preapproving of
transactions" if you wish.
-Keith