  1. eZ Platform Enterprise Edition
  2. EZEE-1679

As a customer, I want to grant the paid eZ Support or Consultants remote access to my installation


Details

    • Type: Epic
    • Resolution: Unresolved
    • Priority: High
    • Remote Access for Support and Consultants to Backend

    Description

      As a customer, I want to grant the paid eZ Support or Consultants remote access to:

      • Reproduce errors
      • Review settings and configuration
      • Give advice and help users and administrators to work with the system
      • Retrieve data by using scripts and sending them back to our service units

      eZ will have a special user with a special set of access and usage rights. This account is disabled by default and has no password. Instead of a password, the account is connected via an “Installation Key” to the OAuth service on top of login.ez.no. Each customer installation has such an Installation Key, which is connected to an account on login.ez.no that represents an eZ installation.
      OAuth isn’t meant to do things like validate a user’s identity; that’s taken care of by an authentication service. Authentication is when you validate a user’s identity (like asking for a username / password to log in), whereas authorization is when you check what permissions an existing user already has. Just remember that OAuth is a protocol for authorization, not SSO.
      When support personnel or consultants need access, a local admin enables the special account on the eZ installation, and it can then be used for signing in. The login now accepts an account from login.ez.no, and the support user is redirected to login.ez.no to authenticate with that account. After authentication, the support user is returned to the browser with an authorization token, which the local eZ installation uses to retrieve the profile from login.ez.no. With the authorization token the local eZ installation can get the access token. With the access token the support user can access the actual resource. The access rights are stored in the local user profile and can be adapted to the customer's needs.
      All resources that can be reached through a web interface can now be accessed immediately by the support person. This includes all scripts that can be triggered via the UI. After the support session is closed, the local admin can disable the hidden account, and nobody can use this account to log in. Even eZ Support or Consultants can’t access the system as long as the account is disabled.
      Known issues: When access to the web UI of eZ is blocked by firewalls or other network protection (IP lists), enabling the support account alone will not be enough to get access.
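
The flow described above, modelled as an added example in Python (not code from eZ or from this issue): the support account is off by default, the admin switch is checked at redirect, at callback and on each request, and the authorization token is single-use and tied to the Installation Key. All class, method and right names are hypothetical, the identity provider is an in-memory stand-in for login.ez.no, and the per-request check of the switch is an assumption that goes beyond what the description states.

```python
import hmac
import secrets

class IdP:
    """Constructed stand-in for the OAuth service on login.ez.no."""
    def __init__(self, installation_key):
        self.installation_key = installation_key
        self._codes = {}  # one-time authorization tokens -> support profile

    def authenticate(self, profile):
        code = secrets.token_urlsafe(16)  # returned to the support user's browser
        self._codes[code] = profile
        return code

    def exchange(self, code, installation_key):
        # Single use, and only redeemable with the matching Installation Key.
        profile = self._codes.pop(code, None)
        if profile is None or not hmac.compare_digest(installation_key, self.installation_key):
            return None
        return {"access_token": secrets.token_urlsafe(16), "profile": profile}

class Installation:
    def __init__(self, idp, installation_key, support_rights):
        self.idp, self.key = idp, installation_key
        self.support_enabled = False  # disabled by default, no password exists
        self.support_rights = set(support_rights)  # stored locally, customer-adjustable
        self._pending = set()  # state values of logins in progress
        self.sessions = {}

    def begin_login(self):
        if not self.support_enabled:
            return None  # no redirect to the IdP while the account is disabled
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        return state

    def callback(self, state, code):
        # Re-check the switch: the admin may have disabled the account mid-flow.
        if not self.support_enabled or state not in self._pending:
            return None
        self._pending.discard(state)  # a state value is accepted once
        grant = self.idp.exchange(code, self.key)
        if grant:
            self.sessions[grant["access_token"]] = grant["profile"]
        return grant["access_token"] if grant else None

    def authorize(self, token, right):
        # Assumption: checked per request, so disabling also cuts off open sessions.
        return (self.support_enabled and token in self.sessions
                and right in self.support_rights)
```
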

          People

            Assignee: Unassigned
            Reporter: michael.friedmann-obsolete@ez.no Michael Friedmann (Inactive)