How should approved scopes be returned from an OAuth2.0

Tags:

oauth-2.0

Specifying an API for library patrons, compatible with OAuth2.0, I stumbled across OAuth scopes. The OAuth2.0 specification seems to be interpreted differently at some points; for instance, GitHub uses commas to delimit scopes while Google uses spaces, as defined in RFC 6749. The RFC says:

If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted

But no scope response parameter is mentioned later in the specification. In particular I want to implement Resource Owner Password Credentials Grant (section 4.3.). This example of a response is given in the OAuth2.0 specification:

 HTTP/1.1 200 OK
 Content-Type: application/json;charset=UTF-8
 Cache-Control: no-store
 Pragma: no-cache

 {
   "access_token":"2YotnFZFEjr1zCsicMWpAA",
   "token_type":"example",
   "expires_in":3600,
   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
   "example_parameter":"example_value"
 }

Should I include the scopes as a space-separated list, as a comma-separated list or as a JSON array?

 {
   "scope": [ "read", "write", "foobar" ],
   "access_token":"2YotnFZFEjr1zCsicMWpAA",
   "token_type":"example",
   "expires_in":3600,
   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
   "example_parameter":"example_value"
 }
Jakob asked Jan 16 '23 02:01


1 Answer

My interpretation of RFC 6749 is that the scopes should be specified as a string containing a space-separated list. The standard is somewhat open to interpretation because of the lack of an example.

"scope": "read write foobar"

RFC 6749 Section 4.3.3 Access Token Response says:

If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in Section 5.1.

RFC 6749 Section 5.1 says:

scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED. The scope of the access token as described by Section 3.3.

RFC 6749 Section 3.3 says:

scope = scope-token *( SP scope-token )

AndyC answered Feb 12 '23 00:02
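As an added example (not part of the question or the answer above), the following Python builds the section 5.1 token response body the way the answer describes: the `scope` member is emitted only when the granted scope differs from what the client requested, and it is always a single space-delimited string matching the section 3.3 grammar, never a JSON array. The function names, the `Bearer` token type and the sample values are assumptions for illustration.

```python
import re

# RFC 6749 section 3.3 grammar:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# i.e. printable ASCII excluding space, double quote and backslash.
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")

# Headers that section 5.1 requires on a token response carrying credentials.
TOKEN_RESPONSE_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}


def parse_scope(scope):
    """Split a space-delimited scope string into tokens, rejecting anything
    that is not a valid scope-token (including empty tokens from doubled
    spaces, commas are just part of the token and therefore NOT a delimiter)."""
    if not scope:
        return []
    tokens = scope.split(" ")
    for token in tokens:
        if not SCOPE_TOKEN.match(token):
            raise ValueError("invalid scope-token: %r" % token)
    return tokens


def build_token_response(access_token, expires_in, requested_scope,
                         granted_scope, refresh_token=None):
    """Build the JSON body of a successful section 5.1 access token response.

    'scope' is OPTIONAL when identical to the requested scope and REQUIRED
    otherwise, so it is included only when the granted set differs. Order of
    tokens is not significant, hence the set comparison. (Hypothetical helper.)
    """
    requested = set(parse_scope(requested_scope))
    granted = parse_scope(granted_scope)
    body = {
        "access_token": access_token,
        "token_type": "Bearer",   # assumed token type; the RFC example uses "example"
        "expires_in": expires_in,
    }
    if refresh_token:
        body["refresh_token"] = refresh_token
    if set(granted) != requested:
        body["scope"] = " ".join(granted)   # string, not a JSON array
    return body
```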