When using Spring security to secure an API with oauth is there any distinction between scopes and roles?
For example when using non oauth based role based authorization I might have a user named john with the role admin.
If I'm using oauth then it seems john would just have the scope admin instead.
Am I thinking about this the right way?
Typically you would use scopes to indicate permissions that a user allows a client app. Think how Facebook asks a user if he wants to allow a certain third party to access his resources such as: name, email, profile, list of friends, etc. On the other hand, you would use roles to denote whether the user is just a regular user, or an admin.
So the rule of thumb is: if it's about a user granting a client app permission to access resources, then use scopes to represent the authority needed. Otherwise use roles to denote authority in terms of what type of user one is.