Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OAuth scopes and application roles & permissions

Currently my application is verifying user's access based on the roles and permissions. For example, if a user is admin then he has all permissions.

However, now I am implementing OAuth 2.0 and OpenIdConnect for single sign on and token based authentication for web applications and REST API's.

OAuth 2.0 and Open id connect rely heavily on scopes for access control. Scopes such as account.write account.read account.delete are very similar to permissions "CanCreateAccount" "CanReadAccount" "CanDeleteAccounts" "CanAssignRolesToPermissions".

I don't understand what is the difference between the two. This separation forces my application to check the client's scopes when access REST API's and separate check for user's permission. This i believe leads to code duplication.

Am I right in thinking that OAuth 2.0 scopes and application permissions are same? If this is true, then instead of maintaining separate application permissions, should I just stick to scopes through out my application?

For example, currently the user is assigned to a role and role has permissions. If I replace permissions with scopes then I wound't have to duplicate the client/user scope/permission checking functionality.

You might be thinking why not replace scopes with permissions. That is because I want to stick to OAuth 2.0 spec and scopes are used throughout the spec.

like image 523
John Avatar asked Jan 20 '18 00:01

John


People also ask

What are the OAuth scopes?

OAuth 2.0 scopes provide a way to limit the amount of access that is granted to an access token. For example, an access token issued to a client app may be granted READ and WRITE access to protected resources, or just READ access. You can implement your APIs to enforce any scope or combination of scopes you wish.

What are the different roles OAuth support?

OAuth 2.0 defines four roles: Resource Owner, Client, Resource Server and Authorization Server.

What is the difference between role and scope?

Scopes are typically used when an external application wants to gain access to the user's data via an exposed API. They determine what the client application can do. Role- or group based access is typically used within an application to determine what a user can do.

What are OAuth applications?

OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.


2 Answers

Scopes are per Client app, while permissions are per user. In other words - one client app can have a scope(s) to access certain API(s), but the users of this client app will have different permissions in this api (based on their roles). Your application should not check for the scopes. IdentityServer (I see that you have used it as a tag, so I suggest that you are using this as an OAuth authenticator) will reject a client, that doesn't have the required scope(s). Your app must only check the user permissions.

like image 106
m3n7alsnak3 Avatar answered Oct 01 '22 18:10

m3n7alsnak3


Am I right in thinking that OAuth 2.0 scopes and application permissions are same?

Technically, this is not correct.

OAuth 2.0 scopes are NOT application permissions. They allow an application to access a resource on behalf of the user. If your application has been granted the scope X on a resource, it is allowed to access that resource ONLY IF the user has the corresponding privilege.

In other words, your app's scopes MUST be checked together with the user's privileges.

To learn more, check out this article about the difference between permissions, privileges, and scopes.

like image 21
Andrea Chiarelli Avatar answered Oct 01 '22 17:10

Andrea Chiarelli