OAuth2 authorization for project and custom project-specific user role

Question

I'm new to OAuth2 and trying to figure out what is the best practice for the following scenario:

• I'm implementing 'ToDo' web service (CRUD for 'tasks')
• I'm using OAuth2 and Google as auth provider to get user details (email, name)
• Now I need to implement project-specific roles for users ('admin', 'user')

Speaking in terms of OAuth2 - Google doesn't 'own' my service, so it cannot help me with storing/providing 'ToDo'-specific roles, is it correct?

What is the common/best approach to implement it, do I need to create my own authorization service where I'll need to store relations like userinfo -> project-specific role?

Answer 1

Well, it depends what, exactly, you're looking to do.

If you have users, and those users have specific roles that you have assigned to them already, then you're just using Google's OAuth service as an identity service. You don't need to implement your own authorization service, but you will need to keep track (typically in your own database) a relationship between the userid and the roles for that users.

If the goal is to create a service where the user can delegate specific permissions they have to a third-party service, then you will certainly need to implement your own OAuth server. This will allow the user to limit the scopes that are necessary for the third-party service to do its job.

Answer 2

It is easy for you to setup your own authorization and resource server rather than depending on google services. In your own authentication server you have more control over your roles and users you specify. You can setup and authentications server using spring boot app and using dependencies like Spring-starter-security, spring-security-oauth2 and etc.