Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Oauth2, scopes and user roles

Tags:

oauth-2.0

I am asking a question conceptually here as I am trying to understand the relationship between scopes and user roles in an OAuth2 based system.

As I am implementing an API, I want to restrict access to specific resources by using scopes on the resources. I understand the use of access tokens to request resources, and I believe my understanding to be correct in that you specify your scope(s) when requesting the access token.

What I am not entirely sure of is how restriction of scopes would work based on specific roles that an authenticated user is in. Let's assume Bob is an admin and Sue is a regular user. We have some resources protected by an is_admin scope. What stops Sue from requesting (and receiving) is_admin scope in her access token?

I am thinking that what should happen is the following:

  • Bob authenticates.
  • Bob's roles are looked up after his authentication is complete. His "admin" role has the "is_admin" scope attached.
  • Bob asks for an access token with all the scopes collected from his various roles
  • Bob is automatically given those scopes for his access token

Is it up to my calling app to enforce only sending asking for the scope Bobs needs? Or is there something I am missing with regards to scopes?

Can someone please enlighten me with some simple examples?

like image 721
Jason Avatar asked Feb 02 '18 11:02

Jason

People also ask

What are the scopes in OAuth2?

OAuth 2.0 scopes provide a way to limit the amount of access that is granted to an access token. For example, an access token issued to a client app may be granted READ and WRITE access to protected resources, or just READ access. You can implement your APIs to enforce any scope or combination of scopes you wish.

What is the difference between role and scope?

Scopes are typically used when an external application wants to gain access to the user's data via an exposed API. They determine what the client application can do. Role- or group based access is typically used within an application to determine what a user can do.

Is scope required for OAuth2?

You don't necessarily need OAuth2 scopes, and you can handle authentication and authorization however you want. But OAuth2 with scopes can be nicely integrated into your API (with OpenAPI) and your API docs.

What are the different roles OAuth support?

OAuth 2.0 defines four roles: Resource Owner, Client, Resource Server and Authorization Server.

1 Answers

In OAuth2, there are the following roles:

  • Resource owner - usually some person
  • Auth provider - the OAuth2 server
  • Resource server - an API that requires an access token and validates its scopes
  • Client application - application requesting an access token with some scopes.

To understand OAuth2, it's necessary to think about it as a protocol for access rights delegation from a Resource owner to a Client application. So the main use case is: the Client application wants to access the Resource server. In order to do that, the Client application needs an access token issued by the Auth provider and authorized by the Resource owner (which gets authenticated by the Auth provider).

In your description, the Client application is missing. Let's assume it's a frontend application for your API. It needs an access token with scopes admin-user-scope or regular-user-scope. So it redirect a user (Resource owner) to the Auth provider, requesting both scopes.

The Auth provider authenticates the user and asks him/her for a consent on granting some of the requested scopes to the Client application. The Auth provider may remove some scopes - for example the admin-user-scope for non-admins. The Auth provider may give the user a possibility to remove some scopes too.

The Client application receives an access token (or a grant) with scopes in a redirect URI. If the granted scopes differ from the requested scopes, the Auth provider sends a list of granted scopes (the scope URL parameter) along with the access token, so the Client application knows what actions it can perform with the access token.

Then the client application may access the Resource server and the Resource server makes sure that the provided access token contains required scopes. The Resource server uses the OAuth2 introspection endpoint to validate the token and to get a list of its scopes.

like image 150
Ján Halaša Avatar answered Oct 04 '22 06:10

Ján Halaša
Sign in to Comment

Related questions

Spring security. How to log out user (revoke oauth2 token)
ImportError: cannot import name SignedJwtAssertionCredentials
Handling openURL: with Facebook and Google
Error: invalid_request device_id and device_name are required for private IP
Getting Server Rejected error when upload using Google Picker, Oauth2
This app isn't verified This app hasn't been verified by Google yet. Only proceed if you know and trust the developer
The App keeps asking for permission to "Have offline access", why?
Should jwt web token be encrypted?
How to persist an OAuth2 token (or use a refresh token) in Postman collections?
oauth-private.key does not exist or is not readable
How do client-side JS libraries for OAuth2 maintain secure authentication?
OAuth - What exactly is a resource owner? When is it not an end-user?
How to implement FosOAuthServerBundle to secure a REST API?
oauth2.0 how to pass access token
OAuth or JWT? Which one to use and why?
Getting Scope Validating error in Identity Server 4 using JavaScript Client in asp.net core
How to validate Azure AD security token?
Can you get a public Facebook page's feed using Graph API without asking a user to allow?
Laravel Passport Scopes
Clarification on id_token vs access_token

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!