I'm Using Spring Security OAuth2 and currently implemented the client_credentials and password grant types. I noticed a client has both scope and authorities. Can someone please explain what the difference is? To be more specific, I'm using the JDBCTokenStore and the database schema has a oauth_client_details table.
Also,
In the oauth_client_details table, I'm not sure what the following fields are used for:
web_server_redirect_url, access_token_validity,refresh_token_validity
Some clarification would be very helpful and appreciated.
You don't necessarily need OAuth2 scopes, and you can handle authentication and authorization however you want. But OAuth2 with scopes can be nicely integrated into your API (with OpenAPI) and your API docs.
OAuth 2.0 scopes provide a way to limit the amount of access that is granted to an access token. For example, an access token issued to a client app may be granted READ and WRITE access to protected resources, or just READ access. You can implement your APIs to enforce any scope or combination of scopes you wish.
Deprecated. See the OAuth 2.0 Migration Guide for Spring Security 5. Rest template that is able to make OAuth2-authenticated REST requests with the credentials of the provided resource.
User, Role and PrivilegeThe Role represents the high-level roles of the user in the system. Each role will have a set of low-level privileges. The Privilege represents a low-level, granular privilege/authority in the system.
I noticed a client has both scope and authorities
The client only has scope, but we can consider/use it as an authority(roles). This is because OAuth2 spec doesn't explain specific usage of scope.
Consider this, a user authorizes Twitter to post a user's tweet to Facebook. In this case, Twitter will have a scope write_facebook_status. Although user has authority to change it's own profile but this doesn't mean that Twitter can also change user's profile. In other words, scope are client authorities/roles and it's not the User's authorities/roles.
web_server_redirect_url
This will be used by authorization server to redirect the request to its original URL or callback(authorization grant) after successful authorization.
access_token_validity
This is the token_access expiration time in seconds. Set to -1 or 0 for infinite. If you set it to 60, then after 1 minute your token_access will be invalid. You have to either request a new token by doing the authorization process or use refresh_token.
refresh_token_validity
This is refresh_token expiration time.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With