Spring oauth2 scope vs authorities(roles)

I'm using Spring Security OAuth2 and have currently implemented the client_credentials and password grant types. I noticed a client has both scope and authorities. Can someone please explain what the difference is? To be more specific, I'm using the JdbcTokenStore, and the database schema has an oauth_client_details table.

Also,

In the oauth_client_details table, I'm not sure what the following fields are used for:

web_server_redirect_url, access_token_validity, refresh_token_validity

Some clarification would be very helpful and appreciated.

Michael LoCicero asked Aug 19 '15 10:08


1 Answer

I noticed a client has both scope and authorities

The client only has scope, but we can consider/use it as an authority (roles). This is because the OAuth2 spec doesn't explain the specific usage of scope.

Consider this: a user authorizes Twitter to post the user's tweets to Facebook. In this case, Twitter will have a scope write_facebook_status. Although the user has authority to change its own profile, this doesn't mean that Twitter can also change the user's profile. In other words, scopes are client authorities/roles, not the user's authorities/roles.

web_server_redirect_url

This will be used by the authorization server to redirect the request to its original URL or callback (authorization grant) after successful authorization.

access_token_validity

This is the access_token expiration time in seconds. Set it to -1 or 0 for infinite. If you set it to 60, then after 1 minute your access_token will be invalid. You have to either request a new token by doing the authorization process again or use the refresh_token.

refresh_token_validity

This is the refresh_token expiration time in seconds.

KSTN answered Sep 21 '22 10:09
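The scenario in the answer, written out as an added example (not code from the question or the answer): a Spring Security OAuth2 authorization server that registers the Twitter client with the same fields as the oauth_client_details columns, and a resource server that checks the client's scope separately from the user's role. The client id, secret, the `profile` scope, the `ROLE_TRUSTED_CLIENT` authority and all URLs are made up for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Same fields as the oauth_client_details columns, held in memory so the
        // example needs no database; with a database use clients.jdbc(dataSource).
        clients.inMemory()
            .withClient("twitter")                      // client_id (hypothetical)
            .secret("twitter-secret")                   // client_secret (hypothetical; encode it in production)
            .authorizedGrantTypes("authorization_code", "refresh_token", "client_credentials")
            .scopes("write_facebook_status")            // scope: what the CLIENT may do on the user's behalf
            .authorities("ROLE_TRUSTED_CLIENT")         // authorities: the client's own roles, used when the
                                                        // client itself is the principal (client_credentials)
            .redirectUris("https://twitter.example/oauth/callback") // web_server_redirect_uri
            .accessTokenValiditySeconds(60)             // access_token_validity: token dies after 1 minute
            .refreshTokenValiditySeconds(3600);         // refresh_token_validity: refresh allowed for 1 hour
    }
}

@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Posting to Facebook needs the client's scope AND a logged-in user:
            // a token for a ROLE_USER who never granted this scope is refused.
            .antMatchers("/facebook/status")
                .access("#oauth2.hasScope('write_facebook_status') and hasRole('USER')")
            // Editing the profile needs the USER's role plus a 'profile' scope the
            // twitter client was never given, so its write_facebook_status token is refused
            // even though the user behind it does have ROLE_USER.
            .antMatchers("/profile/**")
                .access("hasRole('USER') and #oauth2.hasScope('profile')")
            // A client-only endpoint checks the client's authorities column instead.
            .antMatchers("/admin/clients/**")
                .access("#oauth2.clientHasRole('ROLE_TRUSTED_CLIENT')")
            .anyRequest().authenticated();
    }
}
```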