What is the difference between scope and entity in hapijs?

Tags:

hapi.js

I'm looking at some of the auth config options for hapi routes. I understand how scope works - you can set the scope of a route to 'admin' which means the user's credentials must have a scope that matches...but what is the purpose of entity?

Here are the docs:

  • entity - the required authenticated entity type. If set, must match the entity value of the authentication credentials. Available values:
    • any - the authentication can be on behalf of a user or application. This is the default value.
    • user - the authentication must be on behalf of a user.
    • app - the authentication must be on behalf of an application.

When I set entity to 'user' on a route I get this error:

"message": "Application credentials cannot be used on a user endpoint"

Which leads me to believe my auth plugin is setting my entity somewhere to 'app'? For reference I am using hapi-auth-jwt.

Kevin Wu asked Nov 10 '22 18:11



1 Answer

Although this is an old post, in case this can help others, the answer to this is that the authentication is considered to be on behalf of an end-user if the credentials object contains a property user.

In your case, if the credentials object didn't contain such a user property, this was considered as an authentication on behalf of an application, hence the access control failure. Your auth.access.entity definition made your endpoint a user endpoint but your credentials were not considered as user credentials but application credentials.

If your credentials object contains the identity of the user in another property (e.g. sub or email), you may want to copy it into a new property user in your authentication plugin or as part of the validation function you are using to configure it.

claudius answered Jan 04 '23 01:01

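The rule from the answer above, as an added, self-contained example (not code from the post, from hapi or from hapi-auth-jwt): a hypothetical validate function copies the JWT `sub` claim into a `user` property, and a small access check reproduces the entity and scope decisions so you can see why a token without `user` trips the "user endpoint" error. The token payloads and route config are constructed.

```javascript
// Added example, not from the original post and not hapi's own source.
// It reproduces the rule the answer describes: credentials with a `user`
// property count as user credentials, anything else as application credentials.

// Constructed decoded JWT payloads, as a hapi-auth-jwt validate function sees them.
const USER_TOKEN = { sub: 'user-42', email: 'alice@example.com', scope: ['admin'] };
const SERVICE_TOKEN = { client_id: 'billing-service', scope: ['reports:read'] };

// Hypothetical validate function: copies the subject claim into `user`
// so hapi treats the request as authenticated on behalf of a person.
function validate(decoded) {
  const credentials = { scope: decoded.scope || [] };
  if (decoded.sub) {
    credentials.user = { id: decoded.sub, email: decoded.email };
  } else if (decoded.client_id) {
    credentials.app = { id: decoded.client_id };
  }
  return { isValid: true, credentials };
}

// Hypothetical route access config in the shape of hapi's auth.access option.
const USER_ROUTE_ACCESS = { entity: 'user', scope: ['admin'] };

// Entity and scope check modelled on the behaviour the answer describes.
function checkAccess(access, credentials) {
  const isUser = Object.prototype.hasOwnProperty.call(credentials, 'user');
  if (access.entity === 'user' && !isUser) {
    return { ok: false, message: 'Application credentials cannot be used on a user endpoint' };
  }
  if (access.entity === 'app' && isUser) {
    // Mirror case; wording constructed for this example.
    return { ok: false, message: 'User credentials cannot be used on an app endpoint' };
  }
  if (access.scope) {
    const have = [].concat(credentials.scope || []);
    if (!access.scope.some((s) => have.includes(s))) {
      return { ok: false, message: 'Insufficient scope' };
    }
  }
  return { ok: true };
}

// Run a decoded token through validation and then the route's access rules.
function decide(decoded, access) {
  const { credentials } = validate(decoded);
  return checkAccess(access, credentials);
}

console.log(decide(USER_TOKEN, USER_ROUTE_ACCESS));    // { ok: true }
console.log(decide(SERVICE_TOKEN, USER_ROUTE_ACCESS)); // the error quoted in the question
```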