
OAuth 2 - how to define dynamic resource authorization?

As a resource server, I'd like to give users more control over their resources.

For example, consider I have a cloud file system supporting OAuth 2.

The user may provide permission to access the files to a client on his behalf.

I'd like the resource server to offer access to a specific folder, for example just photos and not documents.

The names of the folders are a dynamic resource, as they vary among users.

How can I handle dynamic resource authorization? Dynamic scopes?

Also, if the scope is dynamic, how does the client know to request it?

* Couldn't find it in the spec :(

The document RFC 6749, which is the OAuth 2.0 spec, defines a way to extend OAuth 2 by using additional parameters (rfc6749#section-8.2). So, if you want to solve this with OAuth, you could use this approach or something similar:

  • you define a new parameter for the Authorization Request to specify a resource (e.g. folderID=XXXXX)
  • During the Authorization request, a client can OPTIONALLY specify a resource by using the new parameter
  • If the parameter is specified, your Authorization Server will generate a "dynamic scope" which must be signed by the Resource Owner
  • if the parameter is not specified, the Resource Owner can select the resource he wants to share, and the Authorization server can generate the related "dynamic scope" (This scenario implies that the resource server is involved somehow during the Authorization flow)
  • When the scopes are defined and signed by the Resource owner they are communicated to the Client (it should be able to derive the resource ID from the scope if the latter has been defined by Resource Owner)
  • When the Client asks for a resource, the resource server also has to make sure that the scope includes the requested resource

Bear in mind that such an approach works better if the number of resources per user is not very big (otherwise you can be flooded with scopes).

Another method could be to add an extra layer of Authorization behind the OAuth Layer. This additional layer keeps track of the relation client/accessible resources.

Just recently I had to familiarize myself with OAuth/OIDC, and now I am facing the same question - here's what I could think of so far -

  • You surely have a reason to externalize security (authN, authZ) - that's why you use OAuth. Do you really want your Authorization Server to know about the resources you have in your application?
  • Scopes - as far as I understood - control access to APIs, not 'resources' in the standard meaning - even though I read about 'resource' typed scopes, but those were again giving access to an API.
  • If you have resources (files) you want to control access to, you'll probably be better off handling it inside your application - and optionally request the list of known clients from the Auth Server, if you have to.

This is the way I am going to try doing it for my own app anyway - it is indeed surprising not to find any resources about this online.

Resurrecting a pretty old question here, but I think the problem is still current.

One useful detail to bear in mind is that the scope requested by the client and the scope allowed by the Resource Owner don't have to be equal. In fact, the scope allowed by the RO doesn't even have to be a subset of the requested scope.

In your case, the scope allowed by the RO can be a set of resource URLs, selected by the RO at the grant step depending on the requested scope. Then, by looking at the values in the access token and understanding their meaning, the Resource Server will be able to serve the requested resources dynamically.
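The following simulation is an added example, not code from the question or from any of the answers. It ties together the procedure in the first answer (an extension parameter on the authorization request, a "dynamic scope" built from the folder the resource owner approves, and a resource server that checks the requested resource is inside the granted scope) with the point in the last answer (the granted scope is a set of resource URLs chosen by the RO and need not match what the client asked for). The parameter name `folder`, the folder IDs, the URLs, the `read:<url>` scope syntax and the HMAC token envelope are all assumptions made for the example; a real deployment would use a JWT or introspection and a proper key.

```python
"""Simulation of per-resource ("dynamic") OAuth 2.0 scopes.

Added example, not code from the original question or answers. The `folder`
request parameter, the folder IDs, the URLs and the `read:<url>` scope
syntax are assumptions; the token is a demo HMAC envelope, not a JWT library.
"""
import base64
import hashlib
import hmac
import json
from posixpath import normpath
from urllib.parse import urlsplit, unquote

SIGNING_KEY = b"demo-key-do-not-reuse"  # constructed for the example

# Constructed data: each resource owner has their own folder IDs and URLs,
# which is why the scope values cannot be fixed in advance.
FOLDERS = {
    "alice": {
        "f-101": "https://files.example/alice/photos/",
        "f-102": "https://files.example/alice/documents/",
    },
}


# --- Authorization server ---------------------------------------------------

def consent_screen(user, params):
    """Authorization endpoint handling the extension parameter (RFC 6749 s8.2).

    If the client sent `folder=<id>`, pre-select that folder; otherwise offer
    every folder so the resource owner picks. Unknown IDs are rejected early.
    """
    requested = params.get("folder")
    if requested is not None and requested not in FOLDERS[user]:
        raise ValueError("invalid_request: unknown folder")
    return {"preselected": [requested] if requested else [],
            "options": sorted(FOLDERS[user])}


def grant(user, approved_folder_ids):
    """Consent decision. The granted scope is whatever the owner approved; it
    need not equal, or be a subset of, what the client asked for."""
    return sorted("read:" + FOLDERS[user][f] for f in approved_folder_ids)


def issue_token(user, granted_scopes):
    """Mint an HMAC-signed token carrying the granted scope (demo format)."""
    payload = json.dumps({"sub": user, "scope": " ".join(granted_scopes)},
                         sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    enc = lambda b: base64.urlsafe_b64encode(b).decode()
    return enc(payload) + "." + enc(sig)


# --- Resource server ---------------------------------------------------------

def verify_token(token):
    """Check the signature before trusting any claim in the token."""
    p, s = token.split(".")
    payload, sig = base64.urlsafe_b64decode(p), base64.urlsafe_b64decode(s)
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token signature")
    return json.loads(payload)


def canonical(url):
    """(origin, normalized path): collapses '..' and percent-encoded segments
    so a prefix check cannot be escaped by path traversal."""
    u = urlsplit(url)
    origin = u.scheme.lower() + "://" + u.netloc.lower()
    return origin, normpath("/" + unquote(u.path))


def covers(granted_url, requested_url):
    """True if requested_url is the granted folder or lies beneath it.
    The trailing '/' guard stops /photos from matching /photos-private."""
    g_origin, g_path = canonical(granted_url)
    r_origin, r_path = canonical(requested_url)
    if g_origin != r_origin:
        return False
    return r_path == g_path or r_path.startswith(g_path.rstrip("/") + "/")


def resource_server_allows(token, requested_url):
    """Serve a file only if some granted scope entry covers it."""
    try:
        claims = verify_token(token)
    except (PermissionError, ValueError):
        return False
    for entry in claims.get("scope", "").split():
        action, _, url = entry.partition(":")
        if action == "read" and covers(url, requested_url):
            return True
    return False


def tamper(token, new_scope):
    """Attacker helper for the demo: swap the scope but keep the old signature."""
    _, sig = token.split(".")
    payload = json.dumps({"sub": "alice", "scope": new_scope}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


if __name__ == "__main__":
    screen = consent_screen("alice", {"folder": "f-101"})
    token = issue_token("alice", grant("alice", screen["preselected"]))
    print(resource_server_allows(token, "https://files.example/alice/photos/cat.jpg"))  # True
    print(resource_server_allows(token, "https://files.example/alice/photos/../documents/tax.pdf"))  # False
```

Two details matter in practice. The resource server must normalize the requested URL before the prefix comparison, otherwise `photos/../documents/` or a percent-encoded `%2e%2e` escapes the granted folder, and a bare `startswith` would let `photos-private/` match a grant for `photos/`. And because the scope values are per-user URLs, the client learns what it was actually granted only by reading the scope returned with the token (or via introspection), which is how it copes with not knowing the folder names in advance.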
