OAuth scopes and application roles & permissions
Question
Currently my application is verifying user's access based on the roles and permissions. For example, if a user is admin then he has all permissions.
However, now I am implementing OAuth 2.0 and OpenIdConnect for single sign on and token based authentication for web applications and REST API's.
OAuth 2.0 and Open id connect rely heavily on scopes for access control. Scopes such as account.write account.read account.delete are very similar to permissions "CanCreateAccount" "CanReadAccount" "CanDeleteAccounts" "CanAssignRolesToPermissions".
I don't understand what is the difference between the two. This separation forces my application to check the client's scopes when access REST API's and separate check for user's permission. This i believe leads to code duplication.
Am I right in thinking that OAuth 2.0 scopes and application permissions are same? If this is true, then instead of maintaining separate application permissions, should I just stick to scopes through out my application?
For example, currently the user is assigned to a role and role has permissions. If I replace permissions with scopes then I wound't have to duplicate the client/user scope/permission checking functionality.
You might be thinking why not replace scopes with permissions. That is because I want to stick to OAuth 2.0 spec and scopes are used throughout the spec.
3 answers
solution1
10 2018-01-20 04:25:37
Scopes are per Client app , while permissions are per user . In other words - one client app can have a scope(s) to access certain API(s), but the users of this client app will have different permissions in this api (based on their roles). Your application should not check for the scopes. IdentityServer (I see that you have used it as a tag, so I suggest that you are using this as an OAuth authenticator) will reject a client, that doesn't have the required scope(s). Your app must only check the user permissions.
solution2
0 2021-12-06 10:23:12
Am I right in thinking that OAuth 2.0 scopes and application permissions are same?
Technically, this is not correct.
OAuth 2.0 scopes are NOT application permissions . They allow an application to access a resource on behalf of the user . If your application has been granted the scope X on a resource, it is allowed to access that resource ONLY IF the user has the corresponding privilege.
In other words, your app's scopes MUST be checked together with the user's privileges.
To learn more, check out this article about the difference between permissions, privileges, and scopes .
solution3
0 2022-12-13 13:13:15
You could read this excellent post or watch the video in the same post to get a clear understanding of scopes, permissions and privileges.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.