Spring oauth2 scope vs authorities(roles)

Backend | Open | 1 answer | 715 views
[愿得一人] 2020-12-09 02:14

I'm Using Spring Security OAuth2 and currently implemented the client_credentials and password grant types. I noticed a client has both scope and authorities. Can someone p

1 answer
  • 2020-12-09 02:46

    I noticed a client has both scope and authorities

    The client only has scope, but we can consider/use it as an authority (roles). This is because the OAuth2 spec doesn't explain the specific usage of scope.

    Consider this: a user authorizes Twitter to post the user's tweets to Facebook. In this case, Twitter will have the scope write_facebook_status. Although the user has the authority to change their own profile, this doesn't mean that Twitter can also change the user's profile. In other words, scopes are client authorities/roles, not the user's authorities/roles.

    web_server_redirect_url

    This will be used by the authorization server to redirect the request to its original URL or callback (authorization grant) after successful authorization.

    access_token_validity

    This is the access_token expiration time in seconds. Set it to -1 or 0 for infinite. If you set it to 60, then after 1 minute your access_token will be invalid. You then have to either request a new token by repeating the authorization process or use the refresh_token.

    refresh_token_validity

    This is the refresh_token expiration time.
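    The distinction above, as an added example that is not part of the answer: one client acts on a user's behalf and is bounded by its scope, the other uses client_credentials and carries its own authorities, and the resource server checks scope and role separately. Assumes the legacy spring-security-oauth2 project and Spring Security 5's delegating password encoder; client ids, secrets and URLs are constructed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.*;

@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Client acting on behalf of a user: scope bounds what it may do with the user's access
            .withClient("twitter-connector")                   // hypothetical client id
            .secret("{noop}client-secret")                     // constructed; store hashed secrets in production
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("write_facebook_status")                   // a client scope, not a user role
            .redirectUris("https://twitter.example/callback")  // web_server_redirect_url
            .accessTokenValiditySeconds(60)                    // access_token_validity: expires after 1 minute
            .refreshTokenValiditySeconds(3600)                 // refresh_token_validity
            .and()
            // Client acting for itself (client_credentials): no user, so the client's own authorities apply
            .withClient("batch-job")
            .secret("{noop}job-secret")
            .authorizedGrantTypes("client_credentials")
            .scopes("read")
            .authorities("ROLE_BATCH")
            .accessTokenValiditySeconds(300);
    }
}

@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Posting a status requires the scope the user granted to the client
            .antMatchers(HttpMethod.POST, "/status").access("#oauth2.hasScope('write_facebook_status')")
            // Changing the profile requires the user's role AND a 'profile' scope; a
            // write_facebook_status token carries ROLE_USER but not that scope, so it is refused
            .antMatchers("/profile/**").access("hasRole('USER') and #oauth2.hasScope('profile')")
            .anyRequest().authenticated();
    }
}
```

    A token issued to batch-job has ROLE_BATCH as its authorities, while a token issued to twitter-connector through the authorization_code flow carries the user's authorities limited by the client's scope.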
