OAuth2, scopes and user roles

春和景丽 2020-12-13 02:16

I am asking a question conceptually here as I am trying to understand the relationship between scopes and user roles in an OAuth2 based system.

As I am implementing

1 answer
  • 2020-12-13 03:04

    In OAuth2, there are the following roles:

    • Resource owner - usually some person
    • Auth provider - the OAuth2 server
    • Resource server - an API that requires an access token and validates its scopes
    • Client application - application requesting an access token with some scopes.

    To understand OAuth2, it's necessary to think about it as a protocol for access rights delegation from a Resource owner to a Client application. So the main use case is: the Client application wants to access the Resource server. In order to do that, the Client application needs an access token issued by the Auth provider and authorized by the Resource owner (which gets authenticated by the Auth provider).

    In your description, the Client application is missing. Let's assume it's a frontend application for your API. It needs an access token with scopes admin-user-scope or regular-user-scope. So it redirects a user (Resource owner) to the Auth provider, requesting both scopes.

    The Auth provider authenticates the user and asks him/her for consent on granting some of the requested scopes to the Client application. The Auth provider may remove some scopes - for example the admin-user-scope for non-admins. The Auth provider may give the user the possibility to remove some scopes too.

    The Client application receives an access token (or a grant) with scopes in a redirect URI. If the granted scopes differ from the requested scopes, the Auth provider sends a list of granted scopes (the scope URL parameter) along with the access token, so the Client application knows what actions it can perform with the access token.

    Then the Client application may access the Resource server, and the Resource server makes sure that the provided access token contains the required scopes. The Resource server uses the OAuth2 introspection endpoint to validate the token and to get a list of its scopes.

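As an added example (not part of the question or of the answer above), here is the sequence the answer describes, modelled in Python: the Auth provider narrows the requested scopes by the user's role and by the user's consent, puts the granted list in the `scope` parameter of the redirect only when it differs from what was requested (RFC 6749 section 5.1), and the Resource server checks the token through an introspection-style lookup (RFC 7662 response shape) before serving the request. The user table, the role-to-scope mapping, the client registration, the redirect URI and the token-in-fragment redirect are all constructed assumptions; a production system would use the authorization-code flow and a real introspection endpoint rather than an in-memory dict.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data (assumptions, not from the post): the role of each
# Resource owner and the scopes the Auth provider will issue for that role.
USER_ROLES = {"alice": "admin", "bob": "user"}
ROLE_SCOPES = {
    "admin": {"admin-user-scope", "regular-user-scope"},
    "user": {"regular-user-scope"},
}
# Scopes the hypothetical Client application is registered to ask for.
CLIENT_ALLOWED = {"admin-user-scope", "regular-user-scope"}

# Stand-in for the Auth provider's token store: opaque token -> record.
TOKENS = {}


def grant_scopes(username, requested):
    """Auth provider: keep only the requested scopes this user's role allows
    and this client is registered for (admin-user-scope is dropped for non-admins)."""
    role = USER_ROLES[username]
    return set(requested) & ROLE_SCOPES[role] & CLIENT_ALLOWED


def issue_token(username, requested, user_declined=()):
    """Auth provider: apply role narrowing, then the user's consent choices,
    then mint an opaque bearer token. Returns (token, granted_scopes)."""
    granted = grant_scopes(username, requested) - set(user_declined)
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"sub": username, "scope": granted, "exp": time.time() + 3600}
    return token, granted


def build_redirect(redirect_uri, token, requested, granted):
    """Auth provider: send the Client back to its redirect URI. Per RFC 6749 5.1
    the `scope` parameter is only required when it differs from the request."""
    params = {"access_token": token, "token_type": "Bearer"}
    if granted != set(requested):
        params["scope"] = " ".join(sorted(granted))
    return f"{redirect_uri}#{urlencode(params)}"


def client_parse_redirect(url, requested):
    """Client application: recover the token and the scopes it really holds.
    No `scope` parameter means everything requested was granted."""
    frag = parse_qs(urlsplit(url).fragment)
    token = frag["access_token"][0]
    scope = set(frag["scope"][0].split()) if "scope" in frag else set(requested)
    return token, scope


def introspect(token):
    """Auth provider introspection endpoint, RFC 7662 response shape."""
    rec = TOKENS.get(token)
    if rec is None or rec["exp"] < time.time():
        return {"active": False}
    return {"active": True, "sub": rec["sub"], "scope": " ".join(sorted(rec["scope"]))}


def resource_server_check(token, required):
    """Resource server: 401 for unknown/expired tokens, 403 when any required
    scope is missing, 200 otherwise. Returns the HTTP status it would send."""
    info = introspect(token)
    if not info.get("active"):
        return 401
    if not set(required) <= set(info["scope"].split()):
        return 403
    return 200
```

The important detail for the question is that the role check happens once, at the Auth provider, when it decides which scopes to grant; the Resource server never looks at roles, only at the scopes the token carries.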