Understanding Scopes


Principles

Scopes provide a way to limit the amount of access that is granted to an access token.  

They are used both in OAuth2 and OpenIDConnect. However, OpenIDConnect extends the usage of scopes.

Authorization

Scopes can be authorized by a user. This is typically requested at the point the user logs in, as shown below. 

A scope is requested by a Service Provider. It is authorized by a user, who is authenticated by an Identity Provider.

Not every request is necessarily authorized by a user (e.g. in a machine-to-machine context), but scopes are still used in this case.

OAuth2 vs OpenIDConnect

OAuth2

You can implement your APIs to enforce that a given scope, or combination of scopes, is present in the token. So, when a client receives a token that has the "READ" scope and uses this token to call an API endpoint that requires "WRITE" access, the call will fail.

OAuth scopes are defined as a list of names in the metadata.

OAuth scopes are applied to the API Service Providers in IDhub. There you define which scope(s) are allowed to access certain API locations and methods.

OpenIDConnect

OpenIDConnect is an extension to OAuth2, so the principles covered under OAuth2 still apply. In addition, a Service Provider can request additional user information (claims) from the IDP; these are provided in an ID Token, alongside the Access Token.

Pre-defined sets of Claims can be requested using specific scope values. Although not currently supported by IDHub, individual Claims can also be requested using the claims request parameter.

A scope called 'openid' MUST be included in an Authorization request to make it an OpenIDConnect request. Otherwise, the request is treated as a plain OAuth2 request.
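The per-endpoint scope enforcement described under OAuth2 above, and the 'openid' check just described, as an added example (not IDhub's own code). The policy table, route paths and token contents are constructed for illustration; the token is assumed to be already signature-verified.

```python
import re

# Constructed policy: (HTTP method, path pattern) -> scopes that must ALL be present.
# Scope names follow the article's "READ"/"WRITE" convention.
POLICY = [
    ("GET",    r"^/api/orders(/\d+)?$", {"READ"}),
    ("POST",   r"^/api/orders$",        {"WRITE"}),
    ("DELETE", r"^/api/orders/\d+$",    {"WRITE", "ADMIN"}),
]

def parse_scopes(scope_claim):
    """RFC 6749 3.3: scope values are case-sensitive, space-delimited strings.
    Some issuers emit a JSON array instead; accept both, reject anything else."""
    if scope_claim is None:
        return frozenset()
    if isinstance(scope_claim, str):
        return frozenset(scope_claim.split())
    if isinstance(scope_claim, (list, tuple)) and all(isinstance(s, str) for s in scope_claim):
        return frozenset(scope_claim)
    raise ValueError("malformed scope claim")

def required_scopes(method, path):
    """Scope set required for this route, or None if the route is not covered
    by the policy (treated as deny: unlisted endpoints are not exposed)."""
    for m, pattern, scopes in POLICY:
        if m == method.upper() and re.match(pattern, path):
            return scopes
    return None

def authorize(token_claims, method, path):
    """Decide whether an already-verified token may call the endpoint.
    Returns (allowed, reason); a READ-only token calling a WRITE route is refused."""
    needed = required_scopes(method, path)
    if needed is None:
        return False, "no policy for route"
    try:
        granted = parse_scopes(token_claims.get("scope"))
    except ValueError as exc:
        return False, str(exc)
    missing = needed - granted
    if missing:
        return False, "insufficient_scope: missing " + " ".join(sorted(missing))
    return True, "ok"

def is_openid_request(scope_param):
    """An authorization request is an OpenIDConnect request only if 'openid' is among its scopes."""
    return "openid" in parse_scopes(scope_param)
```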
