Scope

May 30, 2024 | seedling, permanent

In OAuth2 #

  • In OAuth 2.0, scope is a request parameter through which the client states the extent of access it is asking the user to approve.
  • It names the permissions the user grants the application: which kinds of data it may access and which actions it may perform on the user's behalf. The authorization server may issue a token with fewer scopes than were requested, so the client should read the scope value returned alongside the token rather than assume the full request was granted.

Example #

ref: youtube video

Definition and Role #

Limiting Access #

Scope is used to specify the level and type of access that the application is requesting to the user’s data or resources.

  • When a user authenticates and authorizes an application, they are shown what scopes the application is requesting.
  • The user can then give consent based on these scopes.

Common Scopes #

openid #

scope=openid turns a plain OAuth 2.0 authorization request into an OpenID Connect request. When the client exchanges the authorization code returned for such a request at the token endpoint, the token response carries two tokens:

  1. access_token for AuthZ: presented to the resource server (including the userinfo endpoint) when calling APIs.

  2. id_token: a signed JWT whose claims identify the authenticated user. The client must validate its signature, issuer, audience and expiry before trusting any claim in it, and should not send it to APIs as if it were an access token.

Scope vs Grant #

Grant #

  • Definition: A method used by the client to obtain authorization from the user and request an access token from the Authorization Server.
  • Types: Includes Authorization Code, Implicit, Password, Client Credentials, and Refresh Token. The Implicit and Password (resource owner password credentials) grants are deprecated by the OAuth 2.0 Security Best Current Practice and removed in OAuth 2.1; new clients should use Authorization Code with PKCE.
  • Usage: Chosen based on application type, authorization server capabilities, and security requirements.
  • Role in OAuth Flow: Determines the authentication and authorization process, client authentication, and token issuance.

Scope #

  • Definition: A parameter defining the extent of access the application is requesting. Its value is a space-delimited list of case-sensitive strings whose meaning is set by the authorization server and the resource server, not by the OAuth spec; it represents the permissions granted to the application.
  • Examples: Scopes such as ‘read’, ‘write’, ‘delete’, ‘user:email’, ‘photos:read’, ‘files:write’, etc.
  • Usage: Allows users to control the level of access granted to the application. Included in the authorization request and presented during consent.
  • Role in OAuth Flow: Used for fine-grained access control. Determines access level granted to the application after user consent.

Key Differences #

  • Function: Grants are about the method of authorization (how an application obtains an access token), while scopes are about the extent of permissions (what the application can do with the token).
  • In OAuth Flow: Grants are part of initial OAuth steps for authorization, while scopes define and request the level of access.
  • User Interaction: Both can involve user interaction, but scopes are more directly related to user consent for data access or actions.
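The following is an added worked example, not code from the page or from the referenced video, that ties the pieces above together: a client building a scoped authorization request, an authorization server minting an access token that records the granted scopes, a resource server enforcing a required scope only after verifying the token, and the standard OpenID Connect scope-to-claims groupings (the ones in the screenshots below) used to release only the claims a user consented to. Everything in it is constructed: the HS256 demo key, the endpoints, the client_id, scope names such as photos:read, and the profile data. It uses only the Python standard library and runs offline.

```python
"""Added worked example (not from the page): OAuth 2.0 / OIDC scope handling
with constructed data and an HS256 demo key; runs offline, no third-party deps.
Shows (1) a scoped authorization request, (2) a resource server enforcing a
required scope on a verified access token, (3) releasing only the claims that
the granted scopes cover, per the standard OpenID Connect groupings."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Hypothetical shared secret so the example needs no key material on disk.
# Real authorization servers sign with asymmetric keys published via JWKS.
SIGNING_KEY = b"constructed-demo-secret-not-for-production"

# Standard OpenID Connect scope -> claims groupings (OIDC Core 1.0, section 5.4).
# "openid" itself yields sub plus ID-token system claims; offline_access yields
# no claims but asks for a refresh token.
SCOPE_CLAIMS = {
    "openid": {"sub", "auth_time", "acr", "amr", "azp"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
    "offline_access": set(),
}


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scopes, state):
    """Client side: requested scopes travel as one space-delimited parameter."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject, audience, scopes, now, ttl=300):
    """Authorization server side: JWT access token carrying the granted scopes."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
               "scope": " ".join(scopes)}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token, expected_aud, required_scope, now):
    """Resource server side. Signature, alg, audience and expiry are checked
    before any claim is trusted; only then is the scope claim consulted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":  # pin the algorithm; rejects alg=none
        raise PermissionError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if payload.get("aud") != expected_aud:
        raise PermissionError("wrong audience")
    if now >= payload.get("exp", 0):
        raise PermissionError("token expired")
    granted = set(payload.get("scope", "").split())  # space-delimited per RFC 6749
    if required_scope not in granted:
        raise PermissionError(f"insufficient_scope: need {required_scope}")
    return payload


def claims_for_scopes(granted_scopes, full_profile):
    """Userinfo / ID-token side: release only claims the granted scopes cover."""
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in granted_scopes))
    return {k: v for k, v in full_profile.items() if k in allowed}


if __name__ == "__main__":
    now = int(time.time())
    print(build_authorization_url("https://as.example/auth", "photo-app",
                                  "https://app.example/cb", ["openid", "photos:read"], "s1"))
    tok = mint_access_token("alice", "photos-api", ["openid", "photos:read"], now)
    print(verify_access_token(tok, "photos-api", "photos:read", now)["scope"])
```

The order of checks in verify_access_token is the point: the scope string is read from the payload only after the signature, algorithm, audience and expiry have been verified, because a scope check on an unverified token is no check at all. A token carrying photos:read is rejected for a photos:write call with insufficient_scope, which is the error the resource server should map to HTTP 403 rather than 401.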

OCR of Images #

2023-11-24_14-21-40_screenshot.png #

Authorization request shown on the slide (the client_id value is not legible in the OCR):

  /auth?client_id=…&response_type=code&scope=openid profile email address phone offline_access

Claims released per scope:

  • profile: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
  • email: email, email_verified
  • address: address (formatted, street_address, locality, region, postal_code, country)
  • phone: phone_number, phone_number_verified

2023-11-21_13-29-11_screenshot.png #

Example claim values for the profile scope:

  • name: Mr. John Q. Doe
  • family_name: Doe
  • given_name: John
  • middle_name: Quincy
  • nickname: John Boy
  • preferred_username: J. Quincy Doe
  • profile: https://example.com/jdoe
  • picture: https://example.com/jdoe/me.jpeg
  • website: https://jdoe.example.com
  • gender: male
  • birthdate: 1988-01-01
  • zoneinfo: America/Los_Angeles
  • locale: en-US
  • updated_at: 1553270968

2023-11-21_13-29-18_screenshot.png #

Standard OpenID groupings (slide by Travis Spencer, Copyright 2019 Curity AB):

  • openid: sub, auth_time, acr and other system claims (e.g. amr, azp)
  • profile: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
  • email: email, email_verified
  • address: address
  • phone: phone_number, phone_number_verified
  • offline_access: no claims; it asks the authorization server for a refresh token
