Add OAuth Client with Scope which is not supported in OAuth Provider


This topic has 3 replies, 2 voices, and was last updated 3 months ago by Jatinder Singh.

  • #28095
     ray.deng83
    Participant

    Regarding OAuth scope, is it possible to add a client with a scope that is not defined in the OAuth Service Supported Scopes through Dynamic Client Registration?

    For example, in a “Test” realm, an OAuth2 Provider is configured and [email, openid, profile] are listed as supported scopes. Then, some client is trying to register through dynamic client registration with a scope [new_scope]. By default, the registration request will be rejected as the specified scope is not supported. I’m wondering whether we can automatically provision that new_scope to the supported scopes in the OAuth Provider.

    Best,
    Le

    #28097
     Jatinder Singh
    Participant

    In OAuth2, the scope parameter is essentially a way to limit the access or scope of a granted access token. With that statement in place, if a client could (somehow) openly choose a wider scope/access for their access token, outside the published scopes of the OAuth2 Provider, that would lead to security issues, e.g. asking for more user data or claims than authorized. So it is the responsibility of an OAuth2 Provider to decide what scopes to publish or assign (using the default scopes mechanism) to a given set of clients.

    Hope this answers your question!
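To make the rejection concrete, here is an added example of the two checks the reply above describes: a Dynamic Client Registration (RFC 7591) handler that validates the requested scope against the provider's published scopes_supported, and the token-issuance check (RFC 6749 section 3.3) that keeps a registered client from obtaining a token wider than its registered scope. This is illustration code, not ForgeRock AM's implementation; the provider metadata, the default_scopes field and the registration requests are constructed sample data, and the error codes are the ones the two RFCs define.

```python
"""Scope validation for OAuth 2.0 Dynamic Client Registration and token issuance.

Added example, not ForgeRock AM code. PROVIDER_METADATA is a constructed
stand-in for a provider's published metadata (RFC 8414 shape); the
"default_scopes" key is an assumption modelling a provider's default-scope
setting and is not part of any RFC metadata document.
"""
from typing import Dict, List, Optional

# Constructed provider metadata for a hypothetical "Test" realm.
PROVIDER_METADATA = {
    "issuer": "https://am.example.com/oauth2/realms/root/realms/Test",
    "scopes_supported": ["openid", "profile", "email"],
    # Assumption: scopes assigned when a registration request names none.
    "default_scopes": ["openid"],
}


def _split_scope(scope: Optional[str]) -> List[str]:
    """Split a space-delimited scope string (RFC 6749 3.3), dropping duplicates
    while keeping the order the caller used."""
    return list(dict.fromkeys((scope or "").split()))


def register_client(request: Dict, provider: Dict, client_id: str) -> Dict:
    """Handle a DCR request body (RFC 7591 2) and return the response body.

    Any scope the provider has not published is rejected with
    invalid_client_metadata (RFC 7591 3.2.2); nothing is ever added to
    scopes_supported on a client's behalf. An absent or empty scope falls
    back to the provider's default scopes.
    """
    requested = _split_scope(request.get("scope"))
    supported = set(provider["scopes_supported"])
    unknown = sorted(set(requested) - supported)
    if unknown:
        return {
            "error": "invalid_client_metadata",
            "error_description": "unsupported scope(s): " + " ".join(unknown),
        }
    granted = requested or list(provider["default_scopes"])
    return {"client_id": client_id, "scope": " ".join(granted)}


def token_scope_for(client_scope: str, requested: Optional[str]) -> Dict:
    """Decide the scope of an access token for an already-registered client.

    RFC 6749 3.3 lets the server ignore out-of-range scope or fail with
    invalid_scope; this example takes the strict option and fails, so a
    client can never escalate past what it registered with. A request with
    no scope gets the client's full registered scope.
    """
    allowed = _split_scope(client_scope)
    if not requested:
        return {"scope": " ".join(allowed)}
    wanted = _split_scope(requested)
    excess = sorted(set(wanted) - set(allowed))
    if excess:
        return {
            "error": "invalid_scope",
            "error_description": "scope not registered for client: " + " ".join(excess),
        }
    return {"scope": " ".join(wanted)}


if __name__ == "__main__":
    # Constructed registration requests mirroring the question above.
    ok = register_client({"redirect_uris": ["https://app.example/cb"],
                          "scope": "openid email"}, PROVIDER_METADATA, "client-1")
    bad = register_client({"redirect_uris": ["https://app.example/cb"],
                           "scope": "new_scope"}, PROVIDER_METADATA, "client-2")
    print("registration with published scopes:", ok)
    print("registration with unpublished scope:", bad)
    print("token request beyond registered scope:",
          token_scope_for(ok["scope"], "openid profile"))
```

The same pattern applies to a client that already exists: the authorization or token endpoint compares the requested scope against the client's registered scope, not against the provider's full list, so neither registration nor a later token request can widen what the provider chose to publish or assign.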

    #28100
     ray.deng83
    Participant

    Okay, that makes sense. I was kinda having a similar feeling but would like to confirm on that. Thanks for the explanation!

    Best,
    Le

    #28101
     Jatinder Singh
    Participant

    Np :) Thanks.



©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
