July 22, 2020 at 9:15 pm #28095 ray.deng83 Participant
Regarding OAuth scope, is it possible to add a client with a scope that is not defined in the OAuth Service Supported Scopes through Dynamic Client Registration?
For example, in a “Test” realm, an OAuth2 Provider is configured and [email, openid, profile] are listed as supported scopes. Then, some client is trying to register through dynamic client registration with a scope [new_scope]. By default, the registration request will be rejected as the specified scope is not supported. I’m wondering whether we can automatically provision that new_scope to the supported scopes in the OAuth Provider.
July 23, 2020 at 6:20 pm #28097 Jatinder Singh Participant
In OAuth2, the scope parameter is essentially a way to limit the access, or scope, of a granted access token. With that in place, if a client could openly choose (somehow) a wider scope/access for its access token, outside the published scopes of the OAuth2 Provider, that would lead to security issues, e.g. asking for more user data or claims than authorized. So it is the responsibility of an OAuth2 Provider to decide what scopes to publish or assign (using the default scopes mechanism) to a given set of clients.
Hope this answers your question!
July 24, 2020 at 12:49 am #28100 ray.deng83 Participant
Okay, that makes sense. I was kind of having a similar feeling but wanted to confirm that. Thanks for the explanation!
July 24, 2020 at 3:45 am #28101 Jatinder Singh Participant
Np :) Thanks.
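The behaviour discussed in this thread, as an added example that is not code from the thread or from any OAuth2 provider product: a minimal Dynamic Client Registration (RFC 7591) handler that checks the requested scope against the provider's published scopes and rejects anything outside them with invalid_client_metadata instead of provisioning it, assigns the provider's default scopes when the client asks for none, and a token-endpoint check that bounds the granted scope by what the client registered. The supported and default scope sets, the registration requests and the function names are constructed for the example.

```python
"""Scope validation for OAuth2 Dynamic Client Registration (RFC 7591).

Illustrative code, not from any OAuth2 provider. The provider
configuration and the registration requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple
import secrets

# Constructed provider configuration for the "Test" realm in the thread.
SUPPORTED_SCOPES: FrozenSet[str] = frozenset({"openid", "profile", "email"})
DEFAULT_SCOPES: Tuple[str, ...] = ("openid",)


@dataclass
class RegistrationResult:
    """Outcome of a registration request: either a client_id plus the
    scope the client may use, or an RFC 7591 error code."""
    ok: bool
    client_id: Optional[str] = None
    scope: Tuple[str, ...] = ()
    error: Optional[str] = None
    error_description: Optional[str] = None


def parse_scope(value: object) -> Optional[Tuple[str, ...]]:
    """RFC 6749 scope syntax: a string of space-delimited, case-sensitive
    tokens. Returns None for non-strings, empty values and duplicates."""
    if not isinstance(value, str):
        return None
    tokens = tuple(value.split())
    if not tokens or len(tokens) != len(set(tokens)):
        return None
    return tokens


def register_client(metadata: Dict[str, object],
                    supported: FrozenSet[str] = SUPPORTED_SCOPES,
                    defaults: Sequence[str] = DEFAULT_SCOPES) -> RegistrationResult:
    """Validate the `scope` client metadata and issue a client_id.

    A scope the provider does not publish is rejected; the supported set
    is never widened by a registration request. A request without
    `scope` receives the provider's default scopes.
    """
    if "scope" not in metadata:
        return RegistrationResult(True, secrets.token_urlsafe(16), tuple(defaults))
    requested = parse_scope(metadata["scope"])
    if requested is None:
        return RegistrationResult(
            False, error="invalid_client_metadata",
            error_description="scope must be a non-empty string of unique space-delimited tokens")
    unknown = [s for s in requested if s not in supported]
    if unknown:
        return RegistrationResult(
            False, error="invalid_client_metadata",
            error_description="unsupported scope(s): " + " ".join(unknown))
    return RegistrationResult(True, secrets.token_urlsafe(16), requested)


def grant_scope(registered: Sequence[str],
                requested: Optional[str]) -> Tuple[Optional[Tuple[str, ...]], Optional[str]]:
    """Token endpoint: the granted scope is bounded by the client's
    registered scope. Returns (granted, None) on success, or
    (None, "invalid_scope") if the request exceeds the registration.
    An absent scope parameter falls back to the registered scope."""
    if not requested:
        return tuple(registered), None
    tokens = parse_scope(requested)
    if tokens is None or any(s not in registered for s in tokens):
        return None, "invalid_scope"
    return tokens, None


if __name__ == "__main__":
    # Constructed registration requests.
    print(register_client({"scope": "new_scope"}))          # rejected
    print(register_client({"scope": "openid email"}))       # accepted
    print(register_client({"redirect_uris": ["https://app.example/cb"]}))  # default scopes
    client = register_client({"scope": "openid email"})
    print(grant_scope(client.scope, "openid profile"))      # (None, 'invalid_scope')
```

The rejection path is what a compliant provider does by default; the answer in the thread is that the alternative, extending SUPPORTED_SCOPES from the request, would let any registering client define the access it is later granted.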