OAuth 2.0 Scopes

Niluka Sripali Monnankulama
Published in Many Minds
3 min read · Jul 27, 2021

Scopes are one of the most confusing concepts in OAuth. So what exactly is a scope? 🤔

With this blog, let's see what scopes are, how to use them, how to define them for our own service, and how to ask users for permission.

Scopes are essentially used by an application to request access to limited parts of a user's account.

If you don't set scopes, the OAuth exchange results in the application getting full access to the user's account.

That is, any operation available in the API could be performed by the application on behalf of the user.

Scopes allow us to limit the access granted to the application. That's why an application may request access to read data but not have access to write data.

Ex: When you connect an application to a Google Account, an application that uses the Google API should request a limited scope. When it has access to read user contacts, it will not be able to upload files to your Google Drive or send emails.

So, a scope is specifically a way for an application to request access.
Whether or not that request is granted is a whole different story.

So:

  • An application that knows what it wants to do will ask for the appropriate scopes.
  • Those scopes will then be surfaced to the user, so that the user knows what will be granted when they approve the request.
  • The access token that ends up being issued will then be associated with the limited scopes that were granted.
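The three steps above, as an added example that is not part of the original post: the application puts the scopes it wants into the authorization request, and after the user has approved (or trimmed) them, the granted scopes come back with the token. The endpoint URL, client id and scope names are hypothetical, and the token response is a constructed sample. The one subtle rule shown here comes from RFC 6749 §5.1: if the server leaves `scope` out of the token response, the granted scopes are identical to the requested ones, otherwise the response's `scope` is authoritative.

```python
# Added example (not code from the original post): how a client requests
# scopes and how the granted scopes come back with the issued token.
# Assumptions: the endpoint URL, client id and scope names are hypothetical;
# the token response below is a constructed sample.

AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"  # hypothetical

from urllib.parse import urlencode


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Build the authorization request (RFC 6749 section 4.1.1).

    'scope' is one space-delimited string, not a repeated query parameter.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_scope(scope_string):
    """Split a space-delimited scope string into a set of scope names."""
    return set(scope_string.split())


def granted_scopes(requested, token_response):
    """Work out which scopes the issued token actually carries.

    Per RFC 6749 section 5.1 the server must include 'scope' in the token
    response when it differs from what was requested; when it is absent,
    the granted scopes are identical to the requested ones.
    """
    if "scope" in token_response:
        return parse_scope(token_response["scope"])
    return set(requested)


def scopes_denied(requested, token_response):
    """Scopes the application asked for but did not end up with."""
    return set(requested) - granted_scopes(requested, token_response)


# Constructed sample: the app asks for read and write, the user approves read only.
REQUESTED = {"contacts:read", "contacts:write"}
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "CONSTRUCTED-SAMPLE-TOKEN",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "contacts:read",
}

if __name__ == "__main__":
    url = build_authorization_url("app-123", "https://app.example.com/cb", REQUESTED, "xyz")
    print(url)
    print("granted:", granted_scopes(REQUESTED, SAMPLE_TOKEN_RESPONSE))
    print("denied: ", scopes_denied(REQUESTED, SAMPLE_TOKEN_RESPONSE))
```

An application should always read the granted set from the token response rather than assume it got what it asked for; calling an API with a scope the user declined just produces an error at the resource server.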

So this is essentially a way to limit what an application can do, within the context of what a user can do within a system.

It is important to remember that this is not really a group, role or permission scheme within your API. This is specifically about granting applications limited access to the API.

You can have the concept of two different types of users:

  1. customer users
  2. admin users

Here, admin users already have some sort of additional privileges within your system.

Ex:
In a product, your admin may be able to add, delete, list and update users in the account, but your consumer users will only be able to list users, or maybe only view their own details; they have limited access to the account.

Now, that concept exists outside the concept of OAuth scopes.

What OAuth scopes do is this: if an admin user logs into an application, the admin user can grant that application limited access to their account.

That means, instead of granting the application permission to create users in a particular group, that user could grant the application read-only access to the group.
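The admin/customer example above and the earlier point that scopes are not a permission system, as an added example that is not part of the original post: a resource server has to pass two independent checks before serving a request. The token must carry the scope the operation needs, and the user the token acts for must be allowed to do that operation at all. The role names, scope names and sample tokens are constructed; the token dicts stand in for already-validated claims such as those returned by token introspection (RFC 7662).

```python
# Added example (not code from the original post): a resource server that
# combines the access token's granted scopes with the user's own privileges.
# Role names, scope names and the sample tokens are constructed.

# What each role may do in the product. This exists regardless of OAuth.
ROLE_PERMISSIONS = {
    "admin": {"users:list", "users:create", "users:update", "users:delete"},
    "customer": {"users:list"},
}

# Which scope an access token must carry for each API operation.
REQUIRED_SCOPE = {
    "users:list": "users.read",
    "users:create": "users.write",
    "users:update": "users.write",
    "users:delete": "users.write",
}


def authorize(token, operation):
    """Return (allowed, reason) for one API operation.

    `token` is the already-validated content of an access token, e.g. the
    claims from token introspection: the subject, the subject's role and
    the space-delimited 'scope' string. Both checks must pass. A scope can
    narrow what the application may do on the user's behalf, but it never
    adds a privilege the user does not have.
    """
    if operation not in REQUIRED_SCOPE:
        return False, "unknown operation"
    granted = set(token.get("scope", "").split())
    needed = REQUIRED_SCOPE[operation]
    # Check 1: did the user grant the application this scope?
    if needed not in granted:
        return False, f"token lacks scope {needed}"
    # Check 2: is the user themselves allowed to do this?
    role = token.get("role")
    if operation not in ROLE_PERMISSIONS.get(role, set()):
        return False, f"user role {role} may not {operation}"
    return True, "ok"


# Constructed sample tokens (introspection-style dicts, not real JWTs).
# An admin who gave the app read-only access to the account.
ADMIN_READ_ONLY = {"sub": "alice", "role": "admin", "scope": "users.read"}
# The same admin granting read and write.
ADMIN_FULL = {"sub": "alice", "role": "admin", "scope": "users.read users.write"}
# A customer who granted every scope the app asked for; still not an admin.
CUSTOMER_FULL_SCOPE = {"sub": "bob", "role": "customer", "scope": "users.read users.write"}

if __name__ == "__main__":
    samples = [("admin/read-only", ADMIN_READ_ONLY),
               ("admin/full", ADMIN_FULL),
               ("customer/full", CUSTOMER_FULL_SCOPE)]
    for name, tok in samples:
        for op in ("users:list", "users:create"):
            print(f"{name:16} {op:13} -> {authorize(tok, op)}")
```

The two refusals are worth comparing: the admin's read-only token is refused `users:create` because of the scope, while the customer's token is refused the same operation despite carrying `users.write`, because the scope check is only ever an extra gate in front of the application's existing authorization rules.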

Finally,

  • Scopes are a way for an application to request limited access to someone’s account.
  • Scopes are not a way to build a permission system.
  • It’s a way to limit what an access token can do within the context of what a user can already do.

So that's it…


An IT professional with over 7 years of experience. Member of the WSO2 Identity & Access Management Team.