Oauth - Scope from an access request (Access Token|Grant)


1 - About

The scope parameter defines the scope of an access request (i.e. of an access token or grant).

Scopes are used to grant an application (client) different levels of access to data on behalf of the end user (owner).

Each authorization server may declare one or more scopes.


3 - Value

The value of the scope is expressed as a list of space-delimited, case-sensitive strings.

The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

scope       = scope-token *( SP scope-token )
scope-token = 1*( %x21 / %x23-5B / %x5D-7E )

The authorization server SHOULD document its scope requirements and default value (if defined).
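The grammar above is easy to get subtly wrong (a doubled space, a quote or a backslash inside a token are all invalid, and token order is irrelevant). The following parser is an added example, not code from the original page: it validates a scope value against the RFC 6749 ABNF and compares two values as sets. The function names and the sample inputs are this example's own.

```python
import re
from typing import FrozenSet

# RFC 6749 section 3.3:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# i.e. one or more printable ASCII characters except SP (%x20),
# double quote (%x22) and backslash (%x5C).
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")


def parse_scope(value: str) -> FrozenSet[str]:
    """Split a scope parameter value into its scope-tokens.

    Tokens are separated by exactly one SP and each must match the
    scope-token production. Order does not matter, so a set is returned.
    Raises ValueError on malformed input: empty value, doubled, leading or
    trailing spaces, or forbidden characters inside a token.
    """
    if not isinstance(value, str) or value == "":
        raise ValueError("scope must be a non-empty string")
    tokens = value.split(" ")
    for tok in tokens:
        # An empty token means two adjacent SPs (or a leading/trailing SP).
        if not SCOPE_TOKEN_RE.match(tok):
            raise ValueError(f"invalid scope-token: {tok!r}")
    return frozenset(tokens)


def is_valid_scope(value: str) -> bool:
    """True when the value conforms to the scope grammar."""
    try:
        parse_scope(value)
        return True
    except ValueError:
        return False


def same_scope(a: str, b: str) -> bool:
    """Two scope values are equivalent when they carry the same tokens,
    whatever their order. Comparison stays case-sensitive."""
    return parse_scope(a) == parse_scope(b)


if __name__ == "__main__":
    # Constructed sample values.
    print(sorted(parse_scope("openid profile read:messages")))
    print(same_scope("read write", "write read"))
    print(is_valid_scope('read "write"'))  # quote is not allowed in a token
```

A resource server that checks a token's scope should compare sets this way rather than comparing the raw strings, since "read write" and "write read" denote the same access.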

4 - Flow

4.1 - Request

The client can specify the scope of the access request at:

The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.

If the client omits the scope parameter when requesting authorization, the authorization server MUST either:

  • process the request using a pre-defined default value
  • or fail the request indicating an invalid scope.

4.2 - Response

In turn, the authorization server (i.e. the authorization endpoint and the token endpoint) uses the scope response parameter to inform the client of the scope of the access token issued.

See:

If the issued access token scope is different from the one requested by the client, the authorization server MUST include the scope response parameter to inform the client of the actual scope granted.
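The request rules (default or invalid_scope when the parameter is omitted, the server's freedom to ignore part of the request) and the response rule (the scope parameter becomes mandatory when the granted scope differs) fit together in one decision routine. The code below is an added example, not code from the original page or from any particular authorization server; the policy of silently dropping undeclared and owner-refused scopes, the data class, the function names and the sample scopes are this example's own choices.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ScopeDecision:
    """Outcome of the authorization server's scope evaluation."""
    granted: FrozenSet[str]            # scope the issued token will carry
    include_scope_param: bool          # response MUST carry 'scope' when True
    error: Optional[str] = None        # OAuth error code, e.g. 'invalid_scope'


def decide_scope(
    requested: Optional[str],
    declared: FrozenSet[str],
    default: Optional[FrozenSet[str]],
    owner_denied: FrozenSet[str] = frozenset(),
) -> ScopeDecision:
    """Apply the RFC 6749 section 3.3 scope rules at the authorization or token endpoint.

    requested    -- the client's 'scope' parameter, or None if it was omitted
    declared     -- the scopes this authorization server declares
    default      -- the pre-defined default scope, or None if none is defined
    owner_denied -- scopes the resource owner refused on the consent screen
    """
    # Client omitted 'scope': use the default or fail with invalid_scope.
    if requested is None:
        if not default:
            return ScopeDecision(frozenset(), False, "invalid_scope")
        # Nothing was requested, so whatever is issued differs from the
        # request: always tell the client what it actually got.
        return ScopeDecision(frozenset(default), True)

    requested_set = frozenset(requested.split(" "))
    # Policy chosen for this example: drop scopes the server does not
    # declare (the RFC lets the server partially ignore the request) and
    # scopes the resource owner refused, instead of rejecting outright.
    granted = (requested_set & declared) - owner_denied
    if not granted:
        # Nothing the client asked for can be honoured.
        return ScopeDecision(frozenset(), False, "invalid_scope")

    # The scope response parameter is mandatory only when the granted
    # scope differs from the requested one.
    return ScopeDecision(granted, granted != requested_set)


def scope_response_value(decision: ScopeDecision) -> Optional[str]:
    """Serialize the granted scope for the response (space-delimited).
    Returns None when the parameter may be omitted or an error is returned."""
    if decision.error or not decision.include_scope_param:
        return None
    return " ".join(sorted(decision.granted))


# Constructed sample data: a server declaring five scopes.
DECLARED = frozenset({"openid", "profile", "email", "read:messages", "write:messages"})

if __name__ == "__main__":
    # Client over-asks ("admin" is undeclared) and the owner refuses write access.
    d = decide_scope("read:messages write:messages admin", DECLARED,
                     frozenset({"openid"}), owner_denied=frozenset({"write:messages"}))
    print(d, scope_response_value(d))
```

The client side mirrors this: after a token response it should read the scope parameter when present and otherwise assume the scope it requested, then never present the token for access it was not granted.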

5 - Documentation / Reference

security/auth/oauth/scope.txt · Last modified: 2019/06/05 14:58 by gerardnico