When requesting scopes for both channels:read and identity.basic I get the following error:
Invalid permissions requested
Cannot request both identity scopes and other scopes at the same time
What's the solution for this? I'm interested in identifying if a user is an administrator and listing his channels. I'm requesting the identity.basic scope above as it's a prerequisite for the users:read scope. Do I really need to get the user to click "Authorize" twice for such a thing?
No. You do not to authorize twice. If you need additional scopes - because you want to access the API methods - you need to use the Add to Slack OAuth flow instead. That one will give you access to all scopes.
The Sign-in-with Slack OAuth flow is meant for quick user authentications only and does therefore not include any scopes that would require the user to confirm them (like users.read). So you can only user identity.* scopes for this flow as clearly stated in the documentation under Valid parameters / scope.
Related
I am building an app which authenticates via microsoft and needs various that predominantly uses Delegated permissions. I use the v2 auth endpoints to do incremental authentication, only asking for additional scopes when the user needs them.
This has worked well for the many delegated permissions I have so far. In many cases I need admin approval for these permissions, but I have a flow for that which works well.
One of the scopes I have used as a delegated permission is "User.Read.All", I now need the same scope on the application permission level. But I am struggling to work out if there is a way to do incremental authentication for application permissions. The docs say to use the generic endpoint where you don't specify scopes, but this then asks for all the scopes I have on my application registration rather than just passing in the scopes as a param.
It has nothing do with the endpoint and the scopes you specified. Since you use Delegated permissions in your original job, so I consider you use auth code flow or username/passord flow. If we use auth code flow or username/password flow, we can't get application permission when we do authentication although you have assign the application permissions to your registered app. If you want to get application permission when do authentication, you need to use client credential flow instead.
It is not possible to do this unfortunately the consent flow allows either a dynamic set of delegated scopes to be submitted or /.default which acts like the v1 endpoints and requests all scopes for that client. See these docs
In section 5.4 of the OIDC spec (https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) it says “The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints.”
As I read this, it seems straightforward, if you have any permissions which an API should respect, the you put them within the “scopes” claim of an access token.
However, both Auth0 and Okta put a users permissions within a custom claim. In Auth0s case, it puts a users permissions within a “permissions” claim and in Oktas case, they put them within a “groups” claim of the access token.
Because both of these identity providers put the permissions as a custom claim, it makes me think I am reading the spec wrong. Does anyone have thoughts or can clear up when to put permissions in a custom claim vs putting them in the scopes claim?
Scopes tend to be a high level permission such as 'read / write' or which API(s) the token can be used against. Claims are what your API needs to identify + authorize requests. Not all claims are included in access tokens. My write up here may help you to understand your choices:: https://authguidance.com/2017/10/03/api-tokens-claims
The difference here is the scopes for the token vs the permissions for the user. Some auth0 users will add users permissions in a custom claim to do things like gate content. The scopes in the token are explicitly describing what the token has access to.
This doc shows an example of the access token with scopes:
https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis#compare-the-tokens
Here is an example of adding permissions to a token via a custom claim (id token in this instance):
https://community.auth0.com/t/how-do-i-add-user-permissions-to-id-token/28611
I am asking a question conceptually here as I am trying to understand the relationship between scopes and user roles in an OAuth2 based system.
As I am implementing an API, I want to restrict access to specific resources by using scopes on the resources. I understand the use of access tokens to request resources, and I believe my understanding to be correct in that you specify your scope(s) when requesting the access token.
What I am not entirely sure of is how restriction of scopes would work based on specific roles that an authenticated user is in. Let's assume Bob is an admin and Sue is a regular user. We have some resources protected by an is_admin scope. What stops Sue from requesting (and receiving) is_admin scope in her access token?
I am thinking that what should happen is the following:
Bob authenticates.
Bob's roles are looked up after his authentication is complete. His "admin" role has the "is_admin" scope attached.
Bob asks for an access token with all the scopes collected from his various roles
Bob is automatically given those scopes for his access token
Is it up to my calling app to enforce only sending asking for the scope Bobs needs? Or is there something I am missing with regards to scopes?
Can someone please enlighten me with some simple examples?
In OAuth2, there are the following roles:
Resource owner - usually some person
Auth provider - the OAuth2 server
Resource server - an API that requires an access token and validates its scopes
Client application - application requesting an access token with some scopes.
To understand OAuth2, it's necessary to think about it as a protocol for access rights delegation from a Resource owner to a Client application. So the main use case is: the Client application wants to access the Resource server. In order to do that, the Client application needs an access token issued by the Auth provider and authorized by the Resource owner (which gets authenticated by the Auth provider).
In your description, the Client application is missing. Let's assume it's a frontend application for your API. It needs an access token with scopes admin-user-scope or regular-user-scope. So it redirect a user (Resource owner) to the Auth provider, requesting both scopes.
The Auth provider authenticates the user and asks him/her for a consent on granting some of the requested scopes to the Client application. The Auth provider may remove some scopes - for example the admin-user-scope for non-admins. The Auth provider may give the user a possibility to remove some scopes too.
The Client application receives an access token (or a grant) with scopes in a redirect URI. If the granted scopes differ from the requested scopes, the Auth provider sends a list of granted scopes (the scope URL parameter) along with the access token, so the Client application knows what actions it can perform with the access token.
Then the client application may access the Resource server and the Resource server makes sure that the provided access token contains required scopes. The Resource server uses the OAuth2 introspection endpoint to validate the token and to get a list of its scopes.
I use WSO2IS as an OIDC provider for authentication and authorization. Using Authentication Code grant, I got the access-token. I need to authorize the users to access specific services based on their roles.
I tried to use XACML to solve this, but I found that I need to pass base64 encoding of username:password in the header of REST API XACML request. Instead is there any way I can authorize the user to access services based on their roles, using access-token ?
This part of authorization happens in the resource server. I thought I could use the introspection endpoint to authorize the user based on the access token using scopes. But I don't understand how scopes can be used to provide access control to the users ?
To get an access token with all scopes available to a user, the OAuth2 client must request all scopes it cares about and the token will contain only those that the user has access to. See this question.
Yes, it's cumbersome, but OAuth2 is primarily an authorization delegation protocol - it allows users to delegate some of their rights (scopes) to a client.
Alternatively, if you could decide permissions based on roles, you could probably get a list of user roles from an ID token.
For example, let's say I have two features, one requires Google Contacts and one requires Google Calendar.
Let's also say that the first feature is heavily used, such that requesting that the user authorize both auth scopes results in a significant drop off rate.
If I store an access token for a user with contacts auth scope bound, what happens when later, I request an additional auth scope calendar for that user? Do I get back a new token with only calendar scope credentials?
LiveConnect says that scopes that supersede the existing scope results in a new token with the umbrella scope and the old token gets invalidated.
Assuming you're talking about authorization_code or implicit grant type flows, a new scope would need to be authorized by the user.
The user agent would be sent to the Authorization Server's authorization endpoint with the (now) required scopes. Required scopes should include the full set of scopes you need (old and new). The user would see the requested scopes, and then authorize them. For authorization_code grant type this results in an authorization code exchanged for a new access token representing the user's consent to the scopes. Implicit would simply return a new access token in the URL fragment. In any case, this new access token would supersede the existing one.
If you have refresh tokens involved - upon requesting a new access token with a refresh token you have the ability to dictate what scope is being requested. However that scope must be a subset of the original scope (see: OAuth 2.0 spec section 6) - extending it is not possible without user consent (assuming above flows).