I've tried to request a token without a scope using the resource owner flow but got "invalid_scope". Why does IdentityServer3 require a scope for this flow when the OAuth spec says it is optional?
Currently building a microservice for handling auth-related stuff using OIDC.
Now we are thinking about access control and how to be as future-proof as possible. This auth server is only used for first-party applications (3x SPA, 2x native mobile app). On mobile, we use the authorization_code grant. Each resource server validates the supplied token (access token as JWT) itself. But what happens when (in the future) we add a service which needs its own scope to check (e.g. notifications:read)? As mobile app users are not used to logging in and out every time (updating the requested scopes via an app update would be a bad solution), is there any sweet solution to manage this scenario?
Per the specification, it's possible to change the required scopes when refreshing a token, but this is limited to requesting fewer scopes than originally requested, not more, so that's not an option.
For example, Facebook provides only four scopes for Instagram, e.g. instagram_basic or instagram_content_publish. Zalando, for example, includes only a scope NORMAL_USER in their tokens, whereas Wolt includes the user's roles as a claim.
I think there is some confusion as this scenario is not covered directly by OAuth2 or OIDC. What are your thoughts about this?
There is one standard for doing OAuth 2.0 Incremental Authorization, but your challenge is to find a token provider that supports it or similar standards.
In a microservice architecture, the question is whether you should use the access token from the authorization code flow everywhere, or whether, for service-to-service communication, you should use the client credentials flow instead.
See also https://www.gmass.co/blog/oauth-incremental-authorization-is-useless/
It seems like you could use Token Exchange for that.
For example, it could work like this: whenever your resource server gets a token without the notifications:read scope, issued before date x (i.e. before you started issuing that scope), it performs an exchange with the authorization server and (if the server decides that it can perform the exchange) it gets a new access token that contains that scope. If the token was issued after date x, you can safely assume that the token was not granted this scope.
Another solution would be to use claims for authorization decisions instead of scopes. The authorization server can issue, e.g., a claim notifications_read: true, or something like that. Whenever you refresh tokens, you can issue more claims in the new access token; the spec does not prevent that. Then your resource servers should check claims in the access token; they can ignore scopes. The resource server would just check whether the token contains the notifications_read claim with value true, or not. This solution gets a bit more complicated if you require your users to give consent to scopes, but as you said you're using this only for first-party apps, I assume you're not using consent screens.
You can have a look at this free course - this topic of using claims in authorization is covered in part 4.
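The two approaches in the answer above, as an added example that is not code from the answer or from any authorization server: a resource server that first checks the scope, falls back to a token exchange only for tokens issued before the scope existed, and, separately, a claims-based check that ignores scopes entirely. The SCOPE_INTRODUCED_AT value (the "date x"), the exchange_token() stand-in for the RFC 8693 round trip, and the sample tokens are all hypothetical; the tokens are assumed to be signature-checked and decoded already.

```python
"""Resource-server authorization for a scope that was introduced after some
access tokens were issued: scope check + issuance-date rule + token exchange,
and a claims-based alternative. Added example; hypothetical values are marked."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

REQUIRED_SCOPE = "notifications:read"
# "Date x": when the authorization server began issuing the new scope (hypothetical).
SCOPE_INTRODUCED_AT = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())
# Constructed policy for the exchange stand-in: only these subjects get the scope.
EXCHANGE_ALLOWED_SUBJECTS = {"alice"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    token: dict  # the token actually evaluated (the exchanged one, if any)


def scopes_of(token: dict) -> set:
    """Accept both encodings seen in practice: a space-delimited string
    (RFC 9068 style) and a JSON array (IdentityServer style)."""
    raw = token.get("scope", "")
    return set(raw) if isinstance(raw, list) else set(raw.split())


def exchange_token(token: dict, wanted: str) -> Optional[dict]:
    """Stand-in for an RFC 8693 token exchange. A real resource server would
    POST the token to the authorization server and get a new token or an error."""
    if token.get("sub") not in EXCHANGE_ALLOWED_SUBJECTS:
        return None
    new = dict(token)
    new["scope"] = " ".join(sorted(scopes_of(token) | {wanted}))
    new["iat"] = SCOPE_INTRODUCED_AT  # re-issued after date x, so its scopes are authoritative
    return new


def authorize_by_scope(token: dict) -> Decision:
    """Scope-based check with the issuance-date rule from the answer above."""
    if REQUIRED_SCOPE in scopes_of(token):
        return Decision(True, "scope present", token)
    iat = token.get("iat")
    if not isinstance(iat, int):
        return Decision(False, "no usable iat claim, failing closed", token)
    if iat >= SCOPE_INTRODUCED_AT:
        # The server was already issuing this scope: its absence means it was not granted.
        return Decision(False, "scope not granted", token)
    # Older token: absence proves nothing, so ask the authorization server.
    exchanged = exchange_token(token, REQUIRED_SCOPE)
    if exchanged is not None and REQUIRED_SCOPE in scopes_of(exchanged):
        return Decision(True, "scope obtained via token exchange", exchanged)
    return Decision(False, "exchange refused", token)


def authorize_by_claim(token: dict, claim: str = "notifications_read") -> bool:
    """Claims-based check: scopes are ignored; only a JSON boolean true counts."""
    return token.get(claim) is True


if __name__ == "__main__":
    day = 86400
    # Constructed sample tokens (already verified and decoded).
    samples = {
        "old token, alice": {"sub": "alice", "scope": "openid profile", "iat": SCOPE_INTRODUCED_AT - day},
        "old token, bob": {"sub": "bob", "scope": ["openid", "profile"], "iat": SCOPE_INTRODUCED_AT - day},
        "new token, no scope": {"sub": "alice", "scope": "openid profile", "iat": SCOPE_INTRODUCED_AT + day},
        "claim-based token": {"sub": "carol", "notifications_read": True, "iat": SCOPE_INTRODUCED_AT + day},
    }
    for name, tok in samples.items():
        d = authorize_by_scope(tok)
        print(f"{name:22} scope check: {d.allowed} ({d.reason}); claim check: {authorize_by_claim(tok)}")
```

Note that the date rule only holds if the resource server can trust `iat`, which is why a token without a usable `iat` is rejected rather than sent for exchange; and the claim check deliberately accepts only a JSON `true`, not the string "true".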
In most typical OAuth2 use cases, the scope is used with the resource owner password grant type or the authorization code flow, where a user login is required.
It seems that scope is mainly used to control access to users' resources. For example, to authorize a third-party client to access the resource owner's (user's) resources at another server.
In some cases, the user is not present. For example, a company wants to provide an API for another company only. Client credentials are being used. Most API gateway products have a subscriber management option to control which client ID can access which APIs. In that case, is it still meaningful to use OAuth scopes to manage access to APIs? Why?
Besides, I cannot find any examples using scopes along with the client credentials grant type. Is it a rare use case?
The Client Credentials grant type is used to access protected resources that both sides own/control/trust.
Scopes are supported by this grant type. They are typically not used because the trust is already there and limiting that trust via scopes is not required.
In other words, the reason that scopes are not used is that if the trust is not there, other grant types are more appropriate.
I am trying to understand IdentityServer3 and the different terms associated with it in order to secure my Web APIs. Can someone explain the significance of Scope in IdentityServer with some good examples?
I found this link, but the idea is not clear.
Thanks in advance!
Scope
It's safe to say that a Scope is a kind of role for accessing a specific set of resources, IMHO. IdentityServer has two scope types; the ScopeType enum is defined and described as 'OpenID Connect scope types.'
Identity Scope: representing identity data (e.g. profile or email)
For example, if you have a profile identity scope, then clients with this scope can get the profile data from an identity provider (e.g. IdentityServer).
Resource Scope: representing a resource (e.g. a web API)
For example, if clients have a calendar resource scope, then they can call a /get/calendar/months web API and get the resources.
Scope will be included as a claim when an HTTP request with an access token is in flight and will be further validated at the validation stage for the access token.
Of course, the client should be added prior to running IdentityServer, and the proper scopes should be specified in AllowedScopes, a member of the Client class in IdentityServer.
The better resource for learning about OAuth2 is the IETF, and for OpenID Connect it is openid.net.
IdentityServer is an implementation of OAuth2 and OpenID, so its documentation will not cover the basics related to OAuth2 and OpenID.
To understand scopes, you should first have a clear understanding of clients.
Client: models an OpenID Connect or OAuth2 client (not your client application), and it should have a clear flow; for example, you define a client which uses the implicit flow.
The flow is the way that you should follow in order to get the needed data, for example access_token and id_token.
All flows can be used in any case, but there are recommended flows for every case.
For example, up until now it was recommended that you use the implicit flow with native and JavaScript clients. Recently, though, this has changed to Authorization Code with PKCE. See Identity Server's blog post on this change to the IETF/OpenID recommendations.
Scopes: model OpenID Connect (identity scopes like email, given_name etc.) or OAuth2 (resource scopes like your Web API whose data you want to protect) scopes.
You can think about scopes as the intent of the client, for example: the client asks the resource owner to grant it access to the openid scopes given_name, email & preferred_username and the OAuth2 scope WebApi.
For full understanding:
1- Pluralsight - Building and Securing a RESTful API for Multiple Clients in ASP.NET
2- Pluralsight - OAuth2 and OpenID Connect Strategies for Angular and ASP.NET
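An added example, not IdentityServer's code, tying together the client credentials answer earlier on this page (scopes are supported by that grant) and the two answers above about identity versus resource scopes and AllowedScopes: a minimal token endpoint whose client registry bounds what each client may request, returning invalid_scope for anything outside it. The CLIENTS and USERS registries, the scope names, the HS256 demo key and the issuer are hypothetical. Whether an omitted scope is defaulted or rejected (the behaviour asked about in the first question on this page) is left to the server by RFC 6749 section 3.3; this example defaults to the client's full allowed set, which is an assumption, not a statement about IdentityServer3.

```python
"""Minimal OAuth2 token endpoint: client_credentials and password grants,
with each client's AllowedScopes bounding the requested scope.
Added example with constructed registries; not IdentityServer's code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

IDENTITY_SCOPES = {"openid", "profile", "email"}      # identity data, needs a user
RESOURCE_SCOPES = {"calendar", "notifications:read"}   # APIs

# Constructed registry standing in for IdentityServer's Client objects.
CLIENTS = {
    "b2b-service": {
        "secret": "b2b-demo-secret",
        "grant_types": {"client_credentials"},
        "allowed_scopes": {"calendar"},
    },
    "mobile-app": {
        "secret": "mobile-demo-secret",
        "grant_types": {"password"},
        "allowed_scopes": {"openid", "profile", "calendar"},
    },
}
USERS = {"alice": "alice-demo-password"}   # constructed resource owners
SIGNING_KEY = b"constructed-demo-key"      # a real server uses a managed, rotated key
ISSUER = "https://auth.example"            # hypothetical issuer


class TokenError(Exception):
    """An RFC 6749 section 5.2 error response."""
    def __init__(self, error: str, description: str = ""):
        super().__init__(error)
        self.error = error
        self.description = description


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_jwt(claims: dict) -> str:
    """HS256 JWT built from the standard library only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def token_endpoint(form: dict) -> dict:
    """Handle an already-decoded application/x-www-form-urlencoded token request."""
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
        raise TokenError("invalid_client")
    grant = form.get("grant_type", "")
    if grant not in ("client_credentials", "password"):
        raise TokenError("unsupported_grant_type")
    if grant not in client["grant_types"]:
        raise TokenError("unauthorized_client", f"{grant} is not enabled for this client")
    if grant == "password":
        user, pw = form.get("username", ""), form.get("password", "")
        if user not in USERS or not hmac.compare_digest(USERS[user], pw):
            raise TokenError("invalid_grant")
        subject = user
    else:
        subject = form["client_id"]  # no resource owner: the client itself is the subject

    requested = set(form.get("scope", "").split())
    if not requested:
        requested = set(client["allowed_scopes"])  # assumption: default to the full allowed set
    unknown = requested - IDENTITY_SCOPES - RESOURCE_SCOPES
    if unknown:
        raise TokenError("invalid_scope", "unknown scope(s): " + " ".join(sorted(unknown)))
    disallowed = requested - client["allowed_scopes"]
    if disallowed:
        raise TokenError("invalid_scope", "not in AllowedScopes: " + " ".join(sorted(disallowed)))
    if grant == "client_credentials" and requested & IDENTITY_SCOPES:
        # Identity scopes describe a user; a machine-to-machine grant has none.
        raise TokenError("invalid_scope", "identity scopes require a resource owner")

    now = int(time.time())
    claims = {"iss": ISSUER, "sub": subject, "client_id": form["client_id"],
              "scope": " ".join(sorted(requested)), "iat": now, "exp": now + 3600}
    return {"access_token": mint_jwt(claims), "token_type": "Bearer",
            "expires_in": 3600, "scope": claims["scope"]}


def error_of(form: dict) -> Optional[str]:
    """Return the error code a request would produce, or None if it succeeds."""
    try:
        token_endpoint(form)
        return None
    except TokenError as e:
        return e.error


if __name__ == "__main__":
    b2b = {"grant_type": "client_credentials", "client_id": "b2b-service",
           "client_secret": "b2b-demo-secret"}
    print("granted scope:", token_endpoint(b2b)["scope"])
    print("unlisted scope ->", error_of(dict(b2b, scope="notifications:read")))
    print("identity scope on client_credentials ->", error_of(dict(b2b, scope="openid")))
```

The order of the checks matters: client authentication and grant eligibility come before any scope evaluation, so an unauthenticated caller cannot probe which scope names exist from the error responses.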
My needs:
Let's consider 2 end-users of the same domain.
User UA is the resource owner of resource RA.
User UA wants to delegate access of resource RA to end-user UB.
My main OAuth 2.0 interest comes from total token control (revocation at any time, etc.).
The OAuth 2.0 Framework allows a client to act on behalf of a resource owner with its explicit permission.
OAuth 2.0 defines resource owner and client roles (see the roles section) where:
Resource owner can be an end-user (that can grant access to a protected resource).
Client is an application making protected resource requests on behalf of the resource owner.
In the spec, the client is always considered as an application (with no particular implementation characteristics).
I would like to know if it is ok to implement OAuth 2.0 with an end-user as the client role or am I abusing OAuth completely?
My intuition is that OAuth 2.0 is only designed for third-party applications (with interoperability) and not for 2 end-users of the same domain. Am I right? On the other hand, all the token mechanisms really fit my needs.
PS: This expired OAuth specification (2010) talks about delegating authorization by a Resource Owner to another user via a Client using the OAuth protocol. But it's not that relevant.
I would like to know if it is ok to implement OAuth 2.0 with an end-user as the client role or am I abusing OAuth completely?
Well, it is only an opinion of mine, but if, say, Buffer can represent me posting my content to Facebook using OAuth, why can't my friend Jack (a human, not a robot)?
Of course, you must think it all over, especially in terms of security. But the abstract scheme looks fine by me.
Where can we specify the Auth Type for an API resource in WSO2 AM 1.7?
In the documentation https://docs.wso2.com/display/AM170/Adding+Documentation+Using+Swagger it says that it can be defined when adding the resource, but those options are completely different.
The auth types that are available are shown in the Auth Type column of the API Resources section. These are the auth types available for the Resource Owner OAuth grant type. You cannot change these auth types as they are based on the OAuth spec.