Konubinix' opinionated web of thoughts

How to Deal With Permissions in OAuth2?

Fleeting

I already tackled a similar topic in what should I put into those scopes and access tokens claims?

But now that my point of view is different, I would like to add to this reflection.

First, let remember why do we need oauth in the first place.

It is a protocol that allow a resource owner to tell an authorization server that per consent that a third party client application can access a scoped set of resources.

If you want to deal with something that does not fit that picture, maybe OAuth 2 is not the good candidate.

Although, with some charitable interpretations, a lot of classical flows can be interpreted that way.

For instance, in the case the application is a first party, the user consent screen is optional and the scope is implicitly granted.

For instance, consider the classical admin role that can create, edit and remove other users.

In that case, you can assume that the application is a first party application and the admin’s resources are users. The scope could be scp=admin.