How to use OAuth 2.0 roles and scopes to secure services

oauth2

I have secured a REST API using OAuth 2.0 security, and I am not sure on how to configure security access using roles or scopes.

There will be three types of clients:

Public mobile app client used by end-users that can access their
profile, data, etc. (using password grant type). By "public" I mean that the app is intended from any user and available to any user from Google Store, etc.)
Non-public administration client used only from me for administrative
purposes that can access administrative services not allowed to be
used by normal users (using client_credentials grant type).
Non-public third-party client (using client_credentials grant type) that will use some services created specifically for them.

Should I just create three different roles, User, Admin and ThirdPartyX and secure services with 'oauth2.clientHasRole' rules? Or should I create different scopes and do not care about roles? Is there a general rule of thumb on where would I use roles or scopes in general?

Best Answer

There is usually no golden right way for the problem. However, there are a few guidelines:

Use the scope request parameter as indicated in the IETF standard.

Use the claim in the JWT payload with an HMAC256 signature to verify the claims are issued by the server.

Map your roles permissions data to an RBAC database schema (but we usually use MongoDB with NoSQL).

Related Solutions

How to integrate Laravel passport, oauth scopes and roles and permissions

This answer seems to help with it. https://stackoverflow.com/questions/39436509/laravel-passport-scopes

When you're authenticating the user, check the database for roles and permissions. Then add the scopes to the request like they do.

$request->request->add([
    'scope' => 'read-only-order' // read-only order scope for other user role
]);

REST API OAuth 2 – Choosing the Right Grant Type

Your business logic assumes that an end user is the only type of identity which can perform actions (e.g. Inserting records). It turns out that assumption is false, and you have a second sort of identity - a client application. I can see a couple of options:

Create a fake / pseudo user to represent the client application, i.e. a service account. Give the user whatever settings needed to have the system behave as expected, but make sure that it's not possible for real users to log in as this pseudo-user, and maybe hide the user from management screens. You can then either put this user's details in your access token, or have the api look up this user's details when it gets an access token.

What you probably want though is for your business logic to recognize both users and client applications as valid identity types - if we squint a little and rename the users table to "identities", that's sort of what we did with by creating fake / pseudo users. Depending on your code / database structure however you may find it easier to update your code and leave your users table as-is.

Best Answer

Related Solutions

How to integrate Laravel passport, oauth scopes and roles and permissions

REST API OAuth 2 – Choosing the Right Grant Type

Related Topic