Added Guide chapter on Identity, Permissions and Scopes #17
Conversation
rhertogh
changed the title
|
@mtangoo @SOHELAHMED7 I've added a chapter in the guide on Identity, Permissions and Scopes. |
|
|
||
| > Note: Until now "scope" is never used and probably is not needed. | ||
| Only when we have multiple clients, let's say FEA1 and FEA2, that need a different access scope for the *same* user, | ||
| scopes come into play. |
There was a problem hiding this comment.
I think this is incorrect. As far as I know scopes are attached to access token and not clients.
Scopes are used from very beginning in OAuth 2.
I have used multiple access token with different scopes for same clients.
Example:
My app uses GitHub for login. OAuth 2 login. In addition to email+password. In that my app only request these scopes: read email + read basic profile info. If I login with GitHub I get access token which can only read user email and other basic profile info. With this token I cannot read user's private repo.
After login (by GitHub or email+password) my same app has this functionality: attach GitHub repo
My app allows users to host their project located in GitHub
When My app request GitHub to access repo I also add read_repo scope to the request. This time I get access token which allow me to read repo
So I have total 2 access token with different scopes.
There was a problem hiding this comment.
Hi, thanks for your extensive input.
The scope in the access token depends on the requested scope during the token request. The granting of scope however, is connected to the Client (for the specific user).
https://oauth.net/2/scope/ and https://www.oauth.com/oauth2-servers/scope/defining-scopes/
Does that resolve the concern you raised or did I miss something?
| { | ||
| if ( | ||
| !Yii::$app->user->can('user') | ||
| || !Yii::$app->getModule('oauth2')->requestHasScope('create_email') |
There was a problem hiding this comment.
`|| !Yii::$app->getModule('oauth2')->requestHasScope('create_email')`
&& !Yii::$app->getModule('oauth2')->requestHasScope('create_email')
There was a problem hiding this comment.
I think RBAC authorization and scopes based authorisation are different. We have to apply both
There was a problem hiding this comment.
@SOHELAHMED7 @mtangoo
If I'm not mistaken they are now required both because of the !, in other words:
If the user does not has the role 'user' or the request does not has the scope 'create_email' then throw the unauthorized exception.
Based on #12 (comment)