  • client scope or client authorities to limit client access to resource


    I have deployed a project using OAuth 2.0 to protect an API that returns user information. The API is split into two types: public_profile and private_profile. public_profile is used to get general user profile data, whereas private_profile is used to get specific user profile data. In my existing project, I use client authorities like PUBLIC_PROFILE and PRIVATE_PROFILE to limit client access. At first client registration, the client is assigned the PUBLIC_PROFILE authority by default, and the client can ask the provider whether it may be given the capability to access the private profile. Is what I implemented in my project to limit clients using authorities correct?

    Many thanks

  • #2
    If I understand correctly what you are saying, I see no reason why you shouldn't use client authorities to control access to a resource. It might make sense to use OAuth2 scopes instead (or to limit the scopes a client can obtain based on its authorities, for instance), but it really doesn't matter since the details are not covered by the spec.


    • #3
      Thanks Dave for the answer

      For your information, I use this in my configuration, based on the Sparklr configuration:

      <!-- The OAuth2 protected resources -->
      <http pattern="/resources/**" entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
          access-decision-manager-ref="accessDecisionManager" xmlns="">
          <!-- private profile: client authority PRIVATE_PROFILE plus the read scope -->
          <intercept-url pattern="/resources/user_profile/private/**" access="ROLE_PRIVATE_PROFILE, SCOPE_READ" />
          <!-- public profile: the default authority every client gets, plus the read scope -->
          <intercept-url pattern="/resources/user_profile/public/**" access="ROLE_PUBLIC_PROFILE, SCOPE_READ" />
          <!-- the OAuth2 resource server filter validates the bearer token before the rules above run -->
          <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
          <access-denied-handler ref="oauthAccessDeniedHandler"/>
      </http>

      I use SCOPE_READ for APIs that get or read data, and SCOPE_WRITE for APIs that update (insert, delete) data.
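The access lists in the configuration above ("ROLE_PRIVATE_PROFILE, SCOPE_READ") only enforce role AND scope if the accessDecisionManager bean treats them that way. The following is an added model written for this thread, not Spring's or Sparklr's code: it reimplements the voting logic of a RoleVoter and a ScopeVoter in Python and runs the two intercept-url rules from the post through both an AffirmativeBased and a UnanimousBased manager (Sparklr is assumed here to wire the latter). All names (Token, role_voter, scope_voter, decide, ...) and the sample tokens are constructed for the illustration.

```python
"""Model of how a Spring Security <intercept-url access="..."> list is evaluated
by an access decision manager combining a RoleVoter and a ScopeVoter.
Added illustration for this thread, not Spring's code: the names Token,
role_voter, scope_voter, affirmative_based, unanimous_based, ant_match and
decide are ours, and the sample tokens are constructed."""
import re
from dataclasses import dataclass

ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ABSTAIN = 1, -1, 0

# The two intercept-url rules from the posted configuration (first match wins).
INTERCEPT_URLS = [
    ("/resources/user_profile/private/**", ["ROLE_PRIVATE_PROFILE", "SCOPE_READ"]),
    ("/resources/user_profile/public/**", ["ROLE_PUBLIC_PROFILE", "SCOPE_READ"]),
]


@dataclass
class Token:
    """What the resource server knows about a presented access token (model)."""
    authorities: set  # e.g. {"ROLE_PUBLIC_PROFILE"}
    scopes: set       # e.g. {"read"}


def role_voter(token, attributes):
    """Like RoleVoter: only ROLE_* attributes count; grant if any is held, else deny."""
    wanted = [a for a in attributes if a.startswith("ROLE_")]
    if not wanted:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if any(a in token.authorities for a in wanted) else ACCESS_DENIED


def scope_voter(token, attributes):
    """Like ScopeVoter: only SCOPE_* attributes count; grant if any is held, else deny."""
    wanted = [a[len("SCOPE_"):].lower() for a in attributes if a.startswith("SCOPE_")]
    if not wanted:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if any(s in token.scopes for s in wanted) else ACCESS_DENIED


VOTERS = [role_voter, scope_voter]


def affirmative_based(token, attributes):
    """AffirmativeBased: one GRANTED vote on the whole attribute list is enough.
    With a comma-separated access list that means role OR scope, not AND."""
    for voter in VOTERS:
        if voter(token, attributes) == ACCESS_GRANTED:
            return True
    return False  # only denies or abstentions (allowIfAllAbstainDecisions=false)


def unanimous_based(token, attributes):
    """UnanimousBased: voters are polled per attribute; a single DENIED vote
    anywhere rejects the request, so every listed attribute must be satisfied."""
    grants = 0
    for attribute in attributes:
        for voter in VOTERS:
            vote = voter(token, [attribute])
            if vote == ACCESS_DENIED:
                return False
            if vote == ACCESS_GRANTED:
                grants += 1
    return grants > 0


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '**' spans path segments, '*' stays within one."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def decide(path, token, decision_manager=unanimous_based):
    """Apply the first matching intercept-url; a path matching no rule is denied."""
    for pattern, attributes in INTERCEPT_URLS:
        if ant_match(pattern, path):
            return decision_manager(token, attributes)
    return False


if __name__ == "__main__":
    # Constructed tokens: a freshly registered client, and one granted private access.
    public_only = Token({"ROLE_PUBLIC_PROFILE"}, {"read"})
    private_ok = Token({"ROLE_PUBLIC_PROFILE", "ROLE_PRIVATE_PROFILE"}, {"read"})
    for name, tok in (("public-only client", public_only), ("private client", private_ok)):
        for manager in (unanimous_based, affirmative_based):
            print(name, manager.__name__, "private profile ->",
                  decide("/resources/user_profile/private/42", tok, manager))
```

Two things worth checking in a real deployment of this pattern: which decision manager class the accessDecisionManager bean actually is (a public-only client reaches the private profile under AffirmativeBased, as the model shows), and whose authorities the RoleVoter sees when a user-authorised token is presented, since the authorities exposed by the OAuth2 authentication object may be the resource owner's rather than the client's depending on the grant and library version.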