client scope or client authorities to limit client access to resource
  • client scope or client authorities to limit client access to resource

    Hi,

    I have deployed a project that uses OAuth 2.0 to protect an API for getting user information. The API is split into two types: public_profile and private_profile. Public_profile is used to get general user profile data, whereas private_profile is used to get specific user profile data. In my existing project, I use client authorities like PUBLIC_PROFILE and PRIVATE_PROFILE to limit client access. At first client registration, the client is assigned the PUBLIC_PROFILE authority by default, and the client can ask the provider if it wants the capability to access the private profile. Is what I have implemented in my project, limiting clients using authorities, correct?

    Many thanks
    Dimas

  • #2
    If I understand correctly what you are saying, I see no reason why you shouldn't use client authorities to control access to a resource. It might make sense to use OAuth2 scopes instead (or to limit the scopes a client can obtain based on its authorities, for instance), but it really doesn't matter since the details are not covered by the spec.



    • #3
      Thanks, Dave, for the answer.

      For your information, I use this in my configuration, based on the Sparklr configuration:

      <!-- The OAuth2 protected resources -->
      <http pattern="/resources/**" entry-point-ref="oauthAuthenticationEntryPoint"
            authentication-manager-ref="emptyAuthenticationManager"
            access-decision-manager-ref="accessDecisionManager"
            xmlns="http://www.springframework.org/schema/security">
          <!-- Whether the comma-separated access attributes are ANDed or ORed is decided by the
               referenced accessDecisionManager bean (UnanimousBased vs AffirmativeBased), which
               is defined outside this fragment. -->
          <intercept-url pattern="/resources/user_profile/private/**" access="ROLE_PRIVATE_PROFILE, SCOPE_READ" />
          <intercept-url pattern="/resources/user_profile/public/**" access="ROLE_PUBLIC_PROFILE, SCOPE_READ" />
          <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
          <access-denied-handler ref="oauthAccessDeniedHandler" />
      </http>

      I use SCOPE_READ for APIs that get or read data, and SCOPE_WRITE for APIs that update (insert, delete) data.

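The following is an added example, not code from either poster or from Spring Security OAuth. It models the two points raised in this thread in one place: Dave's suggestion in #2 of limiting the scopes a client can obtain based on its authorities (here done at token issuance), and how the `access="ROLE_PRIVATE_PROFILE, SCOPE_READ"` rules from #3 are evaluated by a RoleVoter plus ScopeVoter under the two access decision managers Spring Security offers. The client registry, the authority-to-scope policy and the rule table are constructed for the example, and it assumes the client's authorities end up on the authentication that reaches the resource server (as with the client credentials grant).

```python
"""Added example: client authorities gating scopes, and how the
"ROLE_X, SCOPE_Y" intercept rules from post #3 get evaluated.
Not Spring's code; a model of its RoleVoter/ScopeVoter and of the
AffirmativeBased vs UnanimousBased decision managers."""
from dataclasses import dataclass

ROLE_PREFIX = "ROLE_"
SCOPE_PREFIX = "SCOPE_"

# Constructed client registry (assumption): as in post #1, every client gets
# PUBLIC_PROFILE at registration and PRIVATE_PROFILE only after the provider approves it.
CLIENT_AUTHORITIES = {
    "app-a": {"ROLE_PUBLIC_PROFILE"},
    "app-b": {"ROLE_PUBLIC_PROFILE", "ROLE_PRIVATE_PROFILE"},
}

# Constructed policy (assumption) for Dave's suggestion: which scopes an authority unlocks.
SCOPES_BY_AUTHORITY = {
    "ROLE_PUBLIC_PROFILE": {"read"},
    "ROLE_PRIVATE_PROFILE": {"read", "write"},
}

# Constructed rule table mirroring the two <intercept-url> lines from post #3.
RULES = [
    ("/resources/user_profile/private/", ["ROLE_PRIVATE_PROFILE", "SCOPE_READ"]),
    ("/resources/user_profile/public/", ["ROLE_PUBLIC_PROFILE", "SCOPE_READ"]),
]


@dataclass(frozen=True)
class Token:
    client_id: str
    scopes: frozenset
    authorities: frozenset


def issue_token(client_id, requested_scopes):
    """Authorization-server side: refuse any scope the client's authorities do not unlock."""
    authorities = CLIENT_AUTHORITIES[client_id]
    allowed = set().union(*(SCOPES_BY_AUTHORITY[a] for a in authorities))
    extra = set(requested_scopes) - allowed
    if extra:
        raise PermissionError(f"{client_id} may not request scope(s) {sorted(extra)}")
    return Token(client_id, frozenset(requested_scopes), frozenset(authorities))


def role_vote(token, attributes):
    """RoleVoter model: abstain (None) unless a ROLE_ attribute is present;
    grant (True) if any ROLE_ attribute matches an authority, else deny (False)."""
    result = None
    for attr in attributes:
        if attr.startswith(ROLE_PREFIX):
            result = False
            if attr in token.authorities:
                return True
    return result


def scope_vote(token, attributes):
    """ScopeVoter model: same shape as role_vote but for SCOPE_ attributes;
    the comparison is case-insensitive, scopes are kept lower-case here."""
    result = None
    for attr in attributes:
        if attr.startswith(SCOPE_PREFIX):
            result = False
            if attr[len(SCOPE_PREFIX):].lower() in token.scopes:
                return True
    return result


VOTERS = (role_vote, scope_vote)


def decide_affirmative(token, attributes):
    """AffirmativeBased: the whole attribute list goes to each voter; any grant wins.
    So "ROLE_PRIVATE_PROFILE, SCOPE_READ" passes on scope alone."""
    return any(v(token, attributes) is True for v in VOTERS)


def decide_unanimous(token, attributes):
    """UnanimousBased: each attribute is put to every voter on its own; any deny loses.
    So the comma list behaves as AND."""
    granted = False
    for attr in attributes:
        for v in VOTERS:
            vote = v(token, [attr])
            if vote is False:
                return False
            if vote:
                granted = True
    return granted


def check(token, path, decide):
    """Resource-server side: first matching rule wins; no rule means deny."""
    for prefix, attrs in RULES:
        if path.startswith(prefix):
            return decide(token, attrs)
    return False


if __name__ == "__main__":
    public_only = issue_token("app-a", ["read"])
    private = "/resources/user_profile/private/42"
    print("unanimous  :", check(public_only, private, decide_unanimous))    # False
    print("affirmative:", check(public_only, private, decide_affirmative))  # True
```

Running it shows the caveat that matters for the configuration in #3: with an AffirmativeBased decision manager, a client holding only PUBLIC_PROFILE but a `read` scope reaches the private profile, because the ScopeVoter's grant is enough on its own. The rule only means "PRIVATE_PROFILE and read" under UnanimousBased, so whichever way the `accessDecisionManager` bean is defined should be checked against that expectation. Gating scope issuance by authority, as in `issue_token`, closes the same gap from the authorization-server side.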