https://kotlinlang.org logo
Join Slack
Powered by
Can someone explain OAuth to me please? I can't fi...
# getting-started
h
Can someone explain OAuth to me please? I can't find an appropriate channel so I post it here. When I look into KeyCloak and examples like the answer here: https://stackoverflow.com/questions/42186537/resources-scopes-permissions-and-policies-in-keycloak And then look at documentation like this https://api.slack.com/legacy/oauth-scopes I get very confused about the use of the word 
scope
in many different contexts. And how to use them for rights management. In KeyCloak there are 
client scopes
and inside a 
client
there is a tab 
Authorization
that also has 
scopes
let's call those 
authorization scopes
. The way I understood it is that 
client scopes
that map to the "scope" claim inside the token just denote what is inside this token like the email or the profile. You can assign 
client scopes
to control what claims are getting added to the token. Now there are 
authorization scopes
that together with permissions and depending on roles/groups can evaluate to PERMIT or DENY. These are often denoted with colons as in 
my:test:scope
. So I have a frontend, a backend, and a KeyCloak. According to keycloak the 
Role Type
policy 
Cancellation Access Policy
has the dependent 
scope based
permission 
Cancellation Access Permission
which in turn has the 
authorization scope
: 
myapp:mymodule:cancel
. But this information is not in the token. And I am at a loss at how to go on from here.
k
this is sooo offtopic... 🙂 anyway, this might not help, but oauth scopes != permissions !!!
h
Yes, sorry, I just don't know where to ask this (aside from making a full SO question). In my quest to understand it I found this article: https://auth0.com/blog/permissions-privileges-and-scopes/ Which really helped me, especially the part that some scopes are not related to permissions and privileges at all, like 
profile
and 
openid
for example. I am not fully sure how I connect the arbitrarily named scopes to the arbitrarily named permissions, but I do make progress.
k
in this slack #C09222272 can handle this 🙂
h
Oh thanks, I have not seen this one.
2 Views
Open in Slack
PreviousNext
Powered by