From: Krzysztof B. <kb...@un...> - 2021-10-04 13:50:15
Hi Zoltan,

On 01.10.2021 at 20:18, Zoltan Bakcsa wrote:
>
> Dear Unity forum,
>
> I have a couple of microservice-like software components which are supposed
> to cooperate through their respective APIs. These APIs require
> authentication and authorization.
>
> Since we already have Unity running in our infrastructure for user
> authentication, we would also use it for the authorization of these
> software components. The plan is to use OAuth - Client credentials grant.
> Originally I wanted to create an OAuth endpoint where I could create a
> client for each software component that requires authorization. My
> problem is that it does not seem to be possible to assign Scopes to
> individual clients, only for the OAuth endpoint. Scopes set on the
> Endpoint level are assigned to all clients underneath. As a result,
> all clients will have the same set of scopes, which is not what we want.
>
> Is it possible to assign scopes on a client level?
> If not, how should it work? Should each client have its own Identity
> Provider?

What you describe is mostly correct: at this point Unity allows for specifying available OAuth scopes per Identity Provider (or in OAuth lingo: Authorization Server) endpoint. This is the list of allowed scopes - a client can request a subset of those scopes. In the typical case that's enough, as the end-user can refuse to consent to the client if it requests too wide scopes. I agree that for the non-interactive client credentials grant this may be a limitation.

As of now you can set up multiple IdP endpoints - one for each client, with different scopes.

The other option would be to enrich Unity with the possibility to configure scopes which are allowed per each client individually. This would however require enhancement in code.

Kind regards,
Krzysztof
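As an added illustration of the limitation discussed in this thread (this is not Unity's code or configuration; the `Client`/`AuthzEndpoint` model, client names and scopes are constructed), a minimal client credentials token endpoint: with only an endpoint-level scope list, every client registered under it can obtain any of those scopes, whereas a per-client allow-list narrows what each client may request.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Client:
    client_id: str
    client_secret: str
    # None: no per-client list, the client inherits the endpoint's scopes
    # (the behaviour described in the thread); a set narrows it further.
    allowed_scopes: Optional[Set[str]] = None

@dataclass
class AuthzEndpoint:
    """One Authorization Server (IdP) endpoint with its endpoint-level scope list."""
    allowed_scopes: Set[str]
    clients: Dict[str, Client] = field(default_factory=dict)

    def client_credentials_token(self, client_id: str, client_secret: str,
                                 requested: Set[str]) -> dict:
        """Handle grant_type=client_credentials; returns a token or an RFC 6749 error."""
        client = self.clients.get(client_id)
        # Constant-time comparison; unknown client and wrong secret give the same answer.
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            return {"error": "invalid_client"}
        effective = self.allowed_scopes
        if client.allowed_scopes is not None:
            effective = effective & client.allowed_scopes
        if not requested <= effective:
            return {"error": "invalid_scope",
                    "rejected": sorted(requested - effective)}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": " ".join(sorted(requested))}

def demo() -> dict:
    """Constructed scenario: two service clients share one endpoint."""
    ep = AuthzEndpoint({"inventory:read", "inventory:write", "billing:read"})
    for c in (Client("inventory-svc", "s3cret-A"), Client("billing-svc", "s3cret-B")):
        ep.clients[c.client_id] = c
    # Endpoint-level scopes only: billing-svc can obtain inventory:write.
    shared = ep.client_credentials_token("billing-svc", "s3cret-B", {"inventory:write"})
    # Per-client allow-list (the enhancement discussed): the same request is refused.
    ep.clients["billing-svc"].allowed_scopes = {"billing:read"}
    narrowed = ep.client_credentials_token("billing-svc", "s3cret-B", {"inventory:write"})
    bad_secret = ep.client_credentials_token("billing-svc", "wrong", {"billing:read"})
    return {"shared": shared, "narrowed": narrowed, "bad_secret": bad_secret}
```

Until a per-client list exists, the one-endpoint-per-client workaround from the reply is the equivalent of setting each endpoint's `allowed_scopes` to exactly what its single client needs.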