Closed vivekvj01 closed 3 months ago
Hi @vivekvj01,
I am a Heroku add-on provider (Advanced Scheduler).
This GitHub issue was brought to my attention by Heroku Support while discussing a new Heroku add-on that we are working on:
Billing Alarm
As the name suggests, this add-on needs access to the Invoice Info and Team Invoice Info endpoints of the Heroku Platform API through an OAuth Authorization created by a Heroku user.
Currently this can only be achieved by creating an Authorization with the global scope. This is a big no-go for us.
We need the ability for a Heroku user to create an Authorization with a custom set of permissions / scope that allows us to do the above and nothing else.
In a world where cyber security is paramount, fine-grained access control is a relatively simple, but powerful feature.
This would also greatly lower the threshold for Heroku users to integrate with third party applications, because they trust the provided Authorization token can only be used within its limited scope.
I am happy to provide more information about the use case and my take on this.
Other GitHub users have made great points here as well
https://github.com/orgs/heroku/projects/130/views/9?pane=issue&itemId=8567251
Thanks for the feedback, we are looking at adding a more scoped approach to OAuth.
Hi @vivekvj01, please let me know if any steps forward are made. I am very happy to be a beta reviewer.
@oavanruiten we will engage you once we have a beta version of more granular oauth scopes. This work is however we are working on enabling 3rd party OAuth for Heroku teams https://devcenter.heroku.com/articles/authenticator-apps
@vivekvj01 Thank you for the update. Good to see this has been moved to "Working on it" 👍
However, I think you were caught up in thoughts when writing your last sentence. Can you please rephrase it?
Hi, we have just released this feature for online customers: https://devcenter.heroku.com/articles/preview#limit-access-to-apps-via-oauth. I believe what you are looking for is more granular controls and scoping for OAuth.
I have moved your request to this Roadmap item https://github.com/orgs/heroku/projects/130/views/9?pane=issue&itemId=72274628
Please let me know if that provides the clarity
Hi @vivekvj01
Yes, I do not think this new feature helps us achieve our goal of creating custom scoped Authorization tokens. Or I might be missing something?
Thanks @oavanruiten, yes, this new feature that I have logged will help with that. https://github.com/orgs/heroku/projects/130/views/9?pane=issue&itemId=72274628
This particular one is related to expanding this feature, which was available to enterprise customers, to pay-as-you-go customers. https://devcenter.heroku.com/articles/oauth#limit-access-to-apps-via-oauth
This feature that was available to enterprise customers is not available for pay-as-you-go customers. https://devcenter.heroku.com/articles/oauth#limit-access-to-apps-via-oauth
Required Terms
What service(s) is this request for?
Provide online customers the ability to control if Third party applications are permitted to access the Heroku Platform API using credentials of users in this Heroku Team.