irods / irods_client_http_api

An iRODS C++ HTTP API using Boost.Beast
BSD 3-Clause "New" or "Revised" License

Allow customization of Access Token Scope #248

Open MartinFlores751 opened 8 months ago

MartinFlores751 commented 8 months ago

We should allow the user to specify additional scopes along with the default oidc scope for further flexibility.

Example (Implementation may be different):

"openid_connect": {
  "additional_scopes": ["irods", "custom", "misc"]
}

MartinFlores751 commented 8 months ago

Perhaps even allow the oidc scope to be optional?

ll4strw commented 6 months ago

This is an interesting feature. But how would this in practice be used? Usually a bearer token contains scopes to communicate to the API server that not only has it been authorized to access the API, but also to limit which API ops/actions the bearer can execute. If what a bearer token can do is dictated by its irods_user_claim, with a hypothetical scope called only-data-objects for instance, would then the API have to restrict access to all collections endpoints?
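A sketch, added here and not code from irods_client_http_api or any commenter, of the two pieces the thread touches: assembling the OIDC scope request from a configured additional_scopes list (with openid kept mandatory or made optional, as the second comment asks), and a default-deny scope-to-endpoint policy illustrating ll4strw's hypothetical only-data-objects scope. The policy table, endpoint paths and function names are assumptions for illustration.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical helper: build the OIDC "scope" request parameter from the
// configured additional_scopes list. "openid" is requested first unless the
// deployment opts out, and duplicates are dropped while preserving order.
std::string build_scope_parameter(const std::vector<std::string>& additional_scopes,
                                  bool require_openid = true)
{
    std::vector<std::string> ordered;
    std::set<std::string> seen;
    auto add = [&](const std::string& s) {
        if (!s.empty() && seen.insert(s).second) ordered.push_back(s);
    };
    if (require_openid) add("openid");
    for (const auto& s : additional_scopes) add(s);

    std::string out;
    for (std::size_t i = 0; i < ordered.size(); ++i) {
        if (i) out += ' ';
        out += ordered[i];
    }
    return out;
}

// Hypothetical scope-to-endpoint policy (assumed, not the project's): a token
// carrying "only-data-objects" may reach /data-objects but not /collections.
// Endpoints absent from the table are denied, so the default is deny.
bool scope_permits_endpoint(const std::set<std::string>& token_scopes,
                            const std::string& endpoint)
{
    static const std::map<std::string, std::set<std::string>> policy{
        {"/data-objects", {"irods", "only-data-objects"}},
        {"/collections",  {"irods"}},
    };
    auto it = policy.find(endpoint);
    if (it == policy.end()) return false;
    for (const auto& required : it->second)
        if (token_scopes.count(required)) return true;
    return false;
}
```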

korydraughn commented 6 months ago

We haven't spent any time thinking through the details due to other priorities, but we'll address this once work on 0.4.0 begins.