Open MartinFlores751 opened 8 months ago
Perhaps even allow the oidc scope to be optional?
This is an interesting feature. But how would this in practice be used? Usually a bearer token contains scopes to communicate to the API server that not only has it been authorized to access the API, but also to limit which API ops/actions the bearer can execute. If what a bearer token can do is dictated by its irods_user_claim, with a hypothetical scope called only-data-objects for instance, would then the API have to restrict access to all collections endpoints?
We haven't spent any time thinking through the details due to other priorities, but we'll address this once work on 0.4.0 begins.
We should allow the user to specify additional scopes along with the default oidc scope for further flexibility.
Example (Implementation may be different):