Reputation: 9465
I was going through the following article on authorization:
https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/02-authorization
It sort of confused me a bit.
Auth0 uses a scope claim for expressing authorization of endpoint actions.
The OAuth 2.0 scope parameter is also used for the same purpose, e.g. Slack describes its scopes at the following link:
https://api.slack.com/docs/oauth-scopes
What would be their use cases? When would I prefer using the JWT scope claim that is part of the OAuth 2.0 access_token (in this case the access_token not being opaque) instead of the OAuth 2.0 scope parameter?
Upvotes: 0
Views: 3647
Reputation: 57718
The OAuth 2.0 scope parameter is defined within the specification as a way for the client application to request specific access and then be informed by the authorization server of which access was indeed granted.
Both scenarios you mentioned seem pretty consistent with this use case: a way to specify the access/permissions you were granted.
The big difference is that in one case by-value tokens (JWT) are being used and the other uses by-reference tokens (opaque). If the token is self-contained, as it is in the case of the JWT, you will have to include the information within it, and the claim they used was the scope claim.
In summary, the scope parameter is a way to transmit the access you require and the access you were indeed granted. This information will also need to be stored in association with the issued access token. If it's a JWT, it will most likely be stored in the token itself; if it's an opaque token, it will most likely be stored server-side.
Upvotes: 3
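The answer above describes two places the granted scope can live: inside a self-contained JWT, or server-side behind an opaque token. The following Python is an added illustration of both, not code from the question, the answer, Auth0 or Slack. It assumes a hypothetical authorization server with an HS256 signing key and a constructed scope list (`read:messages`, `write:messages`, `read:profile`); the in-memory dictionary `OPAQUE_STORE` stands in for the server-side store that a real deployment would query through a token introspection endpoint. Scope negotiation (the client asks, the server grants a subset) is shown in `grant_scopes`, and the resource server's endpoint check in `authorize` works the same way regardless of which token style produced the scope set.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key for the hypothetical authorization server (NOT for production use).
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Constructed scope catalogue this hypothetical server is willing to grant.
SUPPORTED_SCOPES = {"read:messages", "write:messages", "read:profile"}

# Server-side store for by-reference (opaque) tokens: token -> granted data.
# A real authorization server would expose this through token introspection.
OPAQUE_STORE = {}


def grant_scopes(requested):
    """Scope negotiation: client requests a space-separated list, server returns
    the sorted subset it actually grants (unknown scopes are silently dropped)."""
    return sorted(s for s in requested.split() if s in SUPPORTED_SCOPES)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(subject, requested_scope, ttl=3600):
    """By-value token: the granted scope is carried inside the signed token."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl,
               "scope": " ".join(grant_scopes(requested_scope))}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def scopes_from_jwt(token):
    """Resource server side: verify alg, signature and expiry, then read the
    scope claim straight out of the payload. No call to the issuer is needed.
    Returns None for anything that fails verification."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never trust an attacker-chosen algorithm
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) < time.time():
        return None
    return set(payload.get("scope", "").split())


def issue_opaque(subject, requested_scope, ttl=3600):
    """By-reference token: a random string that means nothing by itself;
    the granted scope is recorded server-side, keyed by the token."""
    token = secrets.token_urlsafe(32)
    OPAQUE_STORE[token] = {"sub": subject,
                           "scope": grant_scopes(requested_scope),
                           "exp": time.time() + ttl}
    return token


def scopes_from_opaque(token):
    """Resource server side: look the token up in the store (in a real
    deployment, via the authorization server's introspection endpoint)."""
    rec = OPAQUE_STORE.get(token)
    if rec is None or rec["exp"] < time.time():
        return None
    return set(rec["scope"])


def authorize(granted_scopes, required_scope):
    """The per-endpoint check; identical for both token styles."""
    return granted_scopes is not None and required_scope in granted_scopes
```

The practical difference shows up in `scopes_from_jwt` versus `scopes_from_opaque`: the JWT path needs only the issuer's key, so the resource server can decide locally, while the opaque path needs a lookup against state the authorization server holds, which is also what makes revocation immediate for opaque tokens and awkward for JWTs.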