Reputation: 1155
I'm trying to wrap my head around scopes for this scenario.
I have a SPA client and an API. The client only communicates with this API and the API has no other clients communicating with it.
The application has two access levels, say a user and an admin (the SPA may block some routes for the user and the API may block some endpoints).
The roles are administered with AD-groups and mapped to the roles claim.
So what role do scopes play in this scenario? I do all authorization based on the roles claim. But I still need to specify a scope, so I have an API://[clientid]/all scope. Could someone help me make sense of all this?
Upvotes: 4
Views: 1213
Reputation: 29208
Scopes are fixed at design time. They are high-level privileges that indicate an area of data and what you can do with that data. These are often used as sanity checks, e.g. to prevent tokens for a valid user but the wrong app from being used to call an API.
orders_read
Claims are dynamic values looked up at runtime, and tend to have different values for different users. Pretty much all real-world authorization is based on claims:
role = supervisor
company_id = 407
So in your case just define a scope or two, but keep them high level and easy to manage. Your claims based authorization (using roles) seems fine.
FURTHER INFO
At Curity we have a couple of good docs that explain the science of designing authorization based on OAuth standards:
Upvotes: 6
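The two-layer check the answer describes, as an added example that is not part of the original answer or of any Curity or Microsoft library: the API first uses the single high-level scope and the audience as a sanity check that the token was issued for this app, then makes the per-endpoint decision on the roles claim. The claim names (`aud`, `scp`, `roles`), the app ID URI and the endpoint-to-role map are assumptions; signature, issuer and expiry validation is assumed to have already happened in the JWT library.

```python
from dataclasses import dataclass

# Placeholder app ID URI for the API (assumption; use your own registration's value).
API_APP_ID_URI = "api://00000000-0000-0000-0000-000000000000"
REQUIRED_SCOPE = "all"  # the one high-level scope from the question

# Which roles may call which endpoints: the dynamic, per-user part (assumed map).
ENDPOINT_ROLES = {
    "GET /orders": {"user", "admin"},
    "DELETE /users": {"admin"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_scope(claims: dict) -> Decision:
    """Static sanity check: is this token for *this* API, with its scope granted?"""
    if claims.get("aud") != API_APP_ID_URI:
        return Decision(False, "token audience is not this API")
    granted = set(claims.get("scp", "").split())  # assumed space-separated scope claim
    if REQUIRED_SCOPE not in granted:
        return Decision(False, f"scope '{REQUIRED_SCOPE}' not granted")
    return Decision(True, "scope ok")


def authorize(claims: dict, endpoint: str) -> Decision:
    """Scope check first, then the real decision on the roles claim."""
    scope = check_scope(claims)
    if not scope.allowed:
        return scope
    allowed_roles = ENDPOINT_ROLES.get(endpoint)
    if allowed_roles is None:
        return Decision(False, f"unknown endpoint {endpoint}")  # deny by default
    if not allowed_roles.intersection(claims.get("roles", [])):
        return Decision(False, f"none of {sorted(allowed_roles)} in roles claim")
    return Decision(True, "authorized")


# Constructed sample tokens (already-validated claim sets, not real tokens).
ADMIN_TOKEN = {"aud": API_APP_ID_URI, "scp": "all", "roles": ["admin"]}
USER_TOKEN = {"aud": API_APP_ID_URI, "scp": "all", "roles": ["user"]}
OTHER_APP_TOKEN = {"aud": "api://some-other-app", "scp": "all", "roles": ["admin"]}

if __name__ == "__main__":
    for name, tok in [("admin", ADMIN_TOKEN), ("user", USER_TOKEN), ("other", OTHER_APP_TOKEN)]:
        print(name, authorize(tok, "DELETE /users"))
```

Note that the token for the other app is rejected before roles are even consulted, which is the "wrong app" case the answer mentions.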