Limiting the scopes of an OAuth 2.0 flow

Time:06-29

I want to set up an OAuth 2.0 flow in my code.

I want my code to be limited to specific scopes (even if someone accidentally writes some extra code to request additional ones).

Let's assume I want my code to be able to only access photos in facebook.

Is the only place to restrict the scope during the request to the authorisation server, e.g.

https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
  &redirect_uri=REDIRECT_URI&scope=email&state=1234zyx

Or is there a way to enforce this restriction when issuing client_id and client_secret so that the following request will eventually fail?

https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
  &redirect_uri=REDIRECT_URI&scope=email,posts&state=1234zyx

My use case is for Google APIs, btw.

CodePudding user response:

Not enough details provided to know what you are trying to accomplish, but generally:

  • The OAuth client may request any scope desired.
  • The resource owner (could be the end user via a "consent screen", or Google if using APIs) may NOT delegate some or all requested scopes.
  • The Authorization Server may ignore some or all requested scopes for many reasons.
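Since the protocol itself lets the client request any scope and lets the authorization server grant fewer than requested, the practical place to enforce "only these scopes" is in the client code: check the scope list against an allow-list before building the authorization URL, and check the `scope` field of the token response after the exchange. The following is an added example, not code from the original question or answer; the allow-list, endpoint URL and helper names are assumptions for illustration.

```python
"""Client-side scope guard for an OAuth 2.0 authorization-code flow (added example)."""
from urllib.parse import urlencode

# Hypothetical allow-list: the only scopes this application is permitted to use.
ALLOWED_SCOPES = frozenset({"https://www.googleapis.com/auth/photoslibrary.readonly"})

# Assumed Google authorization endpoint; Google separates scopes with spaces.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


class ScopeViolation(Exception):
    """Raised when code requests, or a token carries, a scope outside the allow-list."""


def disallowed_scopes(scopes):
    """Return the set of scopes in `scopes` that are not on the allow-list."""
    return set(scopes) - ALLOWED_SCOPES


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Build the authorization URL, refusing any scope outside ALLOWED_SCOPES.

    This is the check that catches 'someone accidentally added an extra scope':
    the request never leaves the process if it exceeds the allow-list.
    """
    extra = disallowed_scopes(scopes)
    if extra:
        raise ScopeViolation(f"scopes not permitted for this client: {sorted(extra)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(set(scopes))),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def granted_scopes(token_response, requested):
    """Return the scopes actually granted by the authorization server.

    Per RFC 6749 section 5.1, 'scope' is optional in the token response when it
    equals the requested set and required when it differs; so a missing field
    means 'as requested', while a present field may be narrower (the server or
    the user declined some scopes) and must be checked, not assumed.
    """
    scope_str = token_response.get("scope")
    granted = set(requested) if scope_str is None else set(scope_str.split())
    extra = disallowed_scopes(granted)
    if extra:
        raise ScopeViolation(f"token carries scopes beyond the allow-list: {sorted(extra)}")
    return granted
```

A caller should treat the result of `granted_scopes` as the effective permission set and degrade gracefully when it is smaller than what was requested.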