31

I'm using Spring Security OAuth2 and have currently implemented the client_credentials and password grant types. I noticed a client has both scope and authorities. Can someone please explain what the difference is? To be more specific, I'm using the JDBCTokenStore and the database schema has an oauth_client_details table.

Also,

In the oauth_client_details table, I'm not sure what the following fields are used for:

web_server_redirect_url, access_token_validity, refresh_token_validity

Some clarification would be very helpful and appreciated.

Michael LoCicero
  • I have the same question. [Found Spring's presentation on slideshare](http://www.slideshare.net/SpringCentral/syer-oauth-model), where it said that they distinguish scopes and authorities: user tokens use scopes, client tokens - authorities. But I can't find any reason to do it. Did you finally find an answer? – pls Jul 31 '16 at 12:28
  • What I've found is that it is not defined - it's really up to you, the one who is implementing the OAuth2 server. The post below has a good example of what scope could be used for. – Michael LoCicero Aug 01 '16 at 16:59
  • Possible duplicate of [Difference between scope and authority in UAA](https://stackoverflow.com/questions/35691051/difference-between-scope-and-authority-in-uaa) – EagleRainbow Oct 21 '17 at 08:41

1 Answer

29

I noticed a client has both scope and authorities

The client only has scope, but we can consider/use it as an authority (roles). This is because the OAuth2 spec doesn't explain the specific usage of scope.

Consider this: a user authorizes Twitter to post the user's tweets to Facebook. In this case, Twitter will have the scope write_facebook_status. Although the user has the authority to change their own profile, this doesn't mean that Twitter can also change the user's profile. In other words, scopes are the client's authorities/roles, not the user's authorities/roles.

web_server_redirect_url

This will be used by the authorization server to redirect the request to its original URL or callback (authorization grant) after successful authorization.

access_token_validity

This is the access_token expiration time in seconds. Set it to -1 or 0 for infinite. If you set it to 60, then after 1 minute your access_token will be invalid. You have to either request a new token by going through the authorization process again or use the refresh_token.

refresh_token_validity

This is the refresh_token expiration time.

rj2700
KSTN
  • "because OAuth spec doesn't explain specific usage of scope." Please explain why you think so. Perhaps some links that explain it further? – AlikElzin-kilaka Jun 21 '17 at 12:53
  • @AlikElzin-kilaka you can find it here https://tools.ietf.org/html/rfc6749#section-3.3 – KSTN Jun 23 '17 at 01:05
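The scope-versus-authority point and the token-validity rules from the answer above, modelled as a toy resource-server check. This is an added example, not code from the page, from Spring Security OAuth2 or from any poster. `ACTION_SCOPES`, `ACTION_AUTHORITIES`, `check_access`, `issue_token` and the constructed Twitter client row are assumptions made for illustration; the column is named `web_server_redirect_uri` as in Spring's schema. It goes slightly beyond the Twitter example by also covering a client_credentials-style token that has no user behind it.

```python
# Added example (not the page's or Spring's code): a toy resource-server
# decision that models the answer's two points. ACTION_SCOPES,
# ACTION_AUTHORITIES, check_access and the Twitter client row are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Assumed mapping of each protected action to the client scope it needs.
ACTION_SCOPES = {
    "post_status": "write_facebook_status",
    "change_profile": "write_profile",
}
# Assumed mapping of each action to the user authority it additionally needs.
ACTION_AUTHORITIES = {
    "post_status": "ROLE_USER",
    "change_profile": "ROLE_USER",
}


@dataclass(frozen=True)
class ClientDetails:
    """One row of oauth_client_details, limited to the columns the question asks about."""
    client_id: str
    scope: FrozenSet[str]              # what the client may do on the user's behalf
    authorities: FrozenSet[str]        # the client's own roles (used by client_credentials tokens)
    web_server_redirect_uri: str       # where the authorization server sends the user back
    access_token_validity: int         # seconds; -1 or 0 means the token never expires
    refresh_token_validity: int        # seconds, same convention


@dataclass(frozen=True)
class AccessToken:
    client: ClientDetails
    scope: FrozenSet[str]              # granted scopes, always a subset of client.scope
    user_authorities: FrozenSet[str]   # empty for a client_credentials token
    issued_at: int                     # epoch seconds


def issue_token(client: ClientDetails, requested: Set[str],
                user_authorities: Set[str], now: int) -> AccessToken:
    """Grant a token, refusing scopes the client was not registered with (invalid_scope)."""
    unknown = set(requested) - client.scope
    if unknown:
        raise ValueError("invalid_scope: %s" % sorted(unknown))
    return AccessToken(client, frozenset(requested), frozenset(user_authorities), now)


def expires_at(token: AccessToken) -> Optional[int]:
    """access_token_validity > 0 sets an expiry; -1 or 0 means no expiry at all."""
    validity = token.client.access_token_validity
    return token.issued_at + validity if validity > 0 else None


def is_expired(token: AccessToken, now: int) -> bool:
    exp = expires_at(token)
    return exp is not None and now >= exp


def check_access(token: AccessToken, action: str, now: int) -> str:
    """Allow only if the token is live, the client holds the scope, and the user holds the role."""
    if is_expired(token, now):
        return "denied: token expired, re-authorize or use the refresh_token"
    needed_scope = ACTION_SCOPES[action]
    if needed_scope not in token.scope:
        return "denied: client lacks scope " + needed_scope
    needed_authority = ACTION_AUTHORITIES[action]
    if needed_authority not in token.user_authorities:
        return "denied: user lacks authority " + needed_authority
    return "allowed"


# Constructed sample client: Twitter may only write Facebook status, tokens live 60 s.
TWITTER = ClientDetails(
    client_id="twitter",
    scope=frozenset({"write_facebook_status"}),
    authorities=frozenset({"ROLE_CLIENT"}),
    web_server_redirect_uri="https://twitter.example/oauth/callback",
    access_token_validity=60,
    refresh_token_validity=3600,
)

if __name__ == "__main__":
    token = issue_token(TWITTER, {"write_facebook_status"}, {"ROLE_USER"}, now=1000)
    for action, now in (("post_status", 1030), ("change_profile", 1030), ("post_status", 1060)):
        print(action, now, "->", check_access(token, action, now))
```

The two checks in `check_access` are the toy counterparts of what a Spring resource server expresses with `#oauth2.hasScope('write_facebook_status')` (the client's scope) and `hasRole('ROLE_USER')` (the user's authority): the user having a role never widens what the client was granted, and a scope never grants a role the user does not hold.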