ClientCredentials scopes request
Hi,
It seems confusing that scopes can be specified for ClientCredentials (as we are doing here). This hints that select scopes can be included in the request. However, that is not a supported feature of OAuth.
So I'm wondering if this is a mistake and you shouldn't actually be allowed to list scopes for ClientCredentials? Or is there a usage for having them there which I am overlooking? If so, I'd very much like to learn about it, please.
Thanks, Nis
Hello @nissimsan,
In your OAS you can define that you are using OAuth2, client credentials flow, exactly as you are doing in your spec:
```yaml
securitySchemes:
  OAuth2:
    type: oauth2
    flows:
      clientCredentials:
        tokenUrl: https://example.com/oauth/token
```
However, in your spec you are not defining the scope array, which is a mandatory field (it can be empty):
```yaml
securitySchemes:
  OAuth2:
    type: oauth2
    flows:
      clientCredentials:
        tokenUrl: https://example.com/oauth/token
        # scopes is a map of scope name -> description, not a list
        scopes:
          readPresentation: allow to read a presentation
          writePresentation: allow to create and update a presentation
```
This is listing the "available scopes" on your API (here read and write).
Notice that you can request scopes when you are asking for a token, but it is not guaranteed that you will get them:
```http
POST /token HTTP/1.1
Host: your-oidc-server.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=your-client-id&client_secret=your-client-secret&scope=readPresentation%20writePresentation
```
It might only return you read ...
Then on the endpoint in your API you will set something like this:
```yaml
post:
  summary: Present
  operationId: submitPresentationWithOAuth2Security
  description: >
    Create a presentation. This endpoint allows clients holding a valid OAuth2 access token to create a presentation.
  tags:
    - Presentations
  security:
    - OAuth2: [writePresentation]
```
And this might fail if the server only gives you the readPresentation scope (despite you having requested read & write).
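To make the scope narrowing described in this reply concrete, here is a small added example (not code from the thread or from any OAuth library) that models both sides: a client-credentials token endpoint that grants only the intersection of the requested scopes and the client's entitlement, and a resource endpoint that enforces the `security: - OAuth2: [writePresentation]` requirement. The client registry, its entitlement to `readPresentation` only, and the `token_endpoint`/`authorize` function names are constructed for illustration.

```python
"""Minimal model of an OAuth2 client-credentials token endpoint and a
resource endpoint that enforces a scope requirement (added example)."""
import secrets
from urllib.parse import parse_qs

# Constructed client registry (hypothetical values). "allowed_scopes" is what
# this client is entitled to, regardless of what it asks for in the request.
CLIENT_REGISTRY = {
    "your-client-id": {
        "secret": "your-client-secret",
        "allowed_scopes": {"readPresentation"},
    },
}

# Scopes declared under securitySchemes.OAuth2.flows.clientCredentials.scopes
API_SCOPES = {"readPresentation", "writePresentation"}

# In-memory token store: access_token -> granted scope set
_TOKENS: dict[str, set[str]] = {}


def token_endpoint(body: str) -> dict:
    """Handle a form-encoded client_credentials request (RFC 6749 section 4.4).

    Returns a token response or an error object. The granted scope is the
    intersection of the requested scope and the client's entitlement, so the
    client may receive less than it asked for.
    """
    form = parse_qs(body, keep_blank_values=True)

    def field(name: str) -> str:
        return form.get(name, [""])[0]

    if field("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}

    client = CLIENT_REGISTRY.get(field("client_id"))
    if client is None or not secrets.compare_digest(client["secret"], field("client_secret")):
        return {"error": "invalid_client"}

    # No scope parameter: fall back to the client's default entitlement.
    requested = set(field("scope").split()) if field("scope") else set(client["allowed_scopes"])
    if not requested <= API_SCOPES:
        return {"error": "invalid_scope"}  # unknown scope name
    granted = requested & client["allowed_scopes"]

    token = secrets.token_urlsafe(32)
    _TOKENS[token] = granted
    resp = {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
    # RFC 6749 section 5.1: scope is REQUIRED in the response when it differs
    # from what the client requested, so the client can see it was narrowed.
    if granted != requested:
        resp["scope"] = " ".join(sorted(granted))
    return resp


def authorize(authorization_header: str, required: set[str]) -> tuple[int, str]:
    """Enforce `security: - OAuth2: [writePresentation]` on a resource endpoint.

    Returns (HTTP status, reason). RFC 6750 distinguishes a missing/invalid
    token (401) from a valid token that lacks scope (403 insufficient_scope).
    """
    if not authorization_header.startswith("Bearer "):
        return 401, "invalid_token"
    granted = _TOKENS.get(authorization_header[len("Bearer "):])
    if granted is None:
        return 401, "invalid_token"
    if not required <= granted:
        return 403, "insufficient_scope"
    return 200, "ok"


def demo() -> tuple[int, str]:
    """Walk the thread's scenario: ask for read+write, get read only, then POST."""
    resp = token_endpoint(
        "grant_type=client_credentials&client_id=your-client-id"
        "&client_secret=your-client-secret&scope=readPresentation%20writePresentation"
    )
    # The server narrowed the grant: resp["scope"] == "readPresentation"
    return authorize("Bearer " + resp["access_token"], {"writePresentation"})


if __name__ == "__main__":
    print(demo())  # (403, 'insufficient_scope')
```

The point to take from the 403 is that the scopes listed in the OpenAPI document are a catalogue of what the API can be asked for; the authorization server decides what each client actually gets, and the resource server must check the granted scope on every request rather than trusting what was requested.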