Introduce `required_scopes` as parameter for the authentication response

Open GeorgDangl opened this issue 3 years ago • 3 comments

Some OAuth2 / OpenID Connect providers require that clients include a scope parameter when requesting an access token. It looks like all CDE servers can add a default one if none was included, but a new feature to include something like `required_scopes` (maybe even scoped by API?) could be added to the authorization endpoint, so that final responses could look like this:

```json
{
    "oauth2_auth_url": "https://example.com/opencde/oauth2/auth",
    "oauth2_token_url": "https://example.com/opencde/oauth2/token",
    "oauth2_dynamic_client_reg_url": "https://example.com/opencde/oauth2/reg",
    "http_basic_supported": true,
    "supported_oauth2_flows": [
        "authorization_code_grant",
        "implicit_grant",
        "resource_owner_password_credentials_grant"
    ],
    "required_scopes": [{
        "api": "bcf",
        "scope": "bcf offline_access"
    }]
}
```

GeorgDangl avatar Jun 22 '21 14:06 GeorgDangl
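As an added illustration (not code from the foundation-API project or from the issue author), here is how a client could consume the proposed `required_scopes` field when building an authorization-code request: it picks the scope declared for the API it wants, falls back to a client-supplied default when the server sends no entry (the manual situation described for 1.x), and always carries a random `state` value for the callback check. The client id, redirect URI and the sample response are assumed values constructed for this example.

```python
import json
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed sample: an authentication response shaped like the proposal above.
SAMPLE_RESPONSE = json.dumps({
    "oauth2_auth_url": "https://example.com/opencde/oauth2/auth",
    "oauth2_token_url": "https://example.com/opencde/oauth2/token",
    "http_basic_supported": True,
    "supported_oauth2_flows": ["authorization_code_grant", "implicit_grant"],
    "required_scopes": [{"api": "bcf", "scope": "bcf offline_access"}],
})


def scope_for_api(auth_response: dict, api: str,
                  default: Optional[str] = None) -> Optional[str]:
    """Return the scope string the server declared for `api`, or `default`
    when no `required_scopes` entry exists for it (the 1.x situation)."""
    for entry in auth_response.get("required_scopes", []):
        if entry.get("api") == api:
            return entry["scope"]
    return default


def build_authorization_url(auth_response: dict, api: str, client_id: str,
                            redirect_uri: str, state: str,
                            default_scope: Optional[str] = None) -> str:
    """Build the authorization-code-grant request URL with the scope for
    `api`. `state` must be a fresh random value that the client compares
    against the callback, so a forged callback cannot bind a foreign code."""
    flows = auth_response.get("supported_oauth2_flows", [])
    if "authorization_code_grant" not in flows:
        raise ValueError("server does not advertise authorization_code_grant")
    params = {
        "response_type": "code",
        "client_id": client_id,          # assumed client registration
        "redirect_uri": redirect_uri,
        "state": state,
    }
    scope = scope_for_api(auth_response, api, default_scope)
    if scope:
        params["scope"] = scope           # omitted only if nothing is known
    return auth_response["oauth2_auth_url"] + "?" + urlencode(params)


if __name__ == "__main__":
    response = json.loads(SAMPLE_RESPONSE)
    print(build_authorization_url(response, "bcf", "my-client",
                                  "https://client.example/cb",
                                  secrets.token_urlsafe(16)))
```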

available_scopes is, in my opinion, a more descriptive name

ykulbak avatar May 17 '22 05:05 ykulbak

For 1.x, we're relying on a manual process. That means developers connecting to an OAuth2 capable server should find out the required scopes for the specific instance and handle it in their own code.

GeorgDangl avatar Jun 20 '22 09:06 GeorgDangl

Sep 25th 2023, group discussion. See comment from the same date on https://github.com/buildingSMART/foundation-API/issues/25

ykulbak avatar Sep 25 '23 09:09 ykulbak