Hello. I would like to suggest a feature for the OAuth2 plugin. When configuring a new application, I would like to specify some scopes that will be associated with the client when it requests a token. This feature would allow giving different permissions to every client application.
To be more precise, suppose I configure the plugin with three scopes: read write modify
curl -X POST http://kong:8001/plugins \
--data "name=oauth2" \
--data "config.scopes=read,write,modify" \
--data "config.enable_client_credentials=true"
Then I create an application associated with the consumer foo (I skip the consumer creation)
curl -X POST http://kong:8001/consumers/foo/oauth2 \
--data "name=bar" \
--data "client_id=client_id" \
--data "client_secret=client_secret" \
--data "redirect_uris[]=http://some-domain/endpoint/" \
--data "scopes=read,write"
Now my application has only the read and write scopes associated. When the application creates a token, it receives only those scopes, or a subset if it requests just one of them. Otherwise, if it tries to acquire the modify scope, it gets an error.
This call will get a token with scopes read and write
curl -X POST https://kong:8443/oauth2/token \
--data "grant_type=client_credentials" \
--data "client_id=client_id" \
--data "client_secret=client_secret"
This one will get a token with the read scope
curl -X POST https://kong:8443/oauth2/token \
--data "grant_type=client_credentials" \
--data "client_id=client_id" \
--data "client_secret=client_secret" \
--data "scope=read"
This one will get an error response
curl -X POST https://kong:8443/oauth2/token \
--data "grant_type=client_credentials" \
--data "client_id=client_id" \
--data "client_secret=client_secret" \
--data "scope=modify"
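As an added example (not Kong's code and not part of the original request), here is the scope check that the proposal describes, written as a POSIX shell function so it can be tried against the values above. The function name, its three comma-separated inputs (plugin scopes, client scopes, requested scopes) and the error messages are my own assumptions; the only behaviour taken from the request is: no requested scope grants every scope attached to the client, a requested subset is granted as-is, and anything outside the client's list is refused. The example also fails closed when a scope attached to a client is not configured on the plugin at all, which the request does not spell out but a practitioner would want.

```shell
#!/bin/sh
# Added example, not the plugin's code: per-client scope restriction for the
# client_credentials grant. Prints the space-delimited scope to put in the
# token response (RFC 6749 format) and returns 0, or prints an invalid_scope
# message on stderr and returns 1.

# contains LIST ITEM: succeed if ITEM is one entry of the comma-separated LIST.
contains() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# grant_scopes PLUGIN_SCOPES CLIENT_SCOPES REQUESTED_SCOPES
#   PLUGIN_SCOPES    comma-separated, what config.scopes holds
#   CLIENT_SCOPES    comma-separated, the proposed per-application "scopes" field
#   REQUESTED_SCOPES the token request's scope parameter (space or comma separated), may be empty
grant_scopes() {
    plugin_scopes=$1
    client_scopes=$2
    requested=$(printf '%s' "$3" | tr ' ' ',')

    # 1. Every scope attached to the client must exist in the plugin config.
    #    An admin typo (e.g. "wirte") must refuse tokens, not silently pass through.
    _ifs=$IFS; IFS=','
    for s in $client_scopes; do
        if ! contains "$plugin_scopes" "$s"; then
            IFS=$_ifs
            echo "invalid_scope: client scope '$s' is not configured on the plugin" >&2
            return 1
        fi
    done
    IFS=$_ifs

    # 2. Nothing requested: grant everything the client is allowed
    #    (the first call in the request above gets "read write").
    if [ -z "$requested" ]; then
        echo "$client_scopes" | tr ',' ' '
        return 0
    fi

    # 3. Something requested: each requested scope must be in the client's list;
    #    one scope outside it (e.g. "modify") rejects the whole request.
    granted=""
    _ifs=$IFS; IFS=','
    for s in $requested; do
        if ! contains "$client_scopes" "$s"; then
            IFS=$_ifs
            echo "invalid_scope: '$s' is not allowed for this client" >&2
            return 1
        fi
        granted="${granted:+$granted }$s"
    done
    IFS=$_ifs
    echo "$granted"
}

# Usage with the values from the request above:
#   grant_scopes read,write,modify read,write ""        -> read write
#   grant_scopes read,write,modify read,write read      -> read
#   grant_scopes read,write,modify read,write modify    -> error, exit 1
```

The check runs before the client's own secret has bought it anything: a refused scope returns the standard OAuth 2.0 invalid_scope error rather than a narrowed token, so a client cannot probe which scopes exist by asking for them.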