OAuth2 client_credentials scope association for every application


#1

Hello. I would like to suggest a feature for the OAuth2 plugin. When configuring a new application, I would like to specify some scopes that will be associated with the client when requesting a token. This feature would allow giving different permissions to every client application.

To be more precise, suppose I configure the plugin with three scopes: read, write and modify.

curl -X POST http://kong:8001/plugins \
    --data "name=oauth2"  \
    --data "config.scopes=read,write,modify" \
    --data "config.enable_client_credentials=true"

Then I create an application associated with the consumer foo (I skip the consumer creation):

curl -X POST http://kong:8001/consumers/foo/oauth2 \
    --data "name=bar"  \
    --data "client_id=client_id" \
    --data "client_secret=client_secret" \
    --data "redirect_uris[]=http://some-domain/endpoint/" \
    --data "scopes=read,write"

Now my application has only the read and write scopes associated. When the application requests a token, it receives only those scopes, or a subset if it asks for just one of them. Otherwise, if it tries to acquire the modify scope, it gets an error.

This call will get a token with the scopes read and write:

curl -X POST https://kong:8443/oauth2/token \
    --data "grant_type=client_credentials" \
    --data "client_id=client_id" \
    --data "client_secret=client_secret"

This one will get a token with the read scope:

curl -X POST https://kong:8443/oauth2/token \
    --data "grant_type=client_credentials" \
    --data "client_id=client_id" \
    --data "client_secret=client_secret" \
    --data "scopes=read"

This one will get an error response (the modify scope is not associated with the application):

curl -X POST https://kong:8443/oauth2/token \
    --data "grant_type=client_credentials" \
    --data "client_id=client_id" \
    --data "client_secret=client_secret" \
    --data "scopes=modify"
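The scope rule proposed above (requested scopes must be a subset of the scopes registered for the application, and an omitted scope parameter yields all of them), written out as an added stand-alone check. This is example code, not the Kong plugin's implementation; the function names `parse_scopes` and `grant_client_credentials_scopes`, and the choice to intersect the application's scopes with the plugin's `config.scopes`, are assumptions made here.

```python
from typing import Dict, List, Optional, Tuple

def parse_scopes(value: Optional[str]) -> List[str]:
    """Split a comma- or space-separated scope list; drops empties and duplicates, keeps order."""
    if not value:
        return []
    seen: List[str] = []
    for scope in value.replace(",", " ").split():
        if scope not in seen:
            seen.append(scope)
    return seen

def grant_client_credentials_scopes(
    plugin_scopes: str, client_scopes: str, requested: Optional[str] = None
) -> Tuple[Optional[List[str]], Optional[Dict[str, str]]]:
    """Decide which scopes a client_credentials token gets (hypothetical helper, not Kong code).

    plugin_scopes: the plugin's config.scopes (e.g. "read,write,modify")
    client_scopes: the scopes registered for the application (the proposed "scopes" field)
    requested:     the token request's scope parameter, or None when omitted
    Returns (granted_scopes, None) or (None, error) where error mirrors an OAuth2
    error response; "invalid_scope" is the error code RFC 6749 section 5.2 defines.
    """
    plugin = parse_scopes(plugin_scopes)
    # Assumption: an application can never hold a scope the plugin itself does not define.
    allowed = [s for s in parse_scopes(client_scopes) if s in plugin]
    wanted = parse_scopes(requested)
    if not wanted:
        # No scope parameter: the token carries everything granted to the application.
        return allowed, None
    denied = [s for s in wanted if s not in allowed]
    if denied:
        # Deny the whole request rather than silently narrowing it, so a
        # misconfigured client fails loudly instead of running with fewer rights.
        return None, {
            "error": "invalid_scope",
            "error_description": "scope not granted to this client: " + " ".join(denied),
        }
    return wanted, None

# The three requests from the post, with the plugin and application configured as shown above.
if __name__ == "__main__":
    cfg = ("read,write,modify", "read,write")
    print(grant_client_credentials_scopes(*cfg))             # (['read', 'write'], None)
    print(grant_client_credentials_scopes(*cfg, "read"))     # (['read'], None)
    print(grant_client_credentials_scopes(*cfg, "modify"))   # (None, {'error': 'invalid_scope', ...})
```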