I am recently using OAuth2 of CF-UAA in my application. When the request comes to my client I redirect to the CF-UAA to generate an access token, where I can ask for different scopes. I wanted to know how we can limit the scopes a client can ask for? And are the scopes in CF-UAA extendable or fixed?
Thanks in advance
when the request comes to my client I redirect to the CF-UAA to generate an access token where I can ask for different scopes. I wanted to know how we can limit the scopes a client can ask for?
When you create the UAA client, you'll tell it what scopes this particular client should be able to utilize. If you give the client scope "foo" and "bar", that's all the client can request. It could not request "baz" because it's not in the list of allowed scopes in UAA.
It's up to the administrator or whomever is creating the UAA client to set an appropriate list of scopes. If you don't trust that individual, then they should not be allowed to create the client in the first place. Generally a trusted individual would be the one to create clients.
And are the scopes in CF-UAA extendable or fixed?
Scopes are just strings. Meaning to those strings is applied by the resource server. There are fixed sets of scopes for interacting with established services like UAA itself or for interacting with CF. If you are creating an app that is secured by OAuth2 (resource server), then it's your responsibility to dictate which scopes are available and what permissions they grant.
For example, Cloud Controller (resource server) recognizes "cloud_controller.admin", "cloud_controller.read" and "cloud_controller.write". If you assign one or more of these scopes to a client, it could obtain them and use them to do various things on Cloud Controller. If you tried to use the scope "cloud_controller.god" nothing would happen because Cloud Controller does not recognize and assign permissions to that scope.
Hope that helps!
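The two checks the answer describes, modelled as an added Python example (this is not UAA's or Cloud Controller's code): the authorization-server side refuses scopes a client was not registered with, and the resource-server side maps scope strings to permissions, so an unrecognised scope such as "cloud_controller.god" grants nothing. The client registry, the permission table, the client ids and the token claims are all constructed for the example; the token is assumed to have already had its signature verified and to carry its scopes in a `scope` list claim.

```python
"""Scope limiting on both sides of an OAuth2 flow (added illustration)."""
from __future__ import annotations

# Constructed client registry: stands in for the allowed-scope list an
# administrator configures when registering a UAA client.
CLIENT_REGISTRY: dict[str, frozenset[str]] = {
    "billing-app": frozenset({"cloud_controller.read", "cloud_controller.write"}),
    "read-only-dashboard": frozenset({"cloud_controller.read"}),
}

# Constructed permission table for a Cloud Controller-like resource server.
# Only scopes listed here mean anything; everything else is ignored.
SCOPE_PERMISSIONS: dict[str, frozenset[str]] = {
    "cloud_controller.read": frozenset({"GET"}),
    "cloud_controller.write": frozenset({"GET", "POST", "PUT", "DELETE"}),
    "cloud_controller.admin": frozenset({"GET", "POST", "PUT", "DELETE", "ADMIN"}),
}


def disallowed_scopes(client_id: str, requested: set[str]) -> set[str]:
    """Authorization-server side check.

    Returns the requested scopes the client is NOT registered for. An empty
    set means the request is within the client's allowed list; a non-empty
    set is what the server would refuse. An unknown client is allowed nothing.
    """
    allowed = CLIENT_REGISTRY.get(client_id, frozenset())
    return set(requested) - allowed


def effective_permissions(token_scopes: set[str]) -> set[str]:
    """Resource-server side: union the permissions of recognised scopes.

    Scopes the resource server does not know (e.g. "cloud_controller.god")
    contribute nothing, which is why a made-up scope string is harmless.
    """
    perms: set[str] = set()
    for scope in token_scopes:
        perms |= SCOPE_PERMISSIONS.get(scope, frozenset())
    return perms


def authorize_request(token_claims: dict, method: str) -> bool:
    """Decide whether a signature-verified token permits an HTTP method.

    Assumes (as constructed here) that scopes arrive as a list in the
    token's "scope" claim.
    """
    scopes = set(token_claims.get("scope", []))
    return method in effective_permissions(scopes)


if __name__ == "__main__":
    # Constructed token claims, as a resource server would see them after
    # validating the token's signature.
    token = {"client_id": "read-only-dashboard", "scope": ["cloud_controller.read"]}
    print(disallowed_scopes("billing-app", {"cloud_controller.admin"}))
    print(authorize_request(token, "GET"), authorize_request(token, "DELETE"))
```

The registry check is what makes the administrator's allowed-scope list enforceable: a client asking for a scope outside its list is refused before any token is issued. The permission table shows the other half of the answer, that scopes are only strings until a resource server decides what they unlock.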