oauth-2.0scopes

Do we use "scope" for client credential grant type? Why?


In most OAuth2 typical use cases, the scope is used by resource owner password grant type, or authorization code flow, where a user login is required.

It seems that scope is mainly used to control access of users' resource. For example, to authorize a 3rd party client to access the resource owner (user) resource at another server.

In some cases, user is not present. For example, a company wants to provide a API for another company only. Client credential is being used. Most API gateway products have subscriber management option to control which client ID can access which APIs. In that case, is it still meaningful to use OAuth scopes to manage access to APIs? Why?

Besides, I cannot find any examples using scopes along with client-credential grant type. Is it rare use case?


Solution

  • The Client Credentials grant type is used to access protected resources that both sides own/control/trust.

    Scopes are supported by this grant type. They are typically not used because the trust is already there and limiting that trust via scopes is not required.

    In other words, the reason that scopes are not used is that if the trust is not there, other grant types are more appropriate.