Tags: security, oauth-2.0, oauth, google-oauth

Limiting the scopes of an OAuth 2.0 flow
I want to set up an OAuth 2.0 flow in my code.

I want my code to be limited to specific scopes (even if someone accidentally writes some extra code to request additional ones).

Let's assume I want my code to be able to only access photos in Facebook.

Is the only place to restrict the scope during the request to the authorisation server, e.g.

https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
  &redirect_uri=REDIRECT_URI&scope=email&state=1234zyx

Or is there a way to enforce this restriction when issuing client_id and client_secret so that the following request will eventually fail?

https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
  &redirect_uri=REDIRECT_URI&scope=email,posts&state=1234zyx

My use case is for Google APIs btw.
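One client-side way to get the guarantee asked for above, as an added example that is not part of the question or of any answer: pin an allowlist of scopes and check it twice, once when building the authorization URL and again on the `scope` field Google returns in the token response, so a scope slipped in elsewhere in the code fails before the request is sent or the token is used. Assumptions: Google's authorization endpoint and space-delimited scope strings, the Photos Library read-only scope string as the single permitted scope, and constructed client_id/state values; nothing is sent over the network.

```python
from urllib.parse import urlencode

# Added example (not from the question or any answer): a client-side guard that
# pins the scopes this code may ever request or accept. Assumptions: Google's
# authorization endpoint, Google's space-delimited scope strings, and the Photos
# Library read-only scope as the one permitted scope. No network traffic here.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
ALLOWED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/photoslibrary.readonly",
})


class ScopeViolation(ValueError):
    """Raised when code tries to request, or accept, a scope outside ALLOWED_SCOPES."""


def scope_violations(scopes):
    """Return the subset of `scopes` not on the allowlist (empty when all are permitted)."""
    return set(scopes) - ALLOWED_SCOPES


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Build the authorization-request URL; refuse before anything leaves the app
    if some other code path slipped in an extra scope (the 'email,posts' case)."""
    extra = scope_violations(scopes)
    if extra:
        raise ScopeViolation(f"scope(s) not permitted for this client: {sorted(extra)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(set(scopes))),  # Google separates scopes with spaces
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def check_granted_scopes(token_response):
    """Second gate: the token response's `scope` field lists what was actually granted
    (the user or server may have narrowed it); reject anything beyond the allowlist."""
    granted = set(token_response.get("scope", "").split())
    extra = scope_violations(granted)
    if extra:
        raise ScopeViolation(f"token carries unexpected scope(s): {sorted(extra)}")
    return granted
```

The allowlist lives in one place, so a reviewer can see exactly what the client can ever ask for, and a token that somehow arrives with more is rejected rather than silently used.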
Solution

  • Not enough details provided to know what you are trying to accomplish, but generally: