I am a newbie to OAuth2 security. I have a question regarding user-role-based authorization to access REST resources. My internet surfing gave inputs on the authentication part of OAuth2.

Let me provide you the scenario which is bothering me.

I have a REST web service which has methods to READ (HTTP GET), INSERT (HTTP POST), UPDATE (HTTP PUT) and DELETE (HTTP DELETE) a given resource.

I have two user roles, "STANDARD" and "ADMIN". A "STANDARD" user can only invoke READ (HTTP GET), and an "ADMIN" can access the INSERT, UPDATE and DELETE methods. How can I achieve this?

Which OAuth2 grant flow should be considered?

Can you point me to a solution for user-role-based authorization of REST resources?

1 Answer

OAuth doesn't define how authentication is done, but it does say that it's required in some cases. When it is, like with the code flow or ROPC, the authorization server will know the identity of the user. From there, it can look up what groups the user is in or which roles they have. From this, the authorization server can issue an access token with a certain scope (e.g., read for STANDARD users and write for ADMIN users). Then, in the API, it will only check the scope of the access token, and not have to worry about role-based access. Another way would be to put the group/role into the token issued by the authorization server (as a claim). Then, the API can see the group/role and decide if write should be allowed or if only read is OK.
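Both approaches from the answer above, as an added example that is not part of the original post or of any particular OAuth2 product: the authorization-server side maps roles to a scope (and also copies the roles into a claim), and the API side verifies the token and then decides per HTTP method either from the scope or from the roles claim. The token is a JWT signed with HS256 and a constructed shared secret so that the example runs offline with the standard library only; with a real authorization server the API would verify an asymmetric signature (RS256/ES256) against the server's published keys instead. The role-to-scope and method-to-scope tables, the secret, the user names and the 300-second lifetime are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only. A real API should verify
# RS256/ES256 tokens against the authorization server's JWKS instead of
# holding a symmetric secret (assumption made so the example runs offline).
SECRET = b"example-shared-secret-do-not-use"

# Authorization-server side: which scope each role is granted (assumed tables).
ROLE_SCOPES = {"STANDARD": {"read"}, "ADMIN": {"read", "write"}}

# API side: which scope (approach 1) or roles (approach 2) each method needs.
METHOD_SCOPE = {"GET": "read", "POST": "write", "PUT": "write", "DELETE": "write"}
METHOD_ROLES = {"GET": {"STANDARD", "ADMIN"}, "POST": {"ADMIN"},
                "PUT": {"ADMIN"}, "DELETE": {"ADMIN"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles, ttl: int = 300, now: int = None) -> str:
    """Authorization server: after authenticating `subject`, translate the
    user's roles into a scope and also carry the roles as a claim."""
    now = int(time.time()) if now is None else now
    scopes = set()
    for role in roles:
        scopes |= ROLE_SCOPES.get(role, set())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": " ".join(sorted(scopes)),
               "roles": sorted(roles), "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int = None):
    """API: check structure, pinned algorithm, signature and expiry.
    Returns the claims dict, or None if the token must be rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        signature = _b64url_decode(sig)
    except ValueError:  # bad base64 / bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm: never trust "none" or whatever the token claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims


def scope_allows(claims: dict, method: str) -> bool:
    """Approach 1: the API only looks at the scope in the token."""
    granted = set(str(claims.get("scope", "")).split())
    return METHOD_SCOPE.get(method, None) in granted


def role_allows(claims: dict, method: str) -> bool:
    """Approach 2: the API reads the roles claim and decides itself."""
    roles = set(claims.get("roles", []))
    return bool(roles & METHOD_ROLES.get(method, set()))


def authorize(token: str, method: str, now: int = None, check=scope_allows):
    """Return (allowed, http_status): 401 if the token is invalid or expired,
    405 for an unknown method, 403 if the token lacks the needed permission."""
    claims = verify_token(token, now)
    if claims is None:
        return False, 401
    method = method.upper()
    if method not in METHOD_SCOPE:
        return False, 405
    if not check(claims, method):
        return False, 403
    return True, 200


if __name__ == "__main__":
    standard = issue_token("alice", ["STANDARD"])
    admin = issue_token("bob", ["ADMIN"])
    for tok, who in ((standard, "STANDARD"), (admin, "ADMIN")):
        for m in METHOD_SCOPE:
            print(who, m, authorize(tok, m), authorize(tok, m, check=role_allows))
```

The two checks are deliberately separate functions so the API can pick one: with `scope_allows` the role-to-permission decision lives entirely in the authorization server, with `role_allows` it lives in the API. Either way the API must verify the signature and expiry first and return 401 before it ever looks at scope or roles, and it should pin `alg` rather than accept whatever the token header announces.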