API Terms Definition/Clarification


AR

Sep 15, 2016, 10:37:13 AM9/15/16
to API Craft
I hope you don't mind if these questions are totally out of place.

1. Are client_id and client_secret tied to a specific audience in terms of issuing encrypted JWTs, considering the public/private key used to encrypt/decrypt the JWT for the particular client_id is of that audience (where it belongs)?
2. Is scope a list of permissions the application requests to be granted and is reviewed by the user? Even though a user has allowed the scope requests, will the api also check if these scopes are valid for this client_id?

Andrew B

Sep 21, 2016, 3:44:26 PM9/21/16
to API Craft


On Friday, 16 September 2016 02:37:13 UTC+12, AR wrote:
I hope you don't mind if these questions are totally out of place.

1. Are client_id and client_secret tied to a specific audience in terms of issuing encrypted JWTs, considering the public/private key used to encrypt/decrypt the JWT for the particular client_id is of that audience (where it belongs)?

This exact question is answered here. http://stackoverflow.com/a/28503265/2480751

In short client ID (and client secret) are the client, whereas audience is the resource server.
 
2. Is scope a list of permissions the application requests to be granted and is reviewed by the user? Even though a user has allowed the scope requests, will the api also check if these scopes are valid for this client_id?


Scope is a list of permissions.

There are several different grant types in OAuth. In the most widely known one - authorization code grant - the end user typically does get to review and approve the list of scopes.

Authorization code grant is really intended for cases where the end user is also the resource owner (e.g. you more or less own your email address).

This is not the case typically for enterprise/business resources, where the corporation is the owner of the resources (e.g. the corporation owns the HR records that you wish to access). Hence when you use enterprise systems you do not commonly see dialogues popping up asking if you wish to "allow blah access to HR records" - they don't belong to you in the first place.
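
The two distinctions made in the answer above (client_id identifies the client while aud identifies the resource server, and scope must be checked against the client's registration, not only against what the user approved) are shown below in a small, self-contained example added here; it is not code from the original thread or from any library it mentions. It uses only the Python standard library and signs tokens with a shared HS256 key so it runs offline; the client registrations (mobile-app, admin-console), issuer URL, audience name hr-api and key are all hypothetical. The authorization server refuses a scope the client_id was never registered for even if a user would approve it, and the resource server rejects a perfectly valid token that was minted for a different audience.

```python
"""Toy OAuth 2.0 / JWT flow: client vs audience, and scope checks on both sides."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical client registrations held by the authorization server, keyed by client_id.
# Note the registration describes the *client*; the audience ("hr-api") is the resource server.
CLIENTS = {
    "mobile-app": {"client_secret": "mobile-secret", "allowed_scopes": {"hr:read"}},
    "admin-console": {"client_secret": "admin-secret", "allowed_scopes": {"hr:read", "hr:write"}},
}
ISSUER = "https://auth.example.test"        # hypothetical issuer
SIGNING_KEY = b"shared-hs256-key-for-demo"   # hypothetical; production would use asymmetric keys
TOKEN_TTL = 600                              # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id, client_secret, subject, requested_scopes, audience, now=None):
    """Authorization-server side: authenticate the client, then confirm the scopes the
    user approved are ones this client_id was registered for (question 2 in the thread)."""
    now = int(now if now is not None else time.time())
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["client_secret"], client_secret):
        raise PermissionError("invalid_client")
    requested = set(requested_scopes)
    if not requested <= client["allowed_scopes"]:
        raise PermissionError("invalid_scope: %s" % sorted(requested - client["allowed_scopes"]))
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": audience, "sub": subject, "client_id": client_id,
              "scope": " ".join(sorted(requested)), "iat": now, "exp": now + TOKEN_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, expected_audience, now=None):
    """Resource-server side: check signature, issuer, expiry, and that the token was
    minted for *this* audience; a valid token for another API is still rejected."""
    now = int(now if now is not None else time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none" or a swapped alg
        raise PermissionError("unexpected alg")
    expected_sig = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise PermissionError("token not intended for this audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("expired")
    return claims


def has_scope(claims, required):
    """Per-request authorization at the resource server: is the scope present in the token?"""
    return required in claims.get("scope", "").split()


if __name__ == "__main__":
    tok = issue_token("mobile-app", "mobile-secret", "alice", ["hr:read"], "hr-api")
    claims = verify_token(tok, "hr-api")
    print("client:", claims["client_id"], "audience:", claims["aud"], "scope:", claims["scope"])
    for bad in (lambda: issue_token("mobile-app", "mobile-secret", "alice", ["hr:write"], "hr-api"),
                lambda: verify_token(tok, "payroll-api")):
        try:
            bad()
        except PermissionError as exc:
            print("rejected:", exc)
```

The interesting lines are the two rejections at the bottom: mobile-app asking for hr:write fails at issuance because the scope is outside its registration, regardless of user consent, and the hr-api token is refused by payroll-api because audience, not client identity, decides which resource server may accept it.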
