OAuth Token Scope inheritance


Sam Gurtman

May 28, 2015, 10:54:01 PM
to basespace-...@googlegroups.com

Hello,

Just to clarify, when you ask for a new access token with additional scopes, do those new scopes also apply to the old access token?

For example, if I ask for read permission on a project, will only the new access token have that permission, or will both the new and old?

Sam Gurtman

Jun 4, 2015, 8:48:08 PM
to basespace-...@googlegroups.com
Bumping as this is a blocker for some development I'm doing. Just to clarify, when you already have an access token and perform the OAuth flow again with increased scopes, what happens to the old OAuth token? Is it still valid, and will the new scopes transfer to it?

Maxim Mass

Jun 4, 2015, 9:14:10 PM
to basespace-developers on behalf of Sam Gurtman
For web applications, new tokens will also contain rights from
previous tokens to the same user. This allows a new token to
accumulate rights to data items that have been previously requested
while allowing you to only maintain the newest token.


Sam Gurtman

Jun 4, 2015, 9:15:30 PM
to basespace-developers on behalf of Maxim Mass

Yes, I'm aware of this. I'm asking specifically about the old, previous tokens.


Maxim Mass

Jun 4, 2015, 9:17:42 PM
to basespace-developers on behalf of Sam Gurtman
Older tokens don't change upon requesting new ones.

Maxim Mass

Jun 4, 2015, 9:20:51 PM
to basespace-developers on behalf of Sam Gurtman
I should add that you can get information about a given token by going to

https://api.basespace.illumina.com/v1pre3/oauthv2/token/current?access_token={your token}

It'll show the scope and basic details, but doesn't list specific
resources it has access to. Though that's easy enough to look up simply
by browsing the API with the token.

Sam Gurtman

Jun 4, 2015, 9:33:52 PM
to basespace-developers on behalf of Maxim Mass

Thanks, one follow up, is it possible to get a new token with only certain scopes, or remove existing scopes from an issued token?

Maxim Mass

Jun 4, 2015, 9:43:50 PM
to basespace-developers on behalf of Sam Gurtman
Sorry no it's not currently possible. We may consider deprecating this
inheritance or making it an explicit opt-in perhaps via a scope
parameter. Are you finding it useful for your scenario?


Sam Gurtman

Jun 4, 2015, 9:55:23 PM
to basespace-developers on behalf of Maxim Mass
An explicit opt in would be very useful. I'd rather not keep permissions on a user's specific resource if they're no longer required.

Cheers
Samuel Gurtman
Web Apps Developer
P: +64 9 379 5064 | M: +64 22 068 4916
BIOMATTERS
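
An added example, not part of the thread and not BaseSpace's own code: since older tokens keep their original scopes while newer ones accumulate them, this script takes the token-info responses an app has saved and picks the stored token that covers the current need with the fewest extra scopes. The response shape, the scope strings and the token labels are constructed assumptions.

```python
import json

# Constructed sample token-info responses. The {"Response": {"Scopes": [...]}}
# shape and the scope strings are assumptions, not taken from the thread.
STORED = {
    "token_may28": '{"Response": {"Scopes": ["browse global", "read project 101"]}}',
    "token_jun04": '{"Response": {"Scopes": ["browse global", "read project 101",'
                   ' "read project 202"]}}',
}

def norm(scope):
    """Lower-case a scope string and collapse whitespace for comparison."""
    return " ".join(scope.lower().split())

def parse_scopes(raw):
    """Return the set of scopes listed in one token-info response."""
    scopes = json.loads(raw).get("Response", {}).get("Scopes")
    if not isinstance(scopes, list):
        raise ValueError("no scope list in token info")
    return {norm(s) for s in scopes}

def audit(required, stored):
    """Choose the least-privileged stored token that still covers `required`.

    keep    - label of the token to use (None if no stored token suffices)
    drop    - labels to delete from the app's own storage
    excess  - scopes the kept token holds beyond what is required
    missing - scopes no stored token has (a new OAuth flow is needed)
    """
    need = {norm(s) for s in required}
    held = {label: parse_scopes(raw) for label, raw in stored.items()}
    # Rank every sufficient token by how many unneeded scopes it carries.
    usable = sorted((len(s - need), label) for label, s in held.items() if need <= s)
    if not usable:
        everything = set().union(*held.values())
        return {"keep": None, "drop": [], "excess": [],
                "missing": sorted(need - everything)}
    keep = usable[0][1]
    return {"keep": keep,
            "drop": sorted(label for label in held if label != keep),
            "excess": sorted(held[keep] - need),
            "missing": []}

if __name__ == "__main__":
    for wanted in (["read project 101"], ["read project 202"], ["write project 303"]):
        print(wanted, "->", audit(wanted, STORED))
```

Dropping a token here only removes it from the application's storage; the thread does not describe a way to invalidate or narrow a token that has already been issued.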