
How do I add a scope to a user?

scopes

#1

How would I assign a scope to a user? For example I have the following…

@GetMapping("/admin")
@PreAuthorize("hasAuthority('read:client_grants')")
public void getAdmin(){
	System.out.println("Free Bird!");
}

So how do I add the read:client_grants to a user?


#2

@jackiegleason this shouldn’t be done directly. For example, when Auth0 issues a token it issues scopes the resource owner is allowed to see. The resource owner in this case is the user. This user does not technically own that data, so Auth0 will not issue a token on behalf of a user to get at that data.

The user happens to be an admin, but this does not mean they are the owner of the resource. From an OAuth standpoint the client owns that data and is the resource owner. To allow an admin to see this data you must create your own confidential client (could be a regular web application or an API) that the admin can talk to. This API would then, via client credentials, request a token with read:client_grants.
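
The flow described in the reply above, sketched as an added example (it is not part of the thread and not Auth0's own code): a backend uses the client credentials grant to get its own token, then reads the client grants from the Management API. It assumes a machine-to-machine application that has been authorized for the tenant's Management API with `read:client_grants`; the class name and the three environment variable names are hypothetical.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.*;
import java.util.stream.Collectors;

public class ClientGrantsProxy {
    // Assumed env vars, read by the backend only; the secret never reaches a browser or a user token.
    private static final String DOMAIN = System.getenv("AUTH0_DOMAIN");
    private static final String CLIENT_ID = System.getenv("AUTH0_M2M_CLIENT_ID");
    private static final String CLIENT_SECRET = System.getenv("AUTH0_M2M_CLIENT_SECRET");
    private static final HttpClient HTTP = HttpClient.newHttpClient();

    /** Client credentials grant: the application itself is the principal, not the admin user. */
    static String fetchManagementToken() throws Exception {
        // The token's scopes come from what this client is authorized for on the Management API.
        String form = Map.of(
                "grant_type", "client_credentials",
                "client_id", CLIENT_ID,
                "client_secret", CLIENT_SECRET,
                "audience", "https://" + DOMAIN + "/api/v2/")
            .entrySet().stream()
            .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://" + DOMAIN + "/oauth/token"))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> res = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) throw new IllegalStateException("token request failed: " + res.statusCode());
        // Dependency-free extraction for the example; parse with a JSON library in real code.
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(res.body());
        if (!m.find()) throw new IllegalStateException("no access_token in response");
        return m.group(1);
    }

    /** Call only after your own API has authorized the signed-in user as an admin. */
    static String listClientGrants() throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://" + DOMAIN + "/api/v2/client-grants"))
            .header("Authorization", "Bearer " + fetchManagementToken()).GET().build();
        HttpResponse<String> res = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) throw new IllegalStateException("Management API returned " + res.statusCode());
        return res.body();
    }
    public static void main(String[] args) throws Exception {
        System.out.println(listClientGrants());
    }
}
```

The `@PreAuthorize` check on the `/admin` endpoint should then test a permission your own API defines for admins, with `listClientGrants()` called behind it. In a long-running service, cache the token until it expires instead of requesting one per call.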