Limit for number of scopes per API

Does anyone know the limit for number of scopes which can be defined to one API?

I want to define a scope per user group, and the number of user groups could reach a big number, and I'm wondering if there is any limit I should take into account.

Hey there @j.makishi!

Let me ask internally so I can provide you with accurate info!

In our doc on scopes there is no info about the limit:

Will followup as soon as I get something.

1 Like

Hi @j.makishi.

There’s no documented limit for the number of scopes that you can add to an API definition. If the scopes you are providing will be dynamically requested/added and you don’t need a consent for them, you can add a scope in a rule without it being previously defined for the API.

In terms of the number of scopes that can actually be included in a token, you might be bound by the size of the JWT token when used in the Authorization header (the HTTP protocol doesn’t define any limit either, but most web servers enforce 8-16 KB).

Are you planning to use the scope in the OAuth2 concept, where an application specifies the level of access it requires (e.g. “For this user, I want access to their resources in group A”), or as a means of conveying permissions information in the token (“this user belongs to group A, B and C”)?

If the latter, you might be better served by a different claim (e.g. https://yourcompany.com/claims/groups), as scopes should carry the level of access granted to the application in the token. See On The Nature of OAuth2’s Scopes for a great post on that.

Hope this helps.

1 Like

Hi @nicolas_sabena

Thank you very much for the kind answer.
I was looking for a definition limit (precisely, the limit on the number of scopes for /resource_servers), and didn’t know it can be dynamically added in a rule. Looks like it is a preferable option for us, I will try it out.

My use case is “For this user, I want access to their resources in group A”, and each JWT only has one scope, “group A”. I am thinking of splitting my API server into per-group serverless functions, and it would be simpler if each function only needs to verify a group in the scope.

Thanks!

1 Like