Does anyone know the limit for number of scopes which can be defined to one API?
I want to define a scope per user group, and the number of user groups could reach a big number, and I am wondering if there is any limit I should take into account.
Hey there @j.makishi!
Let me ask internally so I can provide you with accurate info!
In our doc on scopes there is no info about the limit:
Will followup as soon as I get something.
Hi @j.makishi.
There’s no documented limit for the number of scopes that you can add to an API definition. If the scopes you are providing will be dynamically requested/added and you don’t need consent for them, you can add a scope in a rule without it being previously defined for the API.
In terms of the number of scopes that can actually be included in a token, you might be bound by the size of the JWT token when used in the Authorization header (the HTTP protocol doesn’t define any limit either, but most web servers enforce 8-16 KB).
Are you planning to use the scope in the OAuth2 concept, where an application specifies the level of access it requires (e.g. “For this user, I want access to their resources in group A”), or as a means of conveying permissions information in the token (“this user belongs to group A, B and C”)?
If the latter, you might be better served by a different claim (e.g. https://yourcompany.com/claims/groups), as scopes should carry the level of access granted to the application in the token. See On The Nature of OAuth2’s Scopes for a great post on that.
Hope this helps.
Thank you very much for the kind answer.
I was looking for a definition limit (precisely, the limit on the number of scopes for /resource_servers), and didn’t know they can be dynamically added in a rule. Looks like it is a preferable option for us; I will try it out.
My use case is “For this user, I want access to their resources in group A”, and each JWT only has one scope, “group A”. I am thinking of splitting my API server into per-group serverless functions, and it would be simpler if each function only needs to verify a group in the scope.
Thanks!