Hello,
I need some clarifications about API authorization from an SPA. In the doc I noticed this paragraph about how to determine a user’s scope:
Determine a User’s Scopes
You can use scopes to make decisions about the behavior of your application’s interface.
You can specify which scopes you want to request at the beginning of the login process.
If a scope you requested is available to the user, their access token receives a scope claim in the payload. The value of this claim is a string with all the granted scopes, but your application must treat the access token as opaque and must not decode it. This means that you cannot read the access token to access the scopes.
To get the scopes, you can use the value of the scope parameter that comes back after authentication. This parameter is a string containing all the scopes granted to the user, separated by spaces. This parameter will be populated only if the scopes granted to the user are different than those you requested.
To see which scopes are granted to the user, check for the value of authResult.scope. If there is no value for authResult.scope, all the requested scopes were granted.
If I understand, during the login process I need to ask for the scopes the user needs to have to use the SPA. For example, my SPA needs read:article, publish:article and delete:article, and suppose that my user only has the read:article permission. So, a token will be forged with only the read:article scope.
What is not very clear to me is where my SPA can get this user’s scope in order to hide/display the “edit” and “delete” buttons.
These 2 sentences:
you cannot read the access token to access the scopes
and
To get the scopes, you can use the value of the scope parameter that comes back after authentication
need some clarification.
Thank you for your help
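The rule the quoted documentation describes, written out as an added example (not Auth0's code and not from the original post): the SPA keeps the list of scopes it asked for, and after login it either gets no `authResult.scope` (everything requested was granted) or a space-separated string of what was actually granted. The names `REQUESTED_SCOPES`, the constructed `authResult` objects, the button ids, and the mapping of the "edit" button to `publish:article` are all assumptions for illustration.

```javascript
// Added example, not Auth0's code. It relies only on the documented rule:
// authResult.scope is absent when all requested scopes were granted, and is
// otherwise a space-separated string of the scopes the user actually has.
// The access token itself is treated as opaque and never decoded.

// Scopes the SPA asks for at the start of login (assumed list).
const REQUESTED_SCOPES = "openid profile read:article publish:article delete:article";

// Returns a Set of the scopes the user was granted, following the documented rule.
function grantedScopes(requestedScopes, authResult) {
  const hasExplicitScope =
    authResult && typeof authResult.scope === "string" && authResult.scope.trim() !== "";
  const scopeString = hasExplicitScope ? authResult.scope : requestedScopes;
  return new Set(scopeString.split(/\s+/).filter(Boolean));
}

// Turns the granted Set into UI decisions. This is presentation logic only:
// the API must still check the scope claim on every request it serves.
// Mapping "edit" to publish:article is an assumption of this example.
function buttonVisibility(granted) {
  return {
    edit: granted.has("publish:article"),
    delete: granted.has("delete:article"),
  };
}

// Browser glue: show or hide elements with ids like "edit-button" (assumed ids).
function applyVisibility(doc, visibility) {
  for (const [name, visible] of Object.entries(visibility)) {
    const el = doc.getElementById(`${name}-button`);
    if (el) el.hidden = !visible;
  }
}

// Two constructed authResult objects standing in for what the login callback returns.
// Partial grant: the user only has read:article, so scope is populated.
const AUTH_RESULT_PARTIAL = {
  accessToken: "opaque-token-do-not-decode", // constructed placeholder, never parsed
  scope: "openid profile read:article",
};
// Full grant: no scope property at all, so every requested scope applies.
const AUTH_RESULT_FULL = {
  accessToken: "opaque-token-do-not-decode", // constructed placeholder, never parsed
};

// Only runs in a browser; Node has no `document`.
if (typeof document !== "undefined") {
  const granted = grantedScopes(REQUESTED_SCOPES, AUTH_RESULT_PARTIAL);
  applyVisibility(document, buttonVisibility(granted));
}
```

Hiding the buttons is a usability measure, not an authorization control: a user can still call the API directly with the token, so the API must reject a delete request whose token lacks `delete:article` regardless of what the SPA displayed.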