Scope "design" and API responsibility - confirming my understanding

My app consists of an Angular client and .NET Core Web API. I’m working on creating scopes, as explained in the docs (“Example: An API called by a first-party application”).

In my application, I have “widgets” that are owned and shared.

  • all users can create widgets
  • users can share widgets with other users
  • users can update/view/delete their own widgets
  • users can view widgets that are shared with them.

For the scopes, I’ve come up with:

create:widget
view-own:widget
view-shared:widget
delete-own:widget
update-own:widget

The applicable scopes will be sent to the API in a JWT.

The API will receive these scopes, and it’s the responsibility of the API to “convert” these scopes into actual permissions and actions. For example:

// Assumes the "scope" claim of the validated JWT has already been split into
// a set of strings, and the caller's user id has been taken from the token's
// subject ("sub") claim. The ownership check uses the widget as stored by the
// API, never a client-supplied owner field.
void DeleteWidget(Widget widget, string userId, ISet<string> scopes)
{
    if (scopes.Contains("delete-own:widget") && widget.OwnerId == userId)
    {
        // delete the widget
    }
}

Am I on the right track here regarding the scope definitions and responsibility of the API?

Thanks!
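The scope-to-permission mapping the question describes, worked through for all five scopes as an added example (this is not code from the original post or from Auth0). It is a self-contained .NET console program; the names Widget, WidgetAction, WidgetAuthorizer and the sample users are assumptions for illustration, and it assumes .NET 6 or later. In a real Web API the ClaimsPrincipal would come from HttpContext.User after the JWT bearer middleware has validated the token's signature, issuer and audience; here one is constructed by hand so the program runs offline.

```csharp
// Added example, not part of the original post. Names below (Widget,
// WidgetAction, WidgetAuthorizer, the sample user ids) are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public enum WidgetAction { Create, View, Update, Delete }

public sealed class Widget
{
    public string Id { get; init; } = "";
    public string OwnerId { get; init; } = "";
    // Users the owner has shared this widget with (assumed to be stored server-side).
    public HashSet<string> SharedWith { get; } = new();
}

public static class WidgetAuthorizer
{
    // Auth0, like most issuers, sends the granted scopes as one space-separated "scope" claim.
    public static ISet<string> ScopesOf(ClaimsPrincipal user) =>
        (user.FindFirst("scope")?.Value ?? "")
            .Split(' ', StringSplitOptions.RemoveEmptyEntries)
            .ToHashSet(StringComparer.Ordinal);

    // The decision combines two things the token alone cannot settle:
    // the scope granted to the client, and the widget's ownership/sharing
    // state as recorded by the API. Both must hold.
    public static bool IsAllowed(ClaimsPrincipal user, WidgetAction action, Widget? widget)
    {
        var scopes = ScopesOf(user);
        // The JWT middleware maps "sub" to NameIdentifier by default; accept either.
        var userId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value
                     ?? user.FindFirst("sub")?.Value;
        if (userId is null) return false;

        if (action == WidgetAction.Create)
            return scopes.Contains("create:widget");

        if (widget is null) return false;
        bool isOwner = widget.OwnerId == userId;
        bool isSharedWithUser = widget.SharedWith.Contains(userId);

        return action switch
        {
            WidgetAction.View when isOwner          => scopes.Contains("view-own:widget"),
            WidgetAction.View when isSharedWithUser => scopes.Contains("view-shared:widget"),
            // Only the owner may change or remove a widget; being shared on is never enough,
            // no matter which scopes the token carries.
            WidgetAction.Update when isOwner        => scopes.Contains("update-own:widget"),
            WidgetAction.Delete when isOwner        => scopes.Contains("delete-own:widget"),
            _ => false,
        };
    }
}

public static class Program
{
    // Stand-in for the principal the JWT bearer middleware would build from a validated token.
    static ClaimsPrincipal Principal(string sub, string scope) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("sub", sub), new Claim("scope", scope) }, "Bearer"));

    public static void Main()
    {
        // Constructed sample data: alice owns w1 and has shared it with bob.
        var w1 = new Widget { Id = "w1", OwnerId = "auth0|alice" };
        w1.SharedWith.Add("auth0|bob");

        // Constructed tokens: both users hold the full scope set a first-party client is issued.
        const string allScopes =
            "create:widget view-own:widget view-shared:widget update-own:widget delete-own:widget";
        var alice = Principal("auth0|alice", allScopes);
        var bob = Principal("auth0|bob", allScopes);

        Console.WriteLine($"alice deletes w1: {WidgetAuthorizer.IsAllowed(alice, WidgetAction.Delete, w1)}");
        Console.WriteLine($"bob views w1:     {WidgetAuthorizer.IsAllowed(bob, WidgetAction.View, w1)}");
        // bob holds delete-own:widget but is not the owner, so the scope alone does not grant the delete.
        Console.WriteLine($"bob deletes w1:   {WidgetAuthorizer.IsAllowed(bob, WidgetAction.Delete, w1)}");
        // A token without view-shared:widget cannot read a widget shared with it, even as a valid user.
        var carol = Principal("auth0|carol", "create:widget view-own:widget");
        w1.SharedWith.Add("auth0|carol");
        Console.WriteLine($"carol views w1:   {WidgetAuthorizer.IsAllowed(carol, WidgetAction.View, w1)}");
    }
}
```

The point the example makes is the division of labour: the scope in the token records what the client application was authorized to do on the user's behalf, while the owner and shared-with relationships live only in the API's own storage. Checking either one without the other is insufficient, and the ownership lookup must always read the widget as stored by the API rather than trusting any owner value sent by the client. In ASP.NET Core the same decision can be packaged as an IAuthorizationRequirement with an AuthorizationHandler so controllers call it uniformly; it is kept as a plain function here to keep the program runnable without the web host.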

Hi @mplgn

Welcome to the Auth0 community!

As far as I can see in the snippets you have posted regarding the matter, it appears that the scopes you have defined seem to be pretty clear, specifying if they are allowed to manage a widget they own or a shared one. Also, you seem to be checking the scopes of the user and what kind of widget they are trying to manage (their own or others'). If the widget owner and scopes are assigned correctly, then it appears that everything seems to be set up correctly as far as it goes.

If you have any other questions, feel free to leave a reply!

Kind Regards,
Nik
