Scopes vs API permissions

jflebeau · April 1, 2023, 2:10pm

Hi, with those settings enabled for an API:

In the backend, I get all the user’s permissions in the access token (permissions claim), is there any security issues with this approach? I understand that with he recommended way, i.e. adding the scopes on the client side so that you get intersection of the client-side scopes and API permissions in the scope claim of the access token, you don’t give permissions that are not requested, but I don’t see anything critical about it, I am missing something?

ty.frith · April 6, 2023, 11:37pm

Hi there @jflebeau!

Put simply, permissions (privileges when assigned to a user) relate to the actions a user can take for a given resource whereas scopes, generally speaking, are requested by the client (app) to act on behalf of the user. Adding permissions to the access token via RBAC is an acceptable approach that doesn’t introduce any security issue. The following blog post and accompanying video is very helpful in outlining the differences:

Hope this helps to clarify!

Topic		Replies	Views
Scopes vs Permissions confusion Get Help	10	16738	December 8, 2020
Scopes VS RBAC with respect to Access Control Get Help consent , application	4	1541	October 18, 2024
Difference between scopes and permissions in access token Get Help scopes , permissions	5	10768	August 31, 2019
Permissions: claim or scopes Get Help scopes , claims , permissions	11	18621	December 8, 2020
Scopes and permissions with RBAC for Machine-to-machine authentication Get Help auth0 , api , scopes , client-credentials-g	2	7490	June 11, 2020

Scopes vs API permissions

Related topics