OAuth Scopes
Toi
05/18/2023, 12:21 PM
Hello guys, another question 😅 Does it make sense to model OAuth scopes into my schema? So instead of asking if a user has access to a resource, I would ask if a token has access to it. The token would inherit all the user permissions, but it would also have a set of scopes that grants only a subset of the user permissions. Does this make sense? If so, how could I model that?
Or is it better to put the scopes inside the JWT and use caveats instead?
Jake
05/18/2023, 12:45 PM
I haven't personally modeled this out, but I'm curious to see what you come up with!
Both approaches seem reasonable
Toi
05/18/2023, 12:51 PM
Yeah, I'm trying to figure out a model still. But most importantly, I'm trying to see if it makes sense. I guess it does
Jake
05/18/2023, 12:56 PM
it will be the most performant solution too since it's all unions with no caveats
Toi
05/18/2023, 1:37 PM
Awesome, thanks! We are also now considering doing this coarser authorization via service mesh, with Istio. So we would have 2 layers of authorization, one with claims with Istio, and a granular one with SpiceDB
vroldanbet
05/18/2023, 6:42 PM
out of curiosity, what would y'all be doing at the Istio level, service-to-service authorization (e.g. this service can talk to this service)? and then the granular one would be more of a check at the business domain?
Toi
05/19/2023, 5:20 PM
Kinda. The Istio level would be to authorize based on access token scopes. So, even though the user has a lot of permissions, we might want to emit tokens with only a subset of those permissions
Istio would check if the token in the request is allowed to reach the /documents API. The application would then check if the user can read document:X
So if I want to emit a token without the read document scope, I don't need to remove the user permission. I just need to limit what that token can do
vroldanbet
05/19/2023, 5:41 PM
That makes sense, delegated (and attenuated) access via OAuth tokens - even though the user may still have access 👍🏻 I suspect you could find ways to implement the attenuation in SpiceDB, but the nice thing is with the JWT you shed load from the application service. I still wonder if I'm overlooking the potential of the New Enemy problem lurking somewhere in this mix.