Am I able to use Scopes this way

I’m trying to use scopes for an application I’m working on. I’d like to use them to give granular access to our users. I want to be able to get all the scopes the user has related to our application. To give context on the application I work on, we use Okta for authentication and authorization. Users are required to log in to use anything on the application, and our APIs verify the Okta JWT on every request. Currently, we check users’ groups to give access to features of the frontend and API, but we’d like to use scopes for more granular access. We use @okta/okta-auth-js on our frontend and @okta/jwt-verifier in our API.

For example, I’ve created an Authorization Server with Scopes, and Policies; Scope A is assigned to Policy A, Scope B is assigned to Policy B and Scope C is assigned to Policy C. A user is assigned to Policy A and C; when they log in I want to know they have Scopes A and C.

When I set up the example above, I use the Token Preview feature to see what I would get if I requested Scope A and C for the user, and the result is the error “Policy evaluation failed for this request, please check the policy configurations.” However, when I request only Scope A, it’ll be successful, and it’ll also succeed when I request only Scope C. I expected that when I requested Scope A and C for the user it would be successful. Ideally, I’d like to request all the scopes and only be given a JWT with the scopes the user has access to.

Am I trying to use scopes incorrectly? What’s the best way to do what I’m trying to accomplish?

@fmanansala :waving_hand: It seems as though the policy is strictly all or nothing. How many scopes do you intend to have? If only three, can you try listing all the possible variations? Otherwise, maybe create a custom claim that you can link to a scope and get your required info for access there: https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/main/. For example, customScope with claims [a, b, c]. Here is an example for a string, but you can also do this with an array – Okta Help Center (Lightning).

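The reply above suggests carrying feature access in a custom claim next to the `scp` scopes, and the original post says the API already verifies the Okta JWT on every request with @okta/jwt-verifier. As an added example (not code from the thread or from Okta), this is an API-side enforcement step that runs after that verification: it reads the verified `claims` object (assumed to be attached to `req.jwt` by the caller), treats Okta's `scp` array and a custom claim assumed to be named `features` as the granted feature set, and refuses requests whose token lacks a required feature. The custom claim may be an array or a space/comma-separated string, since the reply mentions both shapes.

```javascript
// Added example, not from the thread: enforce feature scopes in the API on an
// access token that @okta/jwt-verifier has ALREADY verified upstream. Only the
// verified `claims` object is consumed here; nothing is decoded from raw JWTs.
// Claim names: `scp` is Okta's standard scope claim; `features` is an assumed
// name for the custom claim the reply suggests.

// Normalise a claim value to a Set of strings. Okta emits `scp` as an array;
// a custom claim may be an array or a single string (split on spaces/commas,
// an assumption matching OAuth's space-separated scope convention).
function claimToSet(value) {
  if (Array.isArray(value)) return new Set(value.map(String));
  if (typeof value === 'string') return new Set(value.split(/[\s,]+/).filter(Boolean));
  return new Set(); // missing or unexpected type grants nothing
}

// Union of granted scopes and custom feature claim.
function grantedFeatures(claims, featureClaim = 'features') {
  const granted = claimToSet(claims.scp);
  for (const f of claimToSet(claims[featureClaim])) granted.add(f);
  return granted;
}

// Decide whether the token authorises every required feature; report the
// missing ones so the 403 can be logged with a reason.
function authorize(claims, required) {
  const granted = grantedFeatures(claims);
  const missing = required.filter((r) => !granted.has(r));
  return { allowed: missing.length === 0, missing };
}

// Express-style middleware factory: 401 with no verified token, 403 on any
// missing feature, otherwise continue to the route handler.
function requireFeatures(...required) {
  return (req, res, next) => {
    const claims = req.jwt && req.jwt.claims;
    if (!claims) return res.status(401).json({ error: 'missing verified token' });
    const { allowed, missing } = authorize(claims, required);
    if (!allowed) return res.status(403).json({ error: 'insufficient scope', missing });
    return next();
  };
}

// Constructed sample claims mirroring the thread's "User A" (policies A, B, E,
// J, K, L, M): some features arrive as scopes, the rest in the custom claim.
const sampleClaims = { sub: 'user-a@example.invalid', scp: ['openid', 'A', 'B'], features: 'E J K L M' };
```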

Thanks for responding :slight_smile: I’m interested in using scopes to break down features within our application so that we can give access granularly to users. So I’d like to have more than 10 scopes. The example I gave is a small example. The number of scopes and variations will grow over time.

It’s good to know that I can’t request an array of scopes that require multiple policies. I looked into claims, but I’m not seeing how they’ll do what I want.

To give a more realistic example, closer to what I wanted to achieve: Scopes A, B, C, D, E, F, G, H, I, J, K, L, and M are assigned to Policies A, B, C, D, E, F, G, H, I, J, K, L, and M respectively. I’d like User A to be given Policies A, B, E, J, K, L, and M and then be able to request an access token with the scopes A, B, E, J, K, L, and M for User A. At the same time, I’d like User B to be given Policies A, B, C, D, F, G, H, I, and L and then be able to request an access token with the scopes A, B, C, D, F, G, H, I, and L for User B. I’d like to do this with any variants for our users. We’ll leverage Okta Groups for the generic variants, but would like to satisfy the one-off cases where one user needs slightly more access than the generic Okta Groups.

From my understanding so far, for the one-off cases I think I’ll need to create an Access Policy with the exact scopes and assign that Access Policy to the user. Is this my best option to achieve what I want? Is this how scopes were intended to be used?
