Is it possible to create wildcard scopes on an okta authorization server? For example, I want to create a wildcard scope such as service_name/*, and a client should be able to request for a scope such as service_name/resource.read and be granted that because it matches the format of the wildcard scope. I tried doing this on the dashboard but requesting for the full scope results in an invalid scope error.
This breaks away from the oauth specs since the requested scope MUST NOT include any scope not originally granted by the resource owner. Good to add it here Okta ideas
@krishna I disagree with you there. You are reading the spec about refreshing a token. It’s sensitive that when refreshing, you cannot expand your permissions. But the spec is much more permissive about granting scopes in the first place (page 23): “The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner’s instructions”. Which is very open-minded there. The partially is interesting. You could say, this user has right for the scope “something.*” and you would validate that the user as the right to something but ignore what follows and grant that way. You could make a subsequent API call on the app before granting this scope. But it totally make sense and we’d like this too.
@FraiseVache Thank you for the clarification Yep, I have been looking at the wrong aspect, I appreciate it.
To clarify, Okta currently doesn’t support wildcards in Scopes maybe due to choice of keeping permissions tight. Nevertheless, it effectively aligns with specifications where feasible.