Verifying scopes on the resource server or API proxy?

Hi there,

When using the access_token to make authenticated requests to an OAuth2 protected API:

  • How does the resource server typically validate that the requests have the appropriate scopes?
  • How are scopes typically associated with API endpoints / any documentation on best practices around this?

Based on docs I’ve read so far, I see that Okta suggests libraries to validate the tokens locally (or remotely via /v1/introspect), but that only checks the validity of the token, not the permissions.

Thank you in advance!
Ian

For context, I’m trying to secure an API key/pair protected API with OAuth2, and am trying to keep the security checks as decoupled as I can because I don’t have access to the target server codebase. Would love to hear if this is a common or known use case!

Anyway, what I ended up doing for now for my proof-of-concept was implementing two Python decorators: one for local token validation and one for scope checks. I used the python-jose (jwt) library.
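
Added example, not part of the original post: one way a proxy in front of the API can map routes to required scopes and enforce them once the token itself has passed validation. The route table, scope names and sample claims are constructed for illustration; the `scp` array is how Okta access tokens list scopes, and the space-delimited `scope` string is the RFC 9068 form.

```python
import re

# Hypothetical route table for the proxy: (method, path pattern, scopes all required).
# Routes and scope names are constructed for this example.
ROUTE_SCOPES = [
    ("GET", re.compile(r"/orders(/\d+)?"), {"orders:read"}),
    ("POST", re.compile(r"/orders"), {"orders:write"}),
    ("DELETE", re.compile(r"/orders/\d+"), {"orders:write", "orders:admin"}),
]


def granted_scopes(claims):
    """Scopes from validated claims: Okta uses an "scp" array, RFC 9068 a "scope" string."""
    raw = claims.get("scp", claims.get("scope", []))
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw) if isinstance(raw, (list, tuple)) else set()


def authorize(method, path, claims):
    """Return (status, headers) for a request whose token already passed validation."""
    for route_method, pattern, needed in ROUTE_SCOPES:
        if route_method == method.upper() and pattern.fullmatch(path):
            missing = needed - granted_scopes(claims)
            if not missing:
                return 200, {}  # forward to the upstream API
            # RFC 6750 section 3.1: 403 with error="insufficient_scope"
            challenge = 'Bearer error="insufficient_scope", scope="%s"' % " ".join(sorted(needed))
            return 403, {"WWW-Authenticate": challenge}
    # Default deny: a route with no scope mapping is never forwarded.
    return 403, {}


# Constructed claims, as a JWT library would return them after validation.
OKTA_STYLE = {"sub": "ian@example.com", "scp": ["orders:read"]}
RFC9068_STYLE = {"sub": "svc-batch", "scope": "orders:read orders:write"}

if __name__ == "__main__":
    for claims in (OKTA_STYLE, RFC9068_STYLE):
        for method, path in (("GET", "/orders/42"), ("POST", "/orders"),
                             ("DELETE", "/orders/42"), ("GET", "/admin")):
            print(claims["sub"], method, path, authorize(method, path, claims))
```

Match against the same normalized path (query string stripped) that the proxy forwards upstream, so the route checked and the route served cannot differ.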