
OAuth Scoped permissions

08-09-2023 02:31 PM
Status: Open
RuslanRydvanskiy
Emerging Contributor

When a developer builds a server-side application and uses ArcGIS Identity/OAuth 2.0 authentication (https://developers.arcgis.com/documentation/mapping-apis-and-services/security/arcgis-identity/serve...), the authentication code inherits all the privileges available to the user. In other words, every action that can be performed by the user in the UI can be performed using the token.

This creates unnecessary security risks for the applications, where privileges are more extensive than they need to be for the purposes of the app, and breaks the principle of least privilege, which is considered a best practice for OAuth 2.0 implementation.

All these privileges are already available when a new custom user role is defined or when using the https://[root]/portals/[portalID]/roles/[roleID]/privileges endpoint. Can these be available to be defined on a per-app basis when a new application is created? Or can these be specified in the parameters of the API request to the OAuth endpoint during the authentication process?

 
