I’m currently building an API that uses Hydra for the OAuth2 mechanism and Oathkeeper for introspection and reverse proxying.
Our API scopes are inspired by the Google API scopes:
Some examples for our datamodel API:
They are hierarchical, which means that if you grant the scope
org.example.api:datamodel.models you will have access to
org.example.api:datamodel.models.readonly but no
The way I handle that at the moment is by configuring Hydra and Oathkeeper with the hierarchical scope strategy. The problem is that it has been deprecated (I guess it’s because it’s too permissive).
Also, the second problem is that I can’t control which scopes the users request when calling the authorization endpoint (they could ask for
Another way I could handle my scopes would be to configure Hydra and Oathkeeper with the exact scope strategy and to set, in the
required_scope field of the rules, a list of scopes of which the user should possess at least one.
Example with a models read-only endpoint (the user should have at least one of these scopes to be able to call this endpoint):
The problem with this method is that the
required_scope field in the Oathkeeper rule works with AND logic, whereas this method requires OR logic.
Do you have any thoughts on how I could handle my scopes, or on how to make Oathkeeper work with OR logic?
Thanks in advance for any help
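As an added example that is not part of the original post and not Oathkeeper's or Hydra's own code, the Go program below models the two scope strategies as the post describes them (exact, and hierarchical where a granted scope implies every dotted descendant), the AND combination the post attributes to required_scope, and the OR combination it asks for. The scope names follow the org.example.api:datamodel.* naming above; the scope catalogue and the ExpandScopes workaround are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ScopeStrategy reports whether the granted scopes satisfy one required scope.
type ScopeStrategy func(granted []string, required string) bool

// ExactScopeStrategy: only an identical granted scope satisfies the requirement.
func ExactScopeStrategy(granted []string, required string) bool {
	for _, g := range granted {
		if g == required {
			return true
		}
	}
	return false
}

// HierarchicScopeStrategy: an identical scope, or a granted scope that is a
// dotted ancestor of the requirement, satisfies it. The "." boundary matters:
// "...datamodel.models" must not satisfy "...datamodel.modelsX", and a child
// scope never implies its parent.
func HierarchicScopeStrategy(granted []string, required string) bool {
	for _, g := range granted {
		if g == required || strings.HasPrefix(required, g+".") {
			return true
		}
	}
	return false
}

// HasAllScopes is the AND semantics the post describes for required_scope:
// every listed scope must be satisfied. An empty list is trivially satisfied.
func HasAllScopes(strategy ScopeStrategy, granted, required []string) bool {
	for _, r := range required {
		if !strategy(granted, r) {
			return false
		}
	}
	return true
}

// HasAnyScope is the OR semantics the post asks for: at least one listed
// scope must be satisfied. An empty list is never satisfied (fail closed).
func HasAnyScope(strategy ScopeStrategy, granted, required []string) bool {
	for _, r := range required {
		if strategy(granted, r) {
			return true
		}
	}
	return false
}

// ExpandScopes is a hypothetical workaround (an assumption, not a Hydra or
// Oathkeeper feature): given the catalogue of scopes the API defines, return
// every catalogued scope the granted set implies under the hierarchical rule.
// Writing this expanded set into the token at consent time would let the proxy
// use the exact strategy with a single required_scope entry per endpoint.
func ExpandScopes(granted, catalogue []string) []string {
	var out []string
	for _, c := range catalogue {
		if HierarchicScopeStrategy(granted, c) {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample scopes following the naming in the post.
	catalogue := []string{
		"org.example.api:datamodel.models",
		"org.example.api:datamodel.models.readonly",
		"org.example.api:datamodel.schemas",
	}
	granted := []string{"org.example.api:datamodel.models"}
	readonlyEndpoint := []string{
		"org.example.api:datamodel.models",
		"org.example.api:datamodel.models.readonly",
	}
	fmt.Println("hierarchic, AND:", HasAllScopes(HierarchicScopeStrategy, granted, readonlyEndpoint))
	fmt.Println("exact, AND:     ", HasAllScopes(ExactScopeStrategy, granted, readonlyEndpoint))
	fmt.Println("exact, OR:      ", HasAnyScope(ExactScopeStrategy, granted, readonlyEndpoint))
	fmt.Println("expanded:       ", ExpandScopes(granted, catalogue))
}
```

With the exact strategy, a token carrying only org.example.api:datamodel.models fails the two-entry rule under AND and passes it under OR, which is exactly the gap the post describes; the expansion step shows one way to keep AND semantics by moving the hierarchy into the token instead of into the rule.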