Regarding the Access Token != Permission statement

Hi All,

I’m reading the doc and saw this:

In an extreme case, the user could lie and grant an external application OAuth scopes that he himself doesn’t have permission to (“read all classified documents”). The OAuth Access Token with those scopes wouldn’t help the external application read those documents because it can only act in the name of the user, and that user doesn’t have these access privileges.

I am a bit confused. As far as my experience goes, an Access Token has always been considered a symbol of permission. I don’t understand how a user could lie and be granted a valid Access Token? Shouldn’t the Consent Provider verify the user’s permission prior to replying to the Authorization Server?

I could be wrong though. Any info will be appreciated. Thanks in advance :grinning: :pray:

Yes, as a “symbol” (certificate) of permission between the user and the OAuth2 app, not between the OAuth2 app and the actual API (“Resource Server”).

No, a token scope cannot be changed without revoking the token. If you have an admin, and remove a user’s admin privileges, the access/refresh token still has the admin scope.

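As an added illustration of the point made above (example code, not part of this thread and not Ory Hydra's own code): a resource server that treats the token's scope as the user's consent to the app, and checks the user's real privileges separately. The user names, the permission store, `IntrospectedToken`, `authorize` and `revoke_permission` are all constructed for this example.

```python
# Added example (not Ory Hydra code): the access token proves what the user
# consented to let the app do; whether the user may actually do it is a
# separate question the Resource Server must answer itself.
from dataclasses import dataclass
from typing import Tuple

# Constructed permission store: what each user is really allowed to do.
USER_PERMISSIONS = {
    "alice": {"read:public"},
    "bob": {"read:public", "read:classified"},
}


@dataclass
class IntrospectedToken:
    """Constructed stand-in for a token introspection result."""
    active: bool
    sub: str    # the user the app acts on behalf of
    scope: str  # space-separated scopes the user granted to the app


def authorize(token: IntrospectedToken, required_scope: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Both checks must pass independently:
    1. the user consented to the app acting with `required_scope` (token scope);
    2. the user actually holds that privilege (permission store, checked live)."""
    if not token.active:
        return False, "token inactive"
    if required_scope not in token.scope.split():
        return False, "app was not granted this scope by the user"
    if required_scope not in USER_PERMISSIONS.get(token.sub, set()):
        return False, f"user {token.sub} does not hold {required_scope}"
    return True, "ok"


def revoke_permission(user: str, permission: str) -> None:
    """Simulate an admin removing a privilege; issued tokens are untouched,
    so only the live permission check can catch the change."""
    USER_PERMISSIONS.get(user, set()).discard(permission)


if __name__ == "__main__":
    # alice "lied" and granted the app read:classified, which she lacks herself
    lie = IntrospectedToken(True, "alice", "read:public read:classified")
    print(authorize(lie, "read:classified"))   # denied by permission check
    ok = IntrospectedToken(True, "bob", "read:public read:classified")
    print(authorize(ok, "read:classified"))    # allowed
    revoke_permission("bob", "read:classified")
    print(authorize(ok, "read:classified"))    # same token, now denied
```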

Thanks @hackerman. That clears my confusion :+1:


No problem :slight_smile: