Looking at RFC 6749 (https://tools.ietf.org/html/rfc6749#section-3.3) re: OAuth, I found the requirements to be fairly loose. I needed something more ordered, and ... well, structured.
Hence, I introduce Structured Scopes, a specification on how scopes can be defined and accepted regardless of the platform or implementation. The specification is on GitHub (https://github.com/ahopkins/structured-scopes).
I have been working on this for quite a while now, and its earliest implementation was inside one of my Python open-source projects, Sanic JWT (https://github.com/ahopkins/sanic-jwt/blob/dev/sanic_jwt/validators.py). However, the idea is broad enough to be implemented in any language. And in fact, I do not believe that its usage is limited to web development alone, although that is its intended target.
A really short overview is that a scope is made up of 2 parts: a namespace and action(s).
A base scope is matched by any inbound scope bearing the same namespace, and (if defined) the same actions.
Perhaps a few examples will illustrate the idea:
| Base scope | Inbound scope | Expected outcome |
|------------|---------------|------------------|
| user       | something     | fail             |
| user       | user          | pass             |
| user       | user:read     | fail             |
| user:read  | user          | pass             |
The specification has a lot more examples, or you can see the tests on my Python repo (https://github.com/ahopkins/sscopes-python/tree/master/tests).
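To make the table concrete, here is an added example (my own code, not the sscopes-python implementation) that encodes the matching rule the four rows imply; it assumes `:` separates the namespace from its actions, as in the inbound scope `user:read`, and that a scope with no actions means "unrestricted" on that namespace.

```python
"""Structured scope matching, reconstructed from the four table rows above.
This is an added example, not the author's sscopes-python code. Assumed
format: "namespace:action[:action...]" with ':' as the separator."""
from dataclasses import dataclass

SEPARATOR = ":"  # assumption taken from the "user:read" example


@dataclass(frozen=True)
class Scope:
    namespace: str
    actions: frozenset  # empty means "unrestricted" within the namespace

    @classmethod
    def parse(cls, raw: str) -> "Scope":
        namespace, *actions = raw.strip().split(SEPARATOR)
        if not namespace:
            raise ValueError(f"scope has no namespace: {raw!r}")
        return cls(namespace, frozenset(a for a in actions if a))


def scope_matches(base: str, inbound: str) -> bool:
    """Return True when the inbound scope satisfies the base (required) scope.

    Rules as read off the table (an interpretation, not the spec text):
      - namespaces must be identical, otherwise fail;
      - an inbound with no actions is unrestricted and passes any base in
        that namespace (user:read vs user passes);
      - a base with no actions requires the whole namespace, so a limited
        inbound fails (user vs user:read fails);
      - otherwise every base action must appear among the inbound actions.
    """
    required = Scope.parse(base)
    granted = Scope.parse(inbound)
    if required.namespace != granted.namespace:
        return False
    if not granted.actions:   # inbound grants everything in the namespace
        return True
    if not required.actions:  # base wants everything, inbound is limited
        return False
    return required.actions <= granted.actions


if __name__ == "__main__":
    rows = [("user", "something"), ("user", "user"),
            ("user", "user:read"), ("user:read", "user")]
    for base, inbound in rows:
        verdict = "pass" if scope_matches(base, inbound) else "fail"
        print(f"{base:<10} {inbound:<10} {verdict}")
```

The last rule also generalises the table to multi-action scopes: `user:read` is satisfied by `user:read:write`, but `user:read:write` is not satisfied by `user:read`.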
Please let me know your thoughts. I will be releasing a Python implementation (https://github.com/ahopkins/sscopes-python) to PyPI in the coming days, and will begin working on some in other languages as well.