Tags: database, api, authorization, oauth-2.0, scopes

What are scope values for an OAuth2 server?


I'm having difficulty understanding how scopes work.

I found here a small text that describes the scopes of the Stack Exchange API, but I need more information on how they work (not specifically this one...). Can someone provide me a concept?

Thanks in advance


Solution

  • To authorize an app you need to call a URL for the OAuth2 authorization process. This URL is "living" in the API provider's documentation. For example, Google has this URL:

    https://accounts.google.com/o/oauth2/auth

    Also you will need to specify a few query parameters with this link:

    • client_id
    • redirect_uri
    • scope: The data your application is requesting access to. This is typically specified as a list of space-delimited strings, though Facebook uses comma-delimited strings. Valid values for the scope should be included in the API provider's documentation. For Google Tasks, the scope is https://www.googleapis.com/auth/tasks. If an application also needed access to Google Docs, it would specify a scope value of https://www.googleapis.com/auth/tasks https://docs.google.com/feeds
    • response_type: code for the server-side web application flow, indicating that an authorization code will be returned to the application after the user approves the authorization request.
    • state: A unique value used by your application in order to prevent cross-site request forgery (CSRF) attacks on your implementation. The value should be a random unique string for this particular request, unguessable and kept secret in the client (perhaps in a server-side session).

    <?php
    // The state value is stored in the server-side session, so the
    // session must be started before it is written.
    session_start();

    // Generate random value for use as the 'state'.  Mitigates
    // risk of CSRF attacks when this value is verified against the
    // value returned from the OAuth provider with the authorization
    // code.  Use a CSPRNG (random_bytes) so the value is actually
    // unguessable; rand() is not suitable for security tokens.
    $_SESSION['state'] = bin2hex(random_bytes(16));

    $authorizationUrlBase = 'https://accounts.google.com/o/oauth2/auth';
    $redirectUriPath = '/oauth2callback.php';

    // For example only.  A valid value for client_id needs to be obtained
    // for your environment from the Google APIs Console at
    // http://code.google.com/apis/console.
    // Some servers set HTTPS to 'off' rather than leaving it unset, so
    // check the value, not just whether the key exists.
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $queryParams = array(
      'client_id' => '240195362.apps.googleusercontent.com',
      'redirect_uri' => ($isHttps ? 'https://' : 'http://') .
                       $_SERVER['HTTP_HOST'] . $redirectUriPath,
      'scope' => 'https://www.googleapis.com/auth/tasks',
      'response_type' => 'code',
      'state' => $_SESSION['state'],
      'approval_prompt' => 'force', // always request user consent
      'access_type' => 'offline' // obtain a refresh token
    );

    // http_build_query percent-encodes each value, including the
    // space-delimited scope list.
    $goToUrl = $authorizationUrlBase . '?' . http_build_query($queryParams);

    // Output a webpage directing users to the $goToUrl after
    // they click a "Let's Go" button
    include 'access_request_template.php';


    The set of query string parameters supported by the Google Authorization Server for web server applications is listed here:

    https://developers.google.com/accounts/docs/OAuth2WebServer?hl=el#formingtheurl
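
The answer shows the request side only. As an added example (not part of the original answer, and not Google's or any library's code), the following Python builds the same kind of authorization URL with a space-delimited scope list and a CSPRNG-generated state, and then validates the redirect back from the provider: the returned state is compared in constant time against the value saved for this session, and the granted scope set is compared against what was requested, since a user (or provider) may grant fewer scopes than asked for. The client id, redirect URI and callback URL are constructed placeholders; the `delimiter` parameter is an assumption that lets the same builder serve comma-delimited providers such as the Facebook case the answer mentions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: replace with values from the provider's console.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
REDIRECT_URI = "https://app.example.com/oauth2callback"


def new_state() -> str:
    """Per-request state: 128 bits from a CSPRNG, URL-safe, unguessable."""
    return secrets.token_urlsafe(16)


def build_authorization_url(scopes, state, delimiter=" "):
    """Build the authorization request URL.

    Most providers expect space-delimited scopes; pass delimiter=","
    for providers that use commas. urlencode percent-encodes the joined
    scope string, so the delimiter survives the round trip.
    """
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": delimiter.join(scopes),
        "response_type": "code",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def validate_callback(callback_url, expected_state, requested_scopes, delimiter=" "):
    """Check the redirect from the provider before exchanging the code.

    Returns a dict with ok=True, the code, the granted scope set and any
    scopes that were requested but not granted; or ok=False with a reason.
    """
    query = parse_qs(urlparse(callback_url).query)

    # The provider may report an error (e.g. the user declined) instead of a code.
    if "error" in query:
        return {"ok": False, "reason": "provider error: " + query["error"][0]}

    # A missing or mismatched state means this callback was not started by
    # this session: treat it as a CSRF attempt and stop. Compare in constant
    # time on bytes (compare_digest on str requires ASCII input).
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        return {"ok": False, "reason": "state mismatch"}

    code = query.get("code", [""])[0]
    if not code:
        return {"ok": False, "reason": "missing authorization code"}

    # Some providers echo the granted scopes on the callback (Google does;
    # RFC 6749 only requires it in the token response when it differs).
    # Never assume every requested scope was granted.
    requested = set(requested_scopes)
    if "scope" in query:
        granted = set(s for s in query["scope"][0].split(delimiter) if s)
    else:
        granted = requested
    return {
        "ok": True,
        "code": code,
        "granted": granted,
        "missing": requested - granted,
    }


if __name__ == "__main__":
    scopes = ["https://www.googleapis.com/auth/tasks", "https://docs.google.com/feeds"]
    state = new_state()
    print(build_authorization_url(scopes, state))
    # Constructed callback: the user granted only the Tasks scope.
    cb = (REDIRECT_URI + "?state=" + state + "&code=4/EXAMPLE-CODE"
          "&scope=https://www.googleapis.com/auth/tasks")
    print(validate_callback(cb, state, scopes))
```

In a real handler the `missing` set decides whether the app can proceed with reduced functionality or must ask again, and the saved state is deleted from the session as soon as it has been checked so it cannot be replayed.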