I'm currently learning about Spring Boot's OAuth 2.0 implementation and I came across the following tutorial: http://www.tinmegali.com/en/2017/06/25/oauth2-using-spring/.

It contains this piece of code:
```java
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
        .withClient("trusted-app")
        .authorizedGrantTypes("client_credentials", "password", "refresh_token")
        .authorities("ROLE_TRUSTED_CLIENT")
        .scopes("read", "write")
        .resourceIds(resourceId)
        .accessTokenValiditySeconds(accessTokenValiditySeconds)
        .refreshTokenValiditySeconds(refreshTokenValiditySeconds)
        .secret("secret");
}
```
I have looked all over the internet for documentation on the `scopes` function, but I simply cannot find what it does, including in the official Spring Boot API reference. All I can say for certain is that it takes multiple string parameters.

What exactly does the `scopes()` function do in the snippet above? What is the practical difference between passing in `("read", "write")` vs passing in `"all"` or something totally arbitrary like `"donkey"`?
As per my understanding it is the scope of your client. While creating an instance of `BaseClientDetails.java` you can set any scope for your client, and when authenticating you can use the method `isScoped()` to check if any scope was provided. If not, then the scope of the request will be ignored.

If `isScoped()` returns true you can use the `getScope()` method to get all the scopes and decide whether the authentication request is for your predefined scope or not.

Though the documentation is not clear, I tried setting a random string and it did not stop the world.
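As an added example (not code from the question, the tutorial or Spring's own sources), here are the two halves of scope enforcement in Spring Security OAuth2: the authorization server limits which scope values a client may request, and the resource server decides what a token carrying a given scope may do. The class names, the `/api/**` paths and the `api` resource id are assumptions, and the remaining authorization-server wiring (token store, authentication manager) is assumed to be configured elsewhere.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Authorization server side: scopes() is an allow-list of scope *names* the client may ask for.
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {  // assumed class name
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("trusted-app")
            .secret("secret")
            .authorizedGrantTypes("client_credentials", "password", "refresh_token")
            // A token request may carry scope=read, scope=write, or both. A request for
            // scope=donkey is rejected (invalid_scope) because it is not registered here.
            // If the client omits the scope parameter, it is granted all registered scopes.
            .scopes("read", "write")
            .resourceIds("api");  // assumed resource id
    }
}

// Resource server side: this is where "read" and "write" acquire meaning. Without these
// rules any scope name, registered or arbitrary, lets a valid token reach every endpoint.
@Configuration
@EnableResourceServer
class ApiResourceConfig extends ResourceServerConfigurerAdapter {  // assumed class name
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("api");  // only tokens issued for this resource id are accepted
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // GET requires the "read" scope, POST requires "write"; a token holding only
            // "read" gets 403 (insufficient_scope) on POST even though it is otherwise valid.
            .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
            .antMatchers(HttpMethod.POST, "/api/**").access("#oauth2.hasScope('write')")
            .anyRequest().authenticated();
    }
}
```

Registering `"all"` or `"donkey"` instead of `"read"`/`"write"` is accepted by the authorization server; it only changes which literal strings the resource server's `#oauth2.hasScope(...)` checks must look for.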