To secure API resources in Ballerina, according to the docs, I can put a scope like so; if the scope is not listed in the JWT, the resource can't be invoked:
```ballerina
@http:ResourceConfig {
    auth: [
        {
            jwtValidatorConfig: config,
            scopes: ["br_smk_gnt"]
        }
    ]
}
isolated resource function post brewery(...) {
    ...
}
```
So, related to the story, Asgardeo scopes are responsible for bringing attributes from the user profile. When I create the JWT in the request payload I can put any scope, with no limitation (based on my roles or permissions). So I don't see how the scope brings extra security by restricting which user can call which resource.
OIDC scopes and OAuth2 scopes have different meanings. OIDC scopes, as you have said, stand for a collection of user attributes (claims). In contrast, OAuth2 scopes bind roles and permissions. In WSO2 IS, we can add such scopes (to represent permissions) and bind them to roles via a REST API, and then ask for that scope when requesting an access token. Have a look at https://gdrdabarera.medium.com/rbac-role-based-access-control-via-oauth2-0-scopes-with-wso2-identity-server-dd6dcb0b737b for more on this.
However, in the above case, the idea is that the Ballerina service can validate any claim in the received JWT for authorization purposes. By default, the name of the claim that is used to validate permissions is `scope`. You can configure a different claim by setting the name of the claim as `scopeKey`. The value of the selected claim should be either a `string` or a `string[]`.
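The following is an added example, not code from the question or the answer above, showing the two pieces that together make the scope check meaningful: the listener verifies the JWT signature against the identity provider's certificate, so a caller cannot mint a token with arbitrary scopes, and `scopeKey` points the per-resource `scopes` check at the claim the IdP actually uses for permissions. The issuer, audience, certificate path, claim name `roles`, resource paths and role names are all assumptions chosen for illustration.

```ballerina
import ballerina/http;

// Assumption: the IdP (WSO2 IS / Asgardeo, or any OAuth2 server) signs access
// tokens with the private key matching this public certificate. The path is a
// placeholder. Because the signature is checked here, a client that edits the
// scope/role claim of a token will fail validation before any scope is compared.
http:JwtValidatorConfig jwtConfig = {
    issuer: "https://idp.example.com/oauth2/token",
    audience: "brewery-api",
    signatureConfig: {
        certFile: "/etc/brewery/idp-public.crt"
    },
    // Assumption: the IdP emits permissions in a claim named "roles"
    // (string or string[]) rather than the default "scope" claim.
    scopeKey: "roles"
};

service /brewery on new http:Listener(9090) {

    // Only tokens whose "roles" claim contains "brewer" may create a batch.
    // With several values in `scopes`, the token needs at least one of them.
    @http:ResourceConfig {
        auth: [
            {
                jwtValidatorConfig: jwtConfig,
                scopes: ["brewer"]
            }
        ]
    }
    isolated resource function post batches(@http:Payload json batch) returns json {
        return {status: "accepted", batch: batch};
    }

    // A different role is required for a different resource on the same service,
    // which is how the same IdP-issued token is restricted per endpoint.
    @http:ResourceConfig {
        auth: [
            {
                jwtValidatorConfig: jwtConfig,
                scopes: ["auditor", "brewer"]
            }
        ]
    }
    isolated resource function get batches() returns json {
        return {batches: []};
    }

    // No auth annotation: anyone can read the health endpoint.
    isolated resource function get health() returns string {
        return "ok";
    }
}
```

A request carrying a token issued by the IdP with `"roles": ["brewer"]` can POST to `/brewery/batches`; a token with only `"roles": ["auditor"]` gets 403 on the POST but can GET, and a token with a forged or modified payload gets 401 because the signature no longer verifies. The scopes a user can obtain are therefore whatever the IdP is willing to issue for that user, which is where role-to-scope binding on the WSO2 IS side comes in.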