OAuth 2.0 remember authorization grant


This example by Microsoft describes implementing an OAuth 2.0 Authorization server. I'm implementing the Authorization Code Grant flow. In the downloaded sample code, the /authorize endpoint asks the user to grant permission every time they log in. As users want to grant permission only once, at first login, should I persist it myself for each user, or does OAuth support this by default?

What's the best practice in this scenario?

Thanks in advance.

1 answer

Takahiko Kawasaki (best answer):

The OAuth 2.0 specification itself does not mention anything about the feature. Therefore, if the implementation of the authorization server you are using does not have the feature, you yourself have to implement it.

To achieve the feature, you need to store information about "who (user) has granted what permissions (scopes) to whom (client application)" for each combination of user and client application. In addition, you will probably want to keep the information even after all access tokens issued to each combination have expired, in order to avoid asking the user again.

If I were you, I would add an internal API to the authorization server. The API would receive a user ID and a client ID and return a list of scopes which have been granted by the user to the client application in the past. If there were such an API, you would be able to use it when you generate an authorization page.


FYI:

"Granted Scopes API" of Authlete is an example. /api/client/granted_scopes/get API accepts subject and clientId request parameters and returns a JSON like below.

{
    "serviceApiKey"       : <Service API Key>,
    "clientId"            : <Client ID>,
    "subject"             : <User's Unique ID>,
    "latestGrantedScopes" : <Scopes granted by the last authorization process>,
    "mergedGrantedScopes" : <All the scopes granted so far>
}

/api/client/granted_scopes/delete API accepts subject and clientId request parameters and deletes the remembered record if any.

Note that Granted Scopes API works only on dedicated Authlete servers. It does not work on the shared Authlete server (api.authlete.com). It's because garbage records may accumulate if API callers don't call /api/client/granted_scopes/delete API as necessary, and such garbage records waste the shared storage.
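The design the answer describes (a record per user/client pair that survives token expiry, an internal lookup of "scopes granted so far", and a delete for revocation) as a runnable example. This is example code written for this page, not code from the Microsoft sample or from Authlete; the field names latest_granted and merged_granted mirror the Authlete JSON above, while ConsentStore, GrantRecord and scopes_needing_consent are names chosen here. The store is in-memory so the example runs stand-alone; a real server would back it with a database keyed on (subject, client_id). The prompt="consent" handling is the OpenID Connect prompt parameter, included as an assumption about how the authorization endpoint lets a client force re-consent.

```python
"""Remembered-consent store for an OAuth 2.0 authorization server.

Example code added to this page (not the Microsoft sample, not Authlete).
The decision rule: the /authorize endpoint may skip the consent page only
when every requested scope is already in the merged set granted by this
user to this client; any new scope, or prompt=consent, shows the page again.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class GrantRecord:
    """What one user has granted to one client (names mirror the Authlete JSON)."""
    subject: str
    client_id: str
    latest_granted: FrozenSet[str]   # scopes from the most recent consent
    merged_granted: FrozenSet[str]   # union of everything granted so far


class ConsentStore:
    """Persists consent per (subject, client_id), independent of token lifetime."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], GrantRecord] = {}

    def get(self, subject: str, client_id: str) -> Optional[GrantRecord]:
        # Internal lookup API from the answer: user ID + client ID -> granted scopes.
        return self._records.get((subject, client_id))

    def record_grant(self, subject: str, client_id: str,
                     granted: Iterable[str]) -> GrantRecord:
        # Called after the user approves the consent page; merges with history.
        latest = frozenset(granted)
        existing = self.get(subject, client_id)
        merged = latest if existing is None else existing.merged_granted | latest
        record = GrantRecord(subject, client_id, latest, merged)
        self._records[(subject, client_id)] = record
        return record

    def revoke(self, subject: str, client_id: str) -> bool:
        # Counterpart of Authlete's /granted_scopes/delete: forget the record.
        return self._records.pop((subject, client_id), None) is not None


def scopes_needing_consent(store: ConsentStore, subject: str, client_id: str,
                           requested: Iterable[str],
                           prompt: Optional[str] = None) -> FrozenSet[str]:
    """Scopes the consent page must still ask for; empty set means skip the page.

    prompt="consent" (OIDC prompt parameter, assumed here) forces a full re-ask.
    A scope is remembered only for the exact (subject, client_id) pair, so a
    different client, or the same client for another user, always gets asked.
    """
    wanted = frozenset(requested)
    if prompt == "consent":
        return wanted
    record = store.get(subject, client_id)
    if record is None:
        return wanted
    return wanted - record.merged_granted


if __name__ == "__main__":
    # Constructed walk-through: first login asks, repeat login does not,
    # a new scope asks only for the new scope, revocation resets everything.
    store = ConsentStore()
    print(scopes_needing_consent(store, "alice", "app-1", ["openid", "email"]))
    store.record_grant("alice", "app-1", ["openid", "email"])
    print(scopes_needing_consent(store, "alice", "app-1", ["openid", "email"]))
    print(scopes_needing_consent(store, "alice", "app-1", ["openid", "profile"]))
    store.revoke("alice", "app-1")
    print(scopes_needing_consent(store, "alice", "app-1", ["openid"]))
```

Two points a practitioner should keep in mind when wiring this into /authorize: remembered consent is keyed by client_id, so the usual per-request checks (the client is registered, the redirect_uri matches its registration, the scopes are ones the client is allowed to request) still run before the store is consulted, and a user-facing "revoke access" page should call revoke() so the record does not outlive the user's intent.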