by SgtBastard 2313 days ago
> sometimes it's not the user that authorizes the JWT token holder to perform the action to begin with.

Friend, I've read your comments throughout this thread and it is this point where your misunderstanding starts.

From the OAuth 2.0 RFC:

"Instead of using the resource owner's credentials to access protected resources, the client obtains an access token -- a string denoting a specific scope, lifetime, and other access attributes. Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server."

https://tools.ietf.org/html/rfc6749

There is no situation permissible under OAuth 2.0 where an Authorization Server issues access tokens to access resources held by the resource owner, except where the resource owner has given their explicit approval.

Nor is there a scenario where a user can even be requested to give permission to a client to have greater access than that client should otherwise have.

Scopes allow a resource owner to be granular about what they approve access to.
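The two invariants the comment above draws from RFC 6749 (a client can never be granted more than it is registered for, and a token carries only what the resource owner actually approved) are easy to show in code. The following is an added example written for this page, not code posted in the thread and not any real OAuth library: the client ids, scopes, signing key, issuer URL and the HMAC-signed JSON token format (a stand-in for a JWT, not a standards-compliant one) are all constructed for the demonstration.

```python
"""Toy OAuth 2.0 style authorization server plus resource server.

Added example, not from the HN thread or any real library. The client
registry, scopes, signing key, issuer and token layout are constructed
stand-ins; a real deployment would use a proper JWT/JWS library.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example only; a real AS keeps its key in an HSM/KMS.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Client registrations (hypothetical). A client can only ever be granted a
# subset of the scopes it was registered with, so the resource owner is never
# even asked to approve more than the client should have.
CLIENT_REGISTRY = {
    "calendar-app": {"calendar.read", "calendar.write"},
    "readonly-widget": {"calendar.read"},
}


class AuthorizationError(Exception):
    """Raised by both the authorization server and the resource server."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(client_id, requested_scopes, approved_scopes,
                       resource_owner, lifetime=3600, now=None):
    """Authorization server: mint a token only for scopes that the client is
    registered for, actually requested, and the resource owner approved."""
    allowed = CLIENT_REGISTRY.get(client_id)
    if allowed is None:
        raise AuthorizationError("unknown client")
    requested = set(requested_scopes)
    if not requested <= allowed:
        raise AuthorizationError("client not registered for %s"
                                 % sorted(requested - allowed))
    approved = set(approved_scopes)
    if not approved:
        raise AuthorizationError("resource owner approved nothing")
    if not approved <= requested:
        raise AuthorizationError("approval exceeds request: %s"
                                 % sorted(approved - requested))
    now = int(time.time()) if now is None else now
    payload = {
        "iss": "https://as.example",   # hypothetical issuer
        "sub": resource_owner,
        "client_id": client_id,
        "scope": " ".join(sorted(approved)),
        "iat": now,
        "exp": now + lifetime,
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_access_token(token, now=None):
    """Resource server: check the signature and expiry, return the claims."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise AuthorizationError("malformed token")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise AuthorizationError("bad signature")
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise AuthorizationError("token expired")
    return claims


def access_resource(token, required_scope, now=None):
    """Resource server endpoint: the token must carry the endpoint's scope."""
    claims = verify_access_token(token, now)
    granted = set(claims["scope"].split())
    if required_scope not in granted:
        raise AuthorizationError("insufficient_scope: need %s, token has %s"
                                 % (required_scope, sorted(granted)))
    return {"owner": claims["sub"], "client": claims["client_id"],
            "scope_used": required_scope}


def denied(fn, *args, **kwargs):
    """True if the call is refused with AuthorizationError, else False."""
    try:
        fn(*args, **kwargs)
        return False
    except AuthorizationError:
        return True


if __name__ == "__main__":
    # The app asks for read+write; the user approves only read.
    tok = issue_access_token("calendar-app", ["calendar.read", "calendar.write"],
                             ["calendar.read"], "alice", now=1000)
    print(access_resource(tok, "calendar.read", now=1500))
    print("write denied:", denied(access_resource, tok, "calendar.write", now=1500))
```

The consent screen in this model is the `approved_scopes` argument: whatever the user ticks is intersected with what the client requested, and the request itself was already bounded by the registry. The resource server never asks "who is the user"; it asks "does this token carry the scope this endpoint needs", which is the distinction the comment is making.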