Rémy HUBSCHER edited this page Jun 27, 2016 · 1 revision

Blueprint for Firefox Account Scopes

Goal: let a user delegate a subset of their permissions to a Bearer token.

Authentication vs Authorization

One of the most difficult things to grasp in software development is the difference between Authentication and Authorization:

  • Authentication: Verify who the connected person is.
  • Authorization: Verify what the connected person can do.

In the case of Kinto this is very important because you can store plenty of information in a Kinto server for multiple usages, and you do not necessarily want Application A to access, or be allowed to modify, data from Application B.

User story

  • When I log into my Contact application, I want to be able to manage (CRUD) my contacts.
  • When I log into my Task application, I want to be able to manage (CRUD) my tasks. I also want to link a contact to a task, but in no case do I want to allow my Task application to Create/Update/Delete my contacts.

OAuth to the rescue

Fortunately, the OAuth flow has been built with that use case in mind, and it is possible to define a list of scopes for a given Bearer Token.

Using scopes, it is possible to create a Bearer Token that is valid for the Kinto service only and that grants permissions on a given collection or bucket.

Examples

  • kinto:/buckets/default/collections/contact:write: Would restrict the application to at most the write permission on the contacts collection of the user's default bucket.
  • kinto:/buckets/gallery: Would restrict the application to at most the read permission on all resources of the gallery bucket.
  • kinto:/buckets/staging:write: Is the correct way to give the application all the user's permissions on the staging bucket.
  • kinto: Alone, this scope gives the application all the user's permissions, for backward compatibility.

Rules

  • Structure: server_scope_name:resource_root[:permission]
  • If the permission is omitted, the read permission is given.
  • It is possible to add multiple scopes: kinto:/buckets/tasks:write kinto:/buckets/contacts:read

Warnings

Keep in mind that the scope is a mask that restricts the user's permissions; it never grants permissions the user does not already have.

  • We need to make sure that an application is never given more authorization than the user actually has.
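The scope structure from the Rules section and the mask rule from the Warnings section, as an added example in Python; this is not code from the Kinto project. It assumes two permission levels, read below write (write implying read), hierarchical resource paths of the form /buckets/<id>/collections/<id>/..., and that the bare kinto scope covers every resource; the user permissions and resource paths fed in are constructed for the example. The effective permission is the minimum of what the user holds and what the token's scopes allow, so a token scoped with :write on a bucket where the user only has read still yields read.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

SERVICE = "kinto"
# Ordering of permission levels; write is strictly more than read.
PERMISSION_ORDER = {"read": 0, "write": 1}


@dataclass(frozen=True)
class Scope:
    # Resource root the scope applies to ("" means every resource, for the bare "kinto" scope).
    resource_root: str
    permission: str


def parse_scope(scope: str) -> Optional[Scope]:
    """Parse one scope string of the form server_scope_name:resource_root[:permission].

    Returns None for scopes that belong to another service (e.g. "profile:email"),
    so they can be ignored rather than rejected.
    """
    parts = scope.split(":")
    if parts[0] != SERVICE:
        return None
    # Bare "kinto" (or "kinto:") grants every permission the user has, for backward compatibility.
    if len(parts) == 1 or parts[1] == "":
        return Scope("", "write")
    resource_root = parts[1].rstrip("/")
    # Permission defaults to read when omitted.
    permission = parts[2] if len(parts) > 2 else "read"
    if permission not in PERMISSION_ORDER:
        raise ValueError("unknown permission %r in scope %r" % (permission, scope))
    if not resource_root.startswith("/buckets/"):
        raise ValueError("resource root must start with /buckets/ in scope %r" % scope)
    return Scope(resource_root, permission)


def parse_scopes(scope_string: str) -> List[Scope]:
    """Split a space-separated scope list and keep only the Kinto scopes."""
    return [s for s in (parse_scope(x) for x in scope_string.split()) if s is not None]


def _covers(scope: Scope, resource: str) -> bool:
    # A scope covers its root and everything below it. The "/" suffix check avoids
    # /buckets/gallery accidentally covering /buckets/gallery2.
    return resource == scope.resource_root or resource.startswith(scope.resource_root + "/")


def scope_permission(scopes: Iterable[Scope], resource: str) -> Optional[str]:
    """Highest permission the token's scopes allow on a resource, or None if uncovered."""
    best = None
    for scope in scopes:
        if _covers(scope, resource):
            if best is None or PERMISSION_ORDER[scope.permission] > PERMISSION_ORDER[best]:
                best = scope.permission
    return best


def effective_permission(user_permission: Optional[str], scope_string: str, resource: str) -> Optional[str]:
    """Apply the scopes as a mask over what the user actually holds on the resource.

    user_permission is the permission the user has on the resource independently of
    the token (None if they have none). The result can never exceed it.
    """
    allowed = scope_permission(parse_scopes(scope_string), resource)
    if user_permission is None or allowed is None:
        return None
    return min(user_permission, allowed, key=PERMISSION_ORDER.__getitem__)


if __name__ == "__main__":
    # Constructed inputs: the user has write on their staging bucket but the token is only
    # scoped for read, and has only read on the shared bucket despite a :write scope.
    print(effective_permission("write", "kinto:/buckets/gallery", "/buckets/gallery/collections/photos"))
    print(effective_permission("read", "kinto:/buckets/staging:write", "/buckets/staging"))
```

Note that scopes of other services are dropped, not treated as errors, while a malformed Kinto scope (unknown permission or a resource root outside /buckets/) raises ValueError so that a token with an unparseable scope is refused rather than silently granted read.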