Custom scopes with oauth #275

@badaz

Description

OAuth Custom scopes

Problem

I want to use custom scopes when using OAuth grants for use by 1st or 3rd party applications.

Solution

Define supported scopes by application. Allow requesting these scopes using the scope parameter when calling /token.

The following are in scope for this feature:

  • Create a FusionAuth application and designate it as a 3rd party application.
  • Custom scopes can be created for 1st or 3rd party applications
  • New APIs to CRUD on application OAuth scopes
  • Scopes can be optional or required
  • A 3rd party application must prompt a user for consent for the requested scopes.
  • A 3rd party application can optionally disable the prompt through a configured policy.
  • Optional scopes can be opted out of by the end user during consent (prompt).
  • The user may optionally not be prompted again once consent has been provided, as long as the scopes have not changed. This will be enabled or disabled via application policy.
  • Userinfo and Introspect endpoints to allow claims to be modified based upon requested scopes.
  • Allow access to requested scopes in the JWT populate lambda so you have the option to control claims in the id_token based upon requested scopes.

Areas for future enhancement:

  • Allow the Search API to filter applications by 1st or 3rd party.
  • Allow consent to be tracked using the FusionAuth Consent API. This would allow consents to be persisted, modified or revoked.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
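The following is an added illustration of the scope and consent behaviour listed in the feature request above. It is not code from the issue and not FusionAuth's implementation or API; the application configuration, the `required`/`claims` fields, the consent policy flags and every function name are assumptions made for the example. It models four steps: validating the space-delimited `scope` parameter against the scopes defined on the application, deciding whether a 3rd party application must show the consent prompt (skipping it for 1st party apps, when policy disables it, or when a prior consent already covers the requested scopes), applying the user's opt-out of optional scopes at the prompt, and deriving userinfo/id_token claims from the granted scopes only.

```javascript
// Hypothetical model of per-application OAuth scopes and consent. Added
// example; names and structure are assumptions, not FusionAuth's API.

// Constructed application configuration: each scope is required or optional
// and maps to the user claims it unlocks.
const application = {
  name: "Partner CRM",
  thirdParty: true,
  consent: {
    prompt: true,          // false would disable the consent prompt by policy
    skipIfUnchanged: true, // reuse a prior consent when the scopes are unchanged
  },
  scopes: {
    "profile:read": { required: true,  claims: ["name", "email"] },
    "orders:read":  { required: false, claims: ["orders"] },
    "orders:write": { required: false, claims: [] },
  },
};

// Constructed user record used to build claims.
const user = {
  id: "u-1",
  attributes: { name: "Ada", email: "ada@example.com", orders: [1, 2] },
};

// Parse the OAuth `scope` parameter (space-delimited, duplicates ignored) and
// reject any scope the application does not define.
function parseScopeParameter(app, scopeParam) {
  const requested = [...new Set(scopeParam.trim().split(/\s+/).filter(Boolean))];
  const unknown = requested.filter((s) => !(s in app.scopes));
  if (unknown.length) {
    throw new Error(`invalid_scope: ${unknown.join(" ")}`);
  }
  return requested;
}

// Decide whether the consent prompt must be shown. `priorConsent` is the list
// of scopes the user previously approved for this application, or null.
function needsConsentPrompt(app, requestedScopes, priorConsent) {
  if (!app.thirdParty || !app.consent.prompt) return false; // 1st party, or prompt disabled by policy
  if (!app.consent.skipIfUnchanged || !priorConsent) return true;
  const prior = new Set(priorConsent);
  // Prompt again only if something new is being requested.
  return !requestedScopes.every((s) => prior.has(s));
}

// Apply the user's choices from the prompt: optional scopes may be declined,
// required scopes may not.
function applyConsent(app, requestedScopes, declined) {
  const declinedSet = new Set(declined);
  const illegal = requestedScopes.filter((s) => declinedSet.has(s) && app.scopes[s].required);
  if (illegal.length) {
    throw new Error(`required scope(s) cannot be declined: ${illegal.join(" ")}`);
  }
  return requestedScopes.filter((s) => !declinedSet.has(s));
}

// Build the claims returned by userinfo/introspect or placed in the id_token,
// releasing only the attributes unlocked by the granted scopes.
function claimsForScopes(app, grantedScopes, u) {
  const allowed = new Set(grantedScopes.flatMap((s) => app.scopes[s].claims));
  const claims = { sub: u.id, scope: grantedScopes.join(" ") };
  for (const [key, value] of Object.entries(u.attributes)) {
    if (allowed.has(key)) claims[key] = value;
  }
  return claims;
}

// End-to-end run: first authorization with no prior consent, the user declines
// the optional orders:write scope, and a later request with the same scopes
// does not prompt again.
function demo() {
  const requested = parseScopeParameter(application, "profile:read orders:read orders:write");
  const prompt = needsConsentPrompt(application, requested, null);
  const granted = applyConsent(application, requested, ["orders:write"]);
  const claims = claimsForScopes(application, granted, user);
  const promptAgain = needsConsentPrompt(application, granted, granted);
  return { prompt, granted, claims, promptAgain };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point worth checking in any real implementation is the last function: claims must be derived from the scopes the user actually granted, not from the scopes the client asked for, otherwise the opt-out at the consent prompt has no effect on what the token or userinfo response reveals.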

Status

Delivered