Custom scopes with oauth #275

Closed
badaz opened this issue Aug 28, 2019 · 14 comments

badaz commented Aug 28, 2019

OAuth Custom scopes

Problem

I want to use custom scopes when using OAuth grants for use by 1st or 3rd party applications.

Solution

Define supported scopes by application. Allow requesting these scopes using the scope parameter when calling /token

The following are in scope for this feature:

  • Create a FusionAuth application and designate it as a 3rd party application.
  • Custom scopes can be created for 1st or 3rd party applications
  • New APIs to CRUD on application OAuth scopes
  • Scopes can be optional or required
  • A 3rd party application must prompt a user for consent for the requested scopes
  • A 3rd party application can optionally disable the prompt through a configured policy.
  • Optional scopes can be opted out by the end user during consent (prompt)
  • The user may optionally not be prompted once consent has been provided while scopes have not changed. This will be enabled or disabled via application policy
  • Userinfo and Introspect endpoints to allow claims to be modified based upon requested scopes.
  • Allow access to requested scopes in the JWT populate lambda so you have the option to control claims in id_token based upon requested scopes.

Areas for future enhancement:

  • Allow the Search API to filter applications by 1st or 3rd party.
  • Allow consent to be tracked using the FusionAuth Consent API. This would allow consents to be persisted, modified or revoked.

Related

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
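
A sketch of the scope and consent rules listed in the issue above, as an added example that is not FusionAuth code and not part of the original post. The class and function names, the scope strings, rejecting undefined scopes, and failing the request when a required scope is declined are all assumptions.

```python
from dataclasses import dataclass


class ScopeError(Exception):
    """The scope request cannot be granted as asked."""


@dataclass(frozen=True)
class AppScopePolicy:
    # Hypothetical per-application settings mirroring the feature list above.
    required: frozenset            # user cannot opt out of these
    optional: frozenset            # user may untick these at the prompt
    third_party: bool = True
    prompt_disabled: bool = False  # policy: never show the consent prompt
    remember_consent: bool = True  # policy: skip prompt if scopes unchanged


def resolve(policy, scope_param, approved=None, prior=None):
    """Return (granted, needs_prompt); granted is None while a prompt is pending.

    approved: scopes the user ticked on the consent screen, None if not shown.
    prior:    (requested, granted) frozensets saved from an earlier consent.
    """
    requested = frozenset(scope_param.split())  # space-delimited scope parameter
    unknown = requested - policy.required - policy.optional
    if unknown:  # assumption: undefined scopes are rejected, not silently dropped
        raise ScopeError("undefined scope(s): " + " ".join(sorted(unknown)))
    if not policy.third_party or policy.prompt_disabled:
        return requested, False
    if policy.remember_consent and prior and prior[0] == requested:
        return prior[1], False
    if approved is None:
        return None, True
    declined = (requested & policy.required) - frozenset(approved)
    if declined:  # assumption: declining a required scope fails the request
        raise ScopeError("required scope(s) declined: " + " ".join(sorted(declined)))
    return requested & frozenset(approved), False


if __name__ == "__main__":
    # Constructed sample policy and requests.
    app = AppScopePolicy(frozenset({"invoices:read"}), frozenset({"invoices:write"}))
    print(resolve(app, "invoices:read invoices:write"))
    print(resolve(app, "invoices:read invoices:write", approved={"invoices:read"}))
```
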

Author

badaz commented Aug 28, 2019

I found the answer here:
#218
Custom scopes are not supported, yet I'd prefer using only one piece of software to do both things. Maybe I'm wrong, but it seems like FusionAuth plans on implementing it someday. Will it be in the near future?

@robotdan
Member

Thanks for the question @badaz.

This is on the roadmap for sure, hard to say when we'll get to it. We do a lot of pro-serve and paid support contracts, so that work takes priority.

Feel free to use the contact us form on fusionauth.io if you want to discuss expediting this work for your project.

@DeviPrasad

I've been using FusionAuth for more than a month now. Wish to thank you for this fabulous product!

I have a question. May I know when the support for custom scopes might be available?

Thank you much!

Collaborator

mooreds commented Dec 22, 2020

@DeviPrasad Thanks for using FusionAuth, and I'm glad you find it helpful!

I'm afraid we don't have a firm date for this work being done.

As @robotdan mentions, if you need this, we're happy to discuss a professional services agreement to get this built out on a definite timeline.

Here's our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap/ which may be helpful to you in your future planning.


jsommr commented Feb 16, 2021

Every call to our API endpoints is charged. Giving administrators and developers on the customer side the possibility to limit which endpoints can be called via scopes, so other developers won't call endpoints that shouldn't be called in a particular application, would be a good way to help customers not accidentally call endpoints in one application that should be called elsewhere.

Collaborator

mooreds commented Feb 16, 2021

Thanks for sharing your use case, @nerfpops, really appreciate it. It's always great to hear how people are using FusionAuth to solve their auth problems. Please make sure you vote up this issue if you haven't already.

Also, please contact us if you'd like to discuss a professional services agreement to get this feature implemented on a firm timeline.

@dystopiandev

@mooreds @robotdan has anything changed in the timeline to favour this yet?

Collaborator

mooreds commented Apr 5, 2021

@dystopiandev sorry, no changes in when this will be delivered.

Still something we plan to support in the future, but haven't committed to a timeframe.


pmolaro commented Apr 30, 2021

My company is very interested in having this feature as well. We are migrating a system with over 100 mil users over to FusionAuth and scopes is a big feature we need. Do we have any options? Are there any custom JS examples of a way we could add something that resembles scopes?

Collaborator

mooreds commented Apr 30, 2021

@pmolaro if you are interested in paying to have this feature built on a defined schedule, you can contact our sales department and we can give you a professional services estimate: https://fusionauth.io/contact/

For a production deployment that size you should also consider FusionAuth enterprise support: https://fusionauth.io/pricing/editions/ Sometimes as part of a custom enterprise contract, additional features are delivered.

@sandromastronardi

Too bad this doesn't exist, I'll have to stick to auth0 for this then... I am interested in considering a switch, but not without scopes.

@robotdan robotdan added this to the 1.51.0 milestone Dec 8, 2023
@spwitt spwitt self-assigned this Dec 26, 2023
Member

robotdan commented Feb 7, 2024

Let's review this issue in context of any changes we are making for this feature.


spwitt commented Apr 18, 2024

@andrewpai

Scheduled for delivery in 1.50.0.

Status: Delivered