I am working on configuring access controls for clients and users. I decided to segregate it into fine-grained “scopes”, where each scope corresponds to a microservice and the allowed access (e.g. “account-service:create”, “rate-service:read”), where each microservice would typically have at least 4 scopes (for CRUD actions).
Expected Behavior:
- I can create scopes and group them. For example, “account-service” scope group for multiple scopes (e.g. “account-service:create”, “account-service:read”).
- These scope groups can then be applied to individual or composite roles (manually, or by default). For example, the “admin” role would have the “account-service” scope by default.
- There could still be extra scopes manually granted to clients and users.
- For third-party resource access, you can specify the scopes that you want to have, and they would be displayed as user consent (this might be different from the scope that the token has for accessing its own data).
I believe that this achieves fine-grained access for scopes, and keeps roles as a higher-level control option.
I am happy to get feedback on whether this is being implemented soon, or on a potential workaround currently available.
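The proposal above, as an added illustration (not Keycloak's API or code from the post): a hypothetical data model in which a role's scopes are the union of its scope groups, its composite roles' scopes and directly granted scopes, and a third-party token is narrowed to the requested (consented) scopes. Role and scope names are constructed samples.

```python
# Added illustration of the scope-group / role model proposed above (hypothetical, not Keycloak's API).
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    scope_groups: set = field(default_factory=set)   # names of scope groups applied to the role
    composites: set = field(default_factory=set)     # names of roles contained in this composite role
    extra_scopes: set = field(default_factory=set)   # scopes granted to the role individually


# Constructed sample: one scope group per microservice, holding its four CRUD scopes.
SCOPE_GROUPS = {
    "account-service": {f"account-service:{a}" for a in ("create", "read", "update", "delete")},
    "rate-service": {f"rate-service:{a}" for a in ("create", "read", "update", "delete")},
}
ROLES = {
    "viewer": Role("viewer", extra_scopes={"account-service:read", "rate-service:read"}),
    "admin": Role("admin", scope_groups={"account-service"}, composites={"viewer"}),
}


def effective_scopes(role_name, roles=ROLES, groups=SCOPE_GROUPS, _seen=None):
    """Resolve a role (including its composites) to the flat set of scopes it grants."""
    _seen = set() if _seen is None else _seen
    if role_name in _seen:            # guard against cycles in composite roles
        return set()
    _seen.add(role_name)
    role = roles[role_name]
    scopes = set(role.extra_scopes)
    for group in role.scope_groups:
        scopes |= groups[group]
    for child in role.composites:
        scopes |= effective_scopes(child, roles, groups, _seen)
    return scopes


def token_scopes(user_roles, extra_scopes=frozenset(), requested=None):
    """Scopes a token carries: everything the user holds via roles plus direct grants,
    narrowed to the scopes a third-party client requested (the set shown for consent)."""
    held = set(extra_scopes)
    for role_name in user_roles:
        held |= effective_scopes(role_name)
    if requested is None:             # first-party token: full access to the user's own data
        return held
    return held & set(requested)      # third-party token: never more than requested and held
```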