Custom OpenID Connect scopes
OpenID Connect issues an OAuth 2.0 access token alongside the ID token; client apps use it to retrieve information about the signed-in user from the server's UserInfo endpoint. We recently received a question about whether these access tokens can also be used to access other protected HTTP resources / web APIs.
The answer is yes!
The OpenID Connect provider is technically an OAuth 2.0 authorisation server, and the OpenID Connect Core spec explicitly states that the server may support scope values other than the standard ones (openid, profile, email, address, phone and offline_access).
Here is an example scope for pure OpenID use only:
openid profile email
And this is a scope with additional values meant for a third-party web API:
openid profile email payroll:disburse payroll:settle
Example scenarios:
- A user from the accounting department who logs in with OpenID Connect to the payroll application may be granted access to specific payment APIs.
- A user from the IT support department who logs in with OpenID Connect to an admin dashboard app may be granted access to specific server management APIs.
- A user from the legal department who logs in with OpenID Connect to a documentation system may be granted access to specific confidential documents.
The access scope that is granted to a particular user is determined during the OAuth 2.0 / OpenID Connect authorisation step. The scope to grant can be determined by explicit consent and / or by looking up specific user / client app permissions (e.g. the user's membership of an LDAP group), and it is normally a subset of what the client app requested: the server cuts the request down to what the client is registered for and what the user is entitled to. Our Connect2id server provides an integration API that allows access tokens to be issued with arbitrary scope values, based on any type of input.
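As an added illustration of that authorisation step (this is example code, not the Connect2id server's integration API), here is a Go function that computes the scope to grant from three inputs: the scope the client requested, the scope values the client is registered for, and the user's directory groups. The group names, the group-to-scope mapping and the client registration are invented for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical policy tables for the authorisation step (invented for this example).
// In a deployment the groups would come from the directory, e.g. LDAP, and the
// allowed scopes from the client's registration.
var groupScopes = map[string][]string{
	"accounting": {"payroll:disburse", "payroll:settle"},
	"it-support": {"servers:read", "servers:restart"},
}

// Standard OpenID Connect scopes need no group membership: they only describe the user.
var standardScopes = []string{"openid", "profile", "email", "address", "phone"}

// GrantScope computes the scope to put into the access token: the requested scope,
// cut down to what the client is registered for and what the user's groups permit.
// It never adds a value that was not requested, drops duplicates, and refuses a
// request without "openid", since that value is what makes it an OpenID Connect request.
func GrantScope(requested string, clientAllowed, userGroups []string) (string, error) {
	permitted := map[string]bool{}
	for _, s := range standardScopes {
		permitted[s] = true
	}
	for _, g := range userGroups {
		for _, s := range groupScopes[g] {
			permitted[s] = true
		}
	}
	registered := map[string]bool{}
	for _, s := range clientAllowed {
		registered[s] = true
	}
	var granted []string
	seen := map[string]bool{}
	for _, s := range strings.Fields(requested) {
		if permitted[s] && registered[s] && !seen[s] {
			granted = append(granted, s)
			seen[s] = true
		}
	}
	if !seen["openid"] {
		return "", fmt.Errorf("not an OpenID Connect request: openid scope missing or not allowed")
	}
	return strings.Join(granted, " "), nil
}

func main() {
	// The payroll app is registered for the standard scopes plus its own two payment scopes.
	payrollApp := []string{"openid", "profile", "email", "payroll:disburse", "payroll:settle"}
	request := "openid profile email payroll:disburse payroll:settle servers:restart"
	for _, groups := range [][]string{{"accounting"}, {"it-support"}} {
		scope, err := GrantScope(request, payrollApp, groups)
		fmt.Printf("%v -> %q %v\n", groups, scope, err)
	}
}
```

Two gates are applied independently: an IT support user asking the payroll app for servers:restart is entitled to that value by group, but the payroll client is not registered for it, so it is dropped; an accounting user gets the two payroll values because both gates pass. The result is the scope string that goes into the access token (and into the token response's scope parameter when it differs from the request).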
The web API that receives the access token can validate it and obtain its matching authorisation in two ways:
- By making a RESTful query to the Connect2id server, which validates the token and returns the authorisation (subject, scope, expiration) it carries;
- By decoding the access token (which is a JWT), verifying its signature with the server's public key, checking the issuer, audience and expiration claims, and then extracting its scope values.
In both cases the web API must still check that the scope values it finds include the one that protects the requested endpoint; a valid token is not by itself an authorisation for every API.
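The second option, as an added example in Go that is not code from the post or from the Connect2id server: the provider side mints an RS256-signed JWT access token carrying the granted scope, and the web API side verifies the signature, pins the algorithm, checks iss, aud and exp, and only then enforces the scope value an endpoint requires. The issuer and API URLs, the subject "alice", the payroll scope values and the throwaway RSA key are all assumptions made for the example; a real web API would take the provider's public key from its published JWK set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims are the access token payload fields the web API checks; "scope" holds the space-delimited scope string.
type Claims struct {
	Issuer   string          `json:"iss"`
	Audience json.RawMessage `json:"aud"` // RFC 7519 allows a string or an array of strings
	Expiry   int64           `json:"exp"`
	Scope    string          `json:"scope"`
}

var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key; a real provider publishes its public key in a JWK set

// MintToken stands in for the OpenID provider: it issues an RS256-signed JWT
// access token carrying the scope granted at the authorisation step.
func MintToken(key *rsa.PrivateKey, iss, sub string, aud []string, scope string, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "at+jwt"})
	payload, _ := json.Marshal(map[string]any{"iss": iss, "sub": sub, "aud": aud, "exp": time.Now().Add(ttl).Unix(), "scope": scope})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAndAuthorise is the web API side: verify the signature with the provider's public key,
// then check iss, aud and exp, then require the scope value that protects this endpoint.
func VerifyAndAuthorise(token string, pub *rsa.PublicKey, iss, aud, requiredScope string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdr, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	// Pin the algorithm: the verifier decides, never the token (blocks alg=none and key confusion).
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var c Claims // nothing in the payload is trusted before the signature has verified
	if json.Unmarshal(payload, &c) != nil {
		return nil, fmt.Errorf("bad claims")
	}
	switch {
	case c.Issuer != iss:
		return nil, fmt.Errorf("wrong issuer")
	case !hasAudience(c.Audience, aud):
		return nil, fmt.Errorf("token not intended for this API")
	case c.Expiry <= now.Unix():
		return nil, fmt.Errorf("token expired")
	case !strings.Contains(" "+c.Scope+" ", " "+requiredScope+" "): // whole-value match, never a prefix match
		return nil, fmt.Errorf("insufficient scope: %q required", requiredScope)
	}
	return &c, nil
}

// hasAudience accepts both aud encodings RFC 7519 allows: a single string or an array of strings.
func hasAudience(raw json.RawMessage, want string) bool {
	var v any
	_ = json.Unmarshal(raw, &v)
	list, _ := v.([]any)
	if s, ok := v.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

func main() {
	iss, api := "https://op.example.com", "https://payroll-api.example.com" // illustrative URLs
	tok, _ := MintToken(demoKey, iss, "alice", []string{api}, "openid profile email payroll:disburse payroll:settle", time.Hour)
	_, err := VerifyAndAuthorise(tok, &demoKey.PublicKey, iss, api, "payroll:refund", time.Now())
	fmt.Println("payroll:refund ->", err) // rejected: the token carries disburse and settle only
}
```

The order of the checks is the point: signature first, then issuer, audience and expiry, then scope. Skipping the audience check would let a token minted for a different API be replayed against this one, and matching scope values by prefix (or with a plain substring search on the raw string) would let payroll:disburse satisfy a check for payroll:dis. The same logic applies whichever JWS algorithm the provider uses; only the key type and the pinned alg value change.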
Feel free to speak to us should you have questions about implementing custom scopes for third-party web APIs in OpenID Connect.