+1. We can do this at OAuth2AccessTokenHandler without any cost, since scopes are anyway returned as a result of OAuth2 token validation. Hence doing this validation again at the application level just to retrieve scopes is a cost.
Please make sure to use an OAuth-specific name for this parameter so that anybody who consumes the authentication result knows that this is something related to OAuth authentication, e.g. oauth2.scopes

On Wed, Feb 21, 2018 at 12:38 PM, Dewni Weeraman <[email protected]> wrote:

> Hi All,
>
> I'm currently working on implementing protection API endpoints for UMA 2.0.
> To access the protection API endpoints it is a must to have a valid PAT
> (Protection API Access Token) in the request. PAT represents the
> authorization of the resource owner for the resource server to use the
> authorization server for protecting resources.
>
> I have used the existing REST authentication valve available at [1] to
> filter out the required values. I have a requirement to check if the token
> has the scope as uma_protection. The issue is that the current valve
> implementation doesn't have a way to obtain the scope. I have to add
> another parameter at [2] to obtain the scope to proceed with the
> authentication.
>
> Please provide your thoughts on this.
>
> [1] https://github.com/wso2-extensions/identity-carbon-auth-rest
> [2] https://github.com/wso2-extensions/identity-carbon-auth-rest/blob/master/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/impl/OAuth2AccessTokenHandler.java#L95
>
> Thanks
> --
> *Dewni Weeraman*
> Trainee Software Engineer | WSO2
>
> Email: [email protected]
> Mobile: +94772979049
> Web: http://wso2.com/

--
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
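The approach discussed in this thread, as an added sketch that is not code from identity-carbon-auth-rest or from either poster: the handler publishes the scopes it already received from token validation under `oauth2.scopes`, and the protection API check reads that parameter and fails closed. `ValidationResult`, `AuthContext`, `handle`, `isPat` and `check` are hypothetical stand-ins; only the names `oauth2.scopes` and `uma_protection` come from the thread.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration: every type and method here is a hypothetical stand-in,
// not an API of identity-carbon-auth-rest. Requires Java 16+.
public class ScopeParamExample {
    static final String OAUTH2_SCOPES = "oauth2.scopes";   // name proposed in the thread
    static final String UMA_PROTECTION = "uma_protection"; // scope a PAT must carry

    // Stand-in for what OAuth2 token validation returns.
    record ValidationResult(boolean valid, String[] scopes) {}

    // Stand-in for the authentication result handed to downstream consumers.
    static final class AuthContext {
        private final Map<String, Object> params = new HashMap<>();
        void addParameter(String key, Object value) { params.put(key, value); }
        Object getParameter(String key) { return params.get(key); }
    }

    // Handler side: scopes arrive with the validation result, so publish them
    // once instead of making the application validate the token a second time.
    static boolean handle(ValidationResult result, AuthContext ctx) {
        if (result == null || !result.valid()) {
            return false; // nothing is published for a rejected token
        }
        String[] scopes = result.scopes() == null ? new String[0] : result.scopes();
        ctx.addParameter(OAUTH2_SCOPES, Set.copyOf(Arrays.asList(scopes)));
        return true;
    }

    // Endpoint side: exact, case-sensitive match; an absent parameter denies.
    static boolean isPat(AuthContext ctx) {
        return ctx.getParameter(OAUTH2_SCOPES) instanceof Set<?> s && s.contains(UMA_PROTECTION);
    }

    static boolean check(ValidationResult result) {
        AuthContext ctx = new AuthContext();
        return handle(result, ctx) && isPat(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample validation results, not captured from a real server.
        System.out.println(check(new ValidationResult(true, new String[]{"openid", "uma_protection"})));
        System.out.println(check(new ValidationResult(true, new String[]{"uma_protection_admin"}))); // look-alike scope
        System.out.println(check(new ValidationResult(true, null)));                                 // no scopes granted
        System.out.println(check(new ValidationResult(false, new String[]{"uma_protection"})));      // rejected token
    }
}
```

Matching against a set of whole scope values, rather than searching the raw scope string, keeps a look-alike such as `uma_protection_admin` from being accepted as a PAT.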
