Question posted in 
I want to set up a OAuth 2.0 flow in my code.
I want my code, to be limited to specific scopes (even if someone accidentally writes some extra code to request additional ones).
Let’s assume I want my code to be able to only access photos in facebook.
Is the only place to restrict the scope during the request to the authorisation server, e.g.
https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
&redirect_uri=REDIRECT_URI&scope=email&state=1234zyx
Or is there a way to enforce this restriction when issuing client_id and client_secret so that the following request will eventually fail?
https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
&redirect_uri=REDIRECT_URI&scope=email,posts&state=1234zyx
My use case is for google APIs btw.
2
Answers
Not enough details provided to know what you are trying to accomplish; But generally:
(Could be end user "consent screen" or Google if using APIs) may NOT delegate some or all requested scopes.
requested scopes for many reasons.
When first implementing an OAuth flow in GCP, I conflated GCP authorization with Google API authorization, and the mechanisms used to orchestrate them.
First off, let’s define Authentication and Authentication:
Authentication
GCP offers a variety of authentication flows, which are found in the IAM console. In your example, you may be looking at using:
Additionally, GCP offers things like
Authorization (of Google APIs)
Authorization is notably a 2-stage process that verifies an authenticated Identity, and inspects authorization metadata (such as scopes in a JWT or information included in an "Access Policy"). This combination is used to determine if access should be granted to a specific Identity. Authorization in GCP is different when we’re talking about Google APIs and GCP resources.
Examples of IAM Grants
Service Account Impersonation requires an authorization relationship between the User account and the Service Account using IAM allowing the user to Impersonate the Service Account (similar to assuming roles in AWS).
If an Identity is going to request API scopes, it will need authorization to access the Authorization server and request JWTs. This (confusingly in my opinion) also happens in IAM. If the Identity were a Service Account, it would need to be granted the
iam.serviceAccounts.getAccessTokenrole in IAM.Examples of OAuth Scope Grants
Assuming our Identity has the appropriate authorization to request a token, it can request specific functionality offered by the Google API by including OAuth scopes in the request. The authorization server will then generate a token with those scopes, and that token will be linked to the unique identity of the requester.
It’s important to note that a scope only defines the scope of functionality in these systems. That does NOT imply that a given Identity is Authorized to access the scope’s functionality. In most Google APIs, Authorization happens at the Google API layer. Let’s look at an example:
Some scopes however, such as
https://www.googleapis.com/auth/spreadsheetsexpose sensitive data and are by default enabled at the Google APIs layer. If these scopes are requested, the requesting Identity would in fact have access to the functionality defined by them without restriction.I believe this is where your question comes in 🙂
Attempting to answer the question
If you’re trying to prevent other developers within your organization from requesting a token that uses a certain scope that is enabled by default at the Google APIs layer, you will need to prevent the Identity from accessing that scope. This can be done a couple ways:
Ultimately, my interpretation is that Google puts the responsibility in the developer’s hands to request the correct scopes, and to restrict further authorization at the application level when calling their APIs. If you want to prevent an Identity from calling specific scopes, you have some degree of control over that in the Admin Console of the Workspace Account for your Google Users included in your Workspace.