<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: oleg makhlov</title>
    <description>The latest articles on DEV Community by oleg makhlov (@oleg_ivanov_a662b77fe36b2).</description>
    <link>https://dev.to/oleg_ivanov_a662b77fe36b2</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3842634%2F1ac1db04-a651-4139-b2cf-16292a66c62e.png</url>
      <title>DEV Community: oleg makhlov</title>
      <link>https://dev.to/oleg_ivanov_a662b77fe36b2</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/oleg_ivanov_a662b77fe36b2"/>
    <language>en</language>
    <item>
      <title>Manual vs Generated OAuth Scopes: Lessons Learned While Building an Identity Platform</title>
      <dc:creator>oleg makhlov</dc:creator>
      <pubDate>Sat, 18 Jul 2026 13:42:23 +0000</pubDate>
      <link>https://dev.to/oleg_ivanov_a662b77fe36b2/manual-vs-generated-oauth-scopes-lessons-learned-while-building-an-identity-platform-314h</link>
      <guid>https://dev.to/oleg_ivanov_a662b77fe36b2/manual-vs-generated-oauth-scopes-lessons-learned-while-building-an-identity-platform-314h</guid>
      <description>&lt;p&gt;OAuth scopes have been part of authorization systems for years, and almost every identity provider manages them as independent objects.&lt;/p&gt;

&lt;p&gt;For small applications, this approach works perfectly.&lt;/p&gt;

&lt;p&gt;However, after working on enterprise applications and identity systems for many years, I kept encountering the same problem: as the number of APIs, OAuth clients, and permissions grows, maintaining OAuth configuration gradually becomes more difficult than implementing the authorization logic itself.&lt;/p&gt;

&lt;p&gt;This made me wonder:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;&lt;strong&gt;Should OAuth scopes really be managed manually, or are they simply another artifact that can be generated from the authorization model?&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;To answer that question, I decided to experiment with a different approach while building my own identity platform.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Manual Scope Management&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Most identity providers treat scopes as standalone entities.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;p&gt;orders.read&lt;br&gt;
orders.write&lt;/p&gt;

&lt;p&gt;users.read&lt;br&gt;
users.write&lt;/p&gt;

&lt;p&gt;reports.generate&lt;/p&gt;

&lt;p&gt;Each scope is created manually, assigned to clients, documented, and maintained throughout the lifetime of the application.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Advantages&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The biggest advantage is simplicity.&lt;/p&gt;

&lt;p&gt;Need another permission?&lt;/p&gt;

&lt;p&gt;Just create another scope.&lt;/p&gt;

&lt;p&gt;Manual management also provides complete flexibility. Developers are free to define any naming convention and create scopes that don't necessarily correspond to a particular API or resource.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;p&gt;legacy.export&lt;/p&gt;

&lt;p&gt;partner.sync&lt;/p&gt;

&lt;p&gt;crm.admin&lt;/p&gt;

&lt;p&gt;This model also works extremely well for small systems.&lt;/p&gt;

&lt;p&gt;If an application has only a few APIs and a limited number of OAuth clients, manually maintaining twenty or thirty scopes is neither difficult nor time-consuming.&lt;/p&gt;

&lt;p&gt;Finally, this is the model developers already know. Nearly every OAuth provider follows it, making it familiar and easy to understand.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Disadvantages&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The disadvantages usually appear much later.&lt;/p&gt;

&lt;p&gt;As systems evolve, scopes gradually become disconnected from the APIs they were originally created for.&lt;/p&gt;

&lt;p&gt;An API may be removed while its scopes remain.&lt;/p&gt;

&lt;p&gt;Different teams introduce different naming conventions.&lt;/p&gt;

&lt;p&gt;Duplicate scopes appear.&lt;/p&gt;

&lt;p&gt;Some scopes are no longer assigned to any client but continue to exist.&lt;/p&gt;

&lt;p&gt;Adding a new API often requires several manual steps:&lt;/p&gt;

&lt;p&gt;creating scopes;&lt;br&gt;
assigning them to clients;&lt;br&gt;
updating documentation;&lt;br&gt;
verifying permissions.&lt;/p&gt;

&lt;p&gt;Eventually, even simple questions become difficult to answer.&lt;/p&gt;

&lt;p&gt;Why does this scope exist?&lt;/p&gt;

&lt;p&gt;Which API owns it?&lt;/p&gt;

&lt;p&gt;Is it still being used?&lt;/p&gt;

&lt;p&gt;Can it be safely removed?&lt;/p&gt;

&lt;p&gt;Over time, the identity server configuration gradually stops reflecting the actual system.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Generated Scope Management&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;While designing my identity platform, I wanted to try a different model.&lt;/p&gt;

&lt;p&gt;Instead of treating scopes as primary objects, I made them a result of the authorization model.&lt;/p&gt;

&lt;p&gt;The idea is simple:&lt;/p&gt;

&lt;p&gt;Resource&lt;br&gt;
      ↓&lt;br&gt;
Permissions&lt;br&gt;
      ↓&lt;br&gt;
Generated OAuth Scopes&lt;/p&gt;

&lt;p&gt;For example, defining a resource called Orders with two permissions:&lt;/p&gt;

&lt;p&gt;Read&lt;br&gt;
Write&lt;/p&gt;

&lt;p&gt;automatically produces:&lt;/p&gt;

&lt;p&gt;orders.read&lt;br&gt;
orders.write&lt;/p&gt;

&lt;p&gt;Scopes are no longer managed directly.&lt;/p&gt;

&lt;p&gt;They are generated from the authorization model.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Advantages&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The biggest benefit is having a single source of truth.&lt;/p&gt;

&lt;p&gt;Instead of maintaining resources, permissions, and scopes independently, only the authorization model needs to be maintained.&lt;/p&gt;

&lt;p&gt;Removing a resource automatically removes its generated scopes.&lt;/p&gt;

&lt;p&gt;Naming conventions become consistent across the system.&lt;/p&gt;

&lt;p&gt;Auditing becomes easier because every generated scope has a clear origin.&lt;/p&gt;

&lt;p&gt;Adding a new API no longer requires manually creating every scope.&lt;/p&gt;

&lt;p&gt;As the system grows, configuration becomes easier to maintain because resources, permissions, and scopes remain synchronized automatically.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Disadvantages&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This approach also has trade-offs.&lt;/p&gt;

&lt;p&gt;The authorization model becomes more sophisticated.&lt;/p&gt;

&lt;p&gt;Developers need to understand how scopes are generated instead of simply creating them.&lt;/p&gt;

&lt;p&gt;Not every scope naturally belongs to a resource.&lt;/p&gt;

&lt;p&gt;Standard OAuth and OpenID Connect scopes such as:&lt;/p&gt;

&lt;p&gt;openid&lt;br&gt;
profile&lt;br&gt;
email&lt;br&gt;
offline_access&lt;/p&gt;

&lt;p&gt;still need to exist independently.&lt;/p&gt;

&lt;p&gt;Migration from an existing manually managed system can also be challenging.&lt;/p&gt;

&lt;p&gt;Finally, generated scopes reduce flexibility.&lt;/p&gt;

&lt;p&gt;If a project requires completely arbitrary scopes, the generation model must explicitly support them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Which Approach Is Better?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I don't think there is a universally correct answer.&lt;/p&gt;

&lt;p&gt;For small applications, manual scope management is simple, explicit, and probably the right solution.&lt;/p&gt;

&lt;p&gt;For larger systems involving dozens of APIs, hundreds of clients, and multiple development teams, maintaining OAuth configuration eventually becomes a problem of its own.&lt;/p&gt;

&lt;p&gt;That's where generating scopes from the authorization model starts to make sense.&lt;/p&gt;

&lt;p&gt;It reduces repetitive configuration, keeps resources and scopes synchronized, and makes the system easier to maintain over time.&lt;/p&gt;

&lt;p&gt;This idea became one of the architectural decisions behind my identity platform, &lt;strong&gt;SolNeat Identity.&lt;/strong&gt; I built it to explore whether this approach works well in practice, not because I believe manual scope management is wrong, but because I repeatedly encountered the same maintenance problems in growing systems.&lt;/p&gt;

&lt;p&gt;I'm interested in hearing how others approach this challenge.&lt;/p&gt;

&lt;p&gt;Do you manage OAuth scopes manually?&lt;br&gt;
Have you experimented with generating them from resources or permissions?&lt;br&gt;
At what point, if ever, did manual scope management become difficult?&lt;/p&gt;

&lt;p&gt;If you're interested in the implementation, you can find the project at &lt;strong&gt;&lt;a href="https://id.solneat.com" rel="noopener noreferrer"&gt;https://id.solneat.com&lt;/a&gt;.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I'm looking forward to your feedback and discussion.&lt;/p&gt;

</description>
      <category>automation</category>
      <category>webdev</category>
      <category>oauth</category>
    </item>
  </channel>
</rss>
