DEV Community

Discussion on: Explaining how OAuth works with Spotify as an example

temmyraharjo profile image

Because what I think when we put scope in OAuth. It means that everytime we define scope: create_user, read_user, update_user, delete_user (let's say we have big module). We need to retrieve from OAuth to process all that information which is not efficient.

I always thinking that OAuth only need to be use for getting the token and refresh token. While security role is defined in the application it self to process the business logi..

Thread Thread
phlash profile image
Phil Ashby

As usual - it depends :)

In our case, we have a need to share roles across a number of endpoints / APIs / applications in a single-sign-on environment. These roles are managed centrally through OAuth tokens. What the roles /mean/ when a specific application or endpoint receives them is defined locally (as I described in the example above).

If you have a single application, and it already has local permissions / role management capability, then you have little need to move that elsewhere. Indeed your driver for using OAuth is likely different too, typically such applications need to accept identity assertions from other environments such as Google or Facebook, whereas we are building an SSO platform for ourselves... YMMV!