When using Golang's Oauth2 library:
https://godoc.org/golang.org/x/oauth2#Token
I exchange the authorisation code for access token and I get back this struct:
type Token struct {
// AccessToken is the token that authorizes and authenticates
// the requests.
AccessToken string `json:"access_token"`
// TokenType is the type of token.
// The Type method returns either this or "Bearer", the default.
TokenType string `json:"token_type,omitempty"`
// RefreshToken is a token that's used by the application
// (as opposed to the user) to refresh the access token
// if it expires.
RefreshToken string `json:"refresh_token,omitempty"`
// Expiry is the optional expiration time of the access token.
//
// If zero, TokenSource implementations will reuse the same
// token forever and RefreshToken or equivalent
// mechanisms for that TokenSource will not be used.
Expiry time.Time `json:"expiry,omitempty"`
// contains filtered or unexported fields
}
Now when I am using this access token in my application, I need to know the scope for which the token was granted.
But I don't see any property or method to get the scope?
How to get the token's scope so I can limit user's permissions based on it?
I can see that the Config struct has Scopes slice:
type Config struct {
// ClientID is the application's ID.
ClientID string
// ClientSecret is the application's secret.
ClientSecret string
// Endpoint contains the resource server's token endpoint
// URLs. These are constants specific to each server and are
// often available via site-specific packages, such as
// google.Endpoint or github.Endpoint.
Endpoint Endpoint
// RedirectURL is the URL to redirect users going through
// the OAuth flow, after the resource owner's URLs.
RedirectURL string
// Scope specifies optional requested permissions.
Scopes []string
}
It seems to me there is no way to get scope from a token though?
Surely the point of scope is that it should be part of the access token in order to validate permissions?
See the spec: https://tools.ietf.org/html/rfc6749#page-23