- Issue created by @kingdutch
Within the simple_oauth module we defined the concept of a scope hierarchy. This allows a client to request or receive a few high level scopes in case it needs a lot of access. For example I may have a `user`, `user:list`, and `user:write` scope where `user` is the parent of both `user:list` and `user:write`. This allows a system to request `user` rather than the individual child scopes.

In graphql_oauth, if a field is protected by a specific child scope such as `user:list`, then access is denied to an application that has a parent scope (i.e. `user`) but didn't explicitly request the child scope. The expected outcome would be that access to the field is allowed.

We currently map all scopes for the token, which does not take into account the hierarchy. We could instead query the simple_oauth module for the hierarchy and include all the scopes in the hierarchy in `$token_scopes`, but this might be implementation dependent.

Instead it's probably better if we can ask the token whether it satisfies a specific scope and let the simple_oauth module handle that (taking care of the parent-child relationship for us), rather than performing an array intersection ourselves.
Active
1.0
Code
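As an added illustration of the behaviour the issue describes (example code, not part of graphql_oauth or simple_oauth), the PHP below puts the flat intersection check beside a hierarchy-aware `satisfies()` check. The `ScopeHierarchy` and `AccessToken` classes, the `fieldAccessAllowed()` helper and the parent => children array are assumptions made for this example; simple_oauth's real hierarchy representation and API are not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical hierarchy: parent scope => child scopes. This is an assumption
// for the example, not simple_oauth's actual data model or API.
final class ScopeHierarchy
{
    /** @param array<string, string[]> $children */
    public function __construct(private array $children) {}

    /**
     * Every scope implied by $scope: the scope itself plus all descendants.
     * A visited set guards against a misconfigured cyclic hierarchy.
     */
    public function expand(string $scope): array
    {
        $implied = [$scope => true];
        $stack = [$scope];
        while ($stack !== []) {
            $current = array_pop($stack);
            foreach ($this->children[$current] ?? [] as $child) {
                if (!isset($implied[$child])) {
                    $implied[$child] = true;
                    $stack[] = $child;
                }
            }
        }
        return array_keys($implied);
    }
}

final class AccessToken
{
    /** @param string[] $grantedScopes scopes literally present on the token */
    public function __construct(private ScopeHierarchy $hierarchy, private array $grantedScopes) {}

    // The flat check the issue describes: an intersection of the field's scope
    // with the token's literal scope list. A token carrying only `user` fails
    // a field protected by `user:list`.
    public function hasScopeFlat(string $required): bool
    {
        return in_array($required, $this->grantedScopes, true);
    }

    // Hierarchy-aware check: the token satisfies $required when any granted
    // scope is $required itself or an ancestor of it. Only a parent implies
    // its children; a child never implies its parent or a sibling.
    public function satisfies(string $required): bool
    {
        foreach ($this->grantedScopes as $granted) {
            if (in_array($required, $this->hierarchy->expand($granted), true)) {
                return true;
            }
        }
        return false;
    }
}

// What a GraphQL field resolver would call before returning protected data
// (hypothetical helper for the example).
function fieldAccessAllowed(AccessToken $token, string $fieldScope): bool
{
    return $token->satisfies($fieldScope);
}

// Constructed sample hierarchy matching the issue's example.
$hierarchy = new ScopeHierarchy([
    'user' => ['user:list', 'user:write'],
]);

$parentOnly = new AccessToken($hierarchy, ['user']);
$listOnly   = new AccessToken($hierarchy, ['user:list']);

$cases = [
    'parent token, flat check on user:list'      => $parentOnly->hasScopeFlat('user:list'),
    'parent token, hierarchy check on user:list' => fieldAccessAllowed($parentOnly, 'user:list'),
    'user:list token, field needs user:write'    => fieldAccessAllowed($listOnly, 'user:write'),
    'user:list token, field needs user'          => fieldAccessAllowed($listOnly, 'user'),
];
foreach ($cases as $label => $allowed) {
    printf("%-45s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

Run with PHP 8 (`php scope_check.php`). The first case reproduces the denial from the issue: the token holds `user` but the flat intersection finds no `user:list`. The second case is the hierarchy-aware check granting that same access. The last two cases matter just as much for security: a token holding only `user:list` must not be widened to `user:write` or to `user`, which is why `satisfies()` expands the granted scope downward and never expands the required scope upward. Whatever answers this question should be the authority that issued the token, so the hierarchy and the token's scopes come from one place rather than being reassembled by the GraphQL layer.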