Description
I've been working on this myself, as it's a need for a project I'm working on, but here is a formal issue for discussion of the ideal implementation (mine is a bit hacked together), etc.
What is the request:
django-oauth-toolkit offers the ability to create custom scopes, but does not have a way to restrict each application to a separate subset of scopes.
The need may arise (as it has in my case) to not give all applications access to all scopes - some scopes may be restricted to more trusted applications/individuals. For example, you may want to grant all applications a "read_basic_details" scope, but only trusted applications should be able to use the "read_full_details" scope.
Suggested course of action:
My implementation adds an allowed_scopes field to the application model. Just like in the OAuth spec, the scopes are listed as space-separated strings. When an access token is requested, the user is only given the option to request the scopes present in allowed_scopes -- this allows any application to be restricted only to specific scopes.
My pull request, to my own fork, is here:
TODO:
- My code is probably suboptimal, and should be reviewed and perhaps redone.
- It stands to reason that if the site owner wants to restrict scopes, then application owners should not be able to edit the allowed_scopes field. I've not implemented this, as I'm just using waffle tags to only allow site administrators access to create or view the listing of applications for now. Ideally, to keep django-oauth-toolkit as an all-in-one / turnkey solution, this problem might be best addressed within the package itself.
Thanks for your consideration and review!
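The restriction the issue proposes, written out as an added example that is not code from the issue author's fork or from django-oauth-toolkit itself. It is framework-free: `AppRecord` stands in for the application model, `SERVER_SCOPES` is a constructed sample scope registry using the two scope names from the issue, and `parse_scope_string`, `selectable_scopes` and `check_scope_request` are hypothetical helper names. It also makes one choice the issue leaves open: an empty `allowed_scopes` is treated as "nothing allowed" (fail closed), and unknown scope names are reported as rejected rather than silently dropped.

```python
"""Per-application scope restriction, as sketched in the issue.

Added illustration only; none of these names come from django-oauth-toolkit.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: every scope the server knows about, with its description
# (mirrors the two example scopes named in the issue).
SERVER_SCOPES: dict[str, str] = {
    "read_basic_details": "Read basic profile details",
    "read_full_details": "Read the full profile, including restricted fields",
}


@dataclass
class AppRecord:
    """Stand-in for an OAuth application row (hypothetical).

    `allowed_scopes` holds the space-separated scope list the issue proposes.
    Assumption made here: an empty string means the application may request
    no scopes at all, so a freshly created or misconfigured application fails
    closed instead of inheriting every scope the server defines.
    """

    name: str
    allowed_scopes: str = ""


def parse_scope_string(scope_string: str) -> set[str]:
    """Split an OAuth 2.0 style space-separated scope list into a set.

    Surrounding and repeated whitespace is tolerated; duplicates collapse.
    """
    return set(scope_string.split())


def selectable_scopes(app: AppRecord) -> dict[str, str]:
    """Scopes to offer on the authorization page for this application.

    Only scopes that are both defined on the server AND listed in the
    application's allowed_scopes are offered, so a scope that was removed
    from the server registry can never be granted via a stale allow-list.
    """
    allowed = parse_scope_string(app.allowed_scopes)
    return {name: desc for name, desc in SERVER_SCOPES.items() if name in allowed}


def check_scope_request(app: AppRecord, requested: str) -> tuple[set[str], set[str]]:
    """Validate the `scope` parameter of an authorization/token request.

    Returns (granted, rejected). `rejected` contains every requested scope the
    application is not permitted to use, including unknown names, so the
    caller can answer with an explicit invalid_scope error and log the attempt
    rather than quietly issuing a narrower token.
    """
    wanted = parse_scope_string(requested)
    permitted = set(selectable_scopes(app))
    return wanted & permitted, wanted - permitted


def request_is_permitted(app: AppRecord, requested: str) -> bool:
    """True only when every requested scope is allowed for the application."""
    _, rejected = check_scope_request(app, requested)
    return not rejected


if __name__ == "__main__":
    trusted = AppRecord("trusted-app", "read_basic_details read_full_details")
    public = AppRecord("public-app", "read_basic_details")

    print("public app may choose from:", sorted(selectable_scopes(public)))
    granted, rejected = check_scope_request(public, "read_basic_details read_full_details")
    print("public app requesting both -> granted", sorted(granted), "rejected", sorted(rejected))
    print("trusted app requesting both ->", request_is_permitted(trusted, "read_basic_details read_full_details"))
```

Wired into a real authorization view, `selectable_scopes` would drive the scope checkboxes the user sees and `check_scope_request` would run server-side on the submitted `scope` value as well, since the list of checkboxes the client was shown is not a security boundary on its own.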