What Is Scope In Oauth2 Authentication Example Using Postman

Understanding Scope in OAuth 2.0 Authentication: A Practical Guide with Postman

OAuth 2.0 is a popular authorization framework used to delegate access to protected resources. In this guide, we’ll explore the concept of scope within OAuth 2.0 and illustrate its application through practical examples using Postman.

What is Scope in OAuth 2.0?

Scope defines the level of access a client application requests from a user’s account. It’s essentially a list of permissions that the client application is authorized to perform on the user’s behalf.

Imagine you’re using a social media app that lets you share your photos on a different platform. To do this, the app needs to access your photo library. The scope in this scenario would be “read access to photos”. Similarly, a financial app might request “read access to transaction history” to display your recent transactions.

Why is Scope Important?

• Security: Scope limits what data the client application can access. This helps minimize the risk of unauthorized data exposure.
• Privacy: Users have greater control over their data by specifying the permissions they grant.
• Flexibility: Scope enables different levels of access for different clients or for different use cases.

Using Scope in Postman: A Step-by-Step Example

Let’s demonstrate how scope works using a popular open-source API – GitHub API.

1. Setting up the OAuth 2.0 Flow in Postman

• Go to the Postman App: Open Postman, and create a new request.
• Select the “Authorization” tab: Choose “OAuth 2.0”.
• Configure the OAuth 2.0 Flow:
  • Grant Type: Choose “Authorization Code”.
  • Token URL: https://github.com/login/oauth/access_token
  • Authorization URL: https://github.com/login/oauth/authorize
  • Client ID and Secret: Obtain these from your GitHub Developer Settings page.
  • Scope (optional): We will discuss scope later in this example.
  • Redirect URI: This is the URL GitHub will redirect to after the authorization process. You can use https://example.com/ or http://localhost.

2. Specifying the Scope

• Define the Scope: In the “OAuth 2.0” tab, add your desired scope in the “Scope” field.
  • Example:

    user:email, repo

3. Defining the Scope’s Meaning:

• Github’s Supported Scopes:
  • user:email: Grants access to the user’s email address.
  • repo: Grants access to public and private repositories.

4. Making a Secured Request:

• Construct your API request: Create a GET request to https://api.github.com/user for example.
• Send the Request: Postman will automatically send the Authorization header with the access token obtained using the configured OAuth 2.0 flow and the defined scope.

5. Verifying Scope Access:

• Check the Response: In the response, you’ll see information related to the user, such as their username and email address. If you requested user:email scope, the response should contain their email. If you requested repo scope, you will be able to access the user’s repos using other API endpoints.

Example Code:

// Request body
{
    "grant_type": "authorization_code",
    "code": "{{code}}",
    "client_id": "{{client_id}}",
    "client_secret": "{{client_secret}}",
    "redirect_uri": "{{redirect_uri}}"
}

// Response body
{
  "access_token": "ghp_your_access_token",   // This is the access token
  "token_type": "bearer",                  // Token type
  "scope": "user:email, repo"              //  This is the scope provided
}

Scope vs. Permissions

While “scope” and “permissions” are often used interchangeably, there’s a subtle difference. Scope defines the type of access, while permissions are granted within a particular scope. For example, the “repo” scope grants access to a user’s repositories, but you might also have the permission to “delete repository” within the “repo” scope.

Conclusion

Understanding the concept of scope is essential for securing your APIs and managing user privacy. This guide provides a practical walkthrough of how to use scope in your OAuth 2.0 authentication workflow using Postman.