REST API scope troubleshooting
- Updated Aug 1, 2024
- 3 minutes to read
- Xanadu
- Platform Security
Troubleshooting actions can help resolve common issues when setting up or running the REST API scope.
Frequently asked questions
The following are frequently asked questions about the REST API auth scope:
- Can one OAuth token be linked with several auth scopes?
  - Yes. One oauth_entity can be linked with multiple auth scopes, and every OAuth token issued by that oauth_entity has the same auth scopes.
- Can different OAuth tokens with different auth scopes access the same REST API?
  - Yes. The same REST API may be accessed by tokens with different auth scopes. As long as one auth scope is matched, the auth scope check passes and the results are returned.
- Can an OAuth access token with the useraccount auth scope access any REST API?
  - Yes. The useraccount auth scope has full access.
- Can the auth scope of an OAuth access token be changed dynamically?
  - Yes. The auth scope is not hard-coded with the access token in the oauth_credential table. Instead, the auth scope is read from the linked oauth_entity at runtime.
- Does an OAuth token keep the same auth scopes after a refresh?
  - Yes. The auth scope does not change after a token refresh, unless the oauth_admin modifies the auth scope linked with the oauth_entity.
- If the pre-defined useraccount auth scope record is deleted, can a new auth scope named useraccount be created?
  - Creating a new auth scope with the same name useraccount does not work on its own. At runtime, the auth scope check uses the sys_id instead of the name. Set the system property glide.oauth.token.scope.useraccount to the sys_id of the newly created record.
- If an admin modifies the auth scope linked with an oauth_entity, do all existing OAuth access tokens issued by that OAuth entity change as well?
  - Yes. The auth scope is not directly linked with the OAuth access token; it is read from the oauth_entity at runtime.
- Can different OAuth access tokens issued by the same oauth_entity have different auth scopes?
  - No. All access tokens issued by the same oauth_entity always have the same auth scopes.
- Can a user define different auth scopes for a particular endpoint?
  - No. There is a unique constraint check for a particular REST API endpoint. However, the same REST API endpoint may have more than one matched auth scope.
- Is the auth scope check also used for basic auth?
  - No. The auth scope check applies only to OAuth access tokens and OIDC tokens; it is not applied to basic auth and mutual auth.
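The following is an added JavaScript model of the runtime scope resolution these answers describe; it is not ServiceNow's own implementation. The table and property names (oauth_entity, oauth_credential, glide.oauth.token.scope.useraccount) come from this page, while the sys_id values, the endpoint path and all function names are assumed.

```javascript
// Constructed model of the runtime auth-scope check described above. It is not
// ServiceNow code; sys_id values, the endpoint path and all function names are assumed.

// System property holding the sys_id of the useraccount auth scope record.
const sysProperties = { "glide.oauth.token.scope.useraccount": "a1b2_useraccount_sysid" };

// oauth_entity rows: each links to a set of auth scope sys_ids.
const oauthEntity = { ent_client_a: { scopes: new Set(["c3d4_incident_sysid"]) } };

// oauth_credential rows: a token references its entity. There is no scope column,
// so a refreshed token inherits whatever the entity currently links to.
const oauthCredential = {
  tok_original: { oauth_entity: "ent_client_a" },
  tok_refreshed: { oauth_entity: "ent_client_a" },
};

// Auth scope sys_ids allowed per REST endpoint (one record per endpoint, possibly several scopes).
const endpointScopes = { "/api/now/table/incident": new Set(["c3d4_incident_sysid"]) };

// Resolve scopes at request time through the entity, never from the token itself.
function scopesForToken(token) {
  const cred = oauthCredential[token];
  if (!cred) throw new Error("unknown OAuth token");
  return oauthEntity[cred.oauth_entity].scopes;
}

// Returns true when the auth scope check passes. Other checks (ACLs, roles) still
// apply in the platform and are outside this model.
function passesScopeCheck(auth, endpoint) {
  // Only OAuth access tokens and OIDC tokens are scope-checked; basic and mutual auth skip it.
  if (auth.type !== "oauth" && auth.type !== "oidc") return true;
  const scopes = scopesForToken(auth.token);
  // useraccount is matched by sys_id taken from the property, not by name, and grants full access.
  if (scopes.has(sysProperties["glide.oauth.token.scope.useraccount"])) return true;
  const allowed = endpointScopes[endpoint] || new Set();
  for (const scopeId of scopes) if (allowed.has(scopeId)) return true;
  return false;
}

// An oauth_admin changing the entity's scopes affects every token issued by that entity.
function adminSetEntityScopes(entityId, scopeSysIds) {
  oauthEntity[entityId].scopes = new Set(scopeSysIds);
}
```

Because the token carries no scope of its own, revoking or narrowing an entity's scopes takes effect on all of its outstanding tokens immediately, which is the behaviour the answers above describe.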