Hey, when I would like to change the OAuth2 scope ...
# ory-network
p
Hey, when I would like to change the OAuth2 scope strategy from `wildcard` to `hierarchic` with the following CLI (version 1.1.0) command `ory patch oauth2-config --project <project-id> --replace '/strategies/scope="hierarchic"'`, I'm getting the error `I[#/strategies/scope] S[#/properties/strategies/properties/scope/enum] value must be one of "exact", "wildcard"`. Any ideas why there are only two possible values available? Is there a workaround to overcome this issue?
s
I don't think Ory OAuth2 (Hydra) supports the hierarchic scope strategy 🤔
p
@steep-lamp-91158 This means that the `hierarchic` scope strategy only exists for Oathkeeper? Since we would like to use the `hierarchic` scoping mechanism in our upcoming project, do you intend to implement this in the upcoming weeks?
Another question: when I use the `wildcard` scope strategy with scopes `inventory`, `inventory.product`, `inventory.bundle` for an OAuth Client, then I'm getting the following error when requesting the scope `inventory.*`:

```
Request:
POST <BaseURL>/oauth2/token
{
  "grant_type": "client_credentials",
  "client_id": "c1d049cc-6efa-4b83-a776-69bd84ec089b",
  "client_secret": "0ifDzr.wufYbxYKMhvPolBT-zI",
  "scope": "inventory.*"
}

Response:
{
  "error": "invalid_scope",
  "error_description": "The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'inventory.*'."
}
```
s
As far as I can tell it's not even on the roadmap. You can talk to @magnificent-energy-493 about options to support this.
m
Hello @plain-megabyte-75926 happy to talk about your use case for this. From a first glance it does look to me like something that would be better solved by Ory Keto/Ory Permissions. You can read a high-level guide on how to use it here: https://www.ory.sh/docs/keto/guides/simple-access-check-guide
p
Thanks @magnificent-energy-493 for your answer. However, we are using the OAuth Client Credentials flow without a user-context. Therefore, I assume that Ory Keto/Permissions wouldn't help us here, because for M2M communication no roles or permissions are assigned 😕