OAuth permission scopes

Where can I find the OAuth permission scopes of ERPNext?

Permissions to individual doc types like Products, Customer etc. are controlled by roles. OAuth is used to log in to the application securely via the secure token provided. Here is a link related to OAuth you may find useful

1 Like

Right now the validation of scope is based on 2 things:

  1. The scopes mentioned in the OAuth client are checked during requests
  2. If one of the scopes mentioned in the OAuth client and the request is openid, then the id_token JWT, signed with the client secret, is sent along with the access token.

Scopes are of limited use for restricting access as of now;
more powerful roles and permissions already exist.

Only if somehow we can connect roles and scopes properly, and validate them for all OAuth2 requests.

The user from the token is set as the logged-in user; this directly gives control to role permissions. Scopes don't restrict anything thereafter.
Kind of like GitHub's OAuth2.

I think I have a design to improve on this and I am currently working on making it work.

Here is my thought on the OAuth scopes improvements:

Documents

  • A scope with the name of the document type will allow the user to access this document type
  • If you want the user to access Sales Order, give the sales_order scope

API Methods

  • Add the scope as a new parameter in the whitelist decorator; if the requesting user has one of the scopes listed in the decorator, it gets access

There is one last missing piece for the "OAuth scoping", and it is Read/Write access, so if anybody has an idea for this, just put it out and discuss it :slight_smile:

I am also thinking about creating a generic scope called “all” that would give total permission.

The roles and permission would be applied just after checking the scope permission.

What do you think of this?

1 Like

Currently Scope is a text field.
I think adding a Child Table for scopes is also a better idea. That way sales_order will be a Link field for DocType.

Child table fields:

  • DocType: Link, options DocType
  • Read: check
  • Write: check
  • Create: check
  • Delete: check

Something like the Permission Rules child DocType. Instead of Role, DocType, and perhaps drop the level column if not used?
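To make the two proposals above concrete (the DocType-named scopes plus "all" scope and the whitelist decorator parameter from the earlier post, and the Read/Write/Create/Delete child table from this one), here is an added Python sketch. It is example code written for this thread, not Frappe or ERPNext code: `ScopeRow`, `TokenContext`, `whitelist`, `doctype_allowed`, `load_document` and the role table are all hypothetical names, and the scope table and role permissions are constructed sample data. The scope check runs first and the existing role permission check runs afterwards, in the order the proposal describes.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class ScopeRow:
    """One row of the proposed scope child table: a DocType plus permission checkboxes."""
    doctype: str
    read: bool = False
    write: bool = False
    create: bool = False
    delete: bool = False


@dataclass
class TokenContext:
    """What a validated access token carries: the user it was issued to and its scopes."""
    user: str
    scopes: frozenset


class ScopeDenied(PermissionError):
    """Raised when the token's scopes do not cover the requested action."""


def scope_name(doctype: str) -> str:
    """Derive the scope string from a DocType name, e.g. 'Sales Order' -> 'sales_order'."""
    return doctype.strip().lower().replace(" ", "_")


def doctype_allowed(token, scope_table, doctype, ptype) -> bool:
    """Scope check for a DocType and permission type ('read', 'write', 'create', 'delete').

    The generic 'all' scope grants everything; otherwise the token must carry the
    DocType's scope and the client's child table row must tick that permission."""
    if "all" in token.scopes:
        return True
    wanted = scope_name(doctype)
    if wanted not in token.scopes:
        return False
    return any(
        scope_name(row.doctype) == wanted and getattr(row, ptype, False)
        for row in scope_table
    )


def whitelist(scopes=()):
    """API-method guard with the proposed extra parameter: the token needs any listed scope."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(token, *args, **kwargs):
            if scopes and "all" not in token.scopes and not token.scopes & set(scopes):
                raise ScopeDenied(f"{fn.__name__} requires one of {sorted(scopes)}")
            return fn(token, *args, **kwargs)
        return wrapper
    return decorator


# Constructed role table standing in for the existing role permission system.
ROLE_PERMISSIONS = {
    "alice@example.com": {"Sales Order": {"read", "write"}, "Customer": {"read"}},
    "bob@example.com": {"Sales Order": {"read"}},
}


def role_has_permission(user, doctype, ptype) -> bool:
    return ptype in ROLE_PERMISSIONS.get(user, {}).get(doctype, set())


def load_document(token, scope_table, doctype, name):
    """Scope check first, then the role check, as the proposal orders them."""
    if not doctype_allowed(token, scope_table, doctype, "read"):
        raise ScopeDenied(f"scope does not allow read on {doctype}")
    if not role_has_permission(token.user, doctype, "read"):
        raise PermissionError(f"{token.user} has no read role permission on {doctype}")
    return {"doctype": doctype, "name": name, "loaded_by": token.user}


@whitelist(scopes=("sales_order",))
def list_sales_orders(token):
    """Example API method protected by the scope-aware decorator."""
    return ["SO-0001", "SO-0002"]


# Constructed client configuration: Sales Order is read-only, Customer read/write.
CLIENT_SCOPE_TABLE = (
    ScopeRow("Sales Order", read=True),
    ScopeRow("Customer", read=True, write=True),
)


if __name__ == "__main__":
    alice = TokenContext("alice@example.com", frozenset({"openid", "sales_order"}))
    print(load_document(alice, CLIENT_SCOPE_TABLE, "Sales Order", "SO-0001"))
    print(list_sales_orders(alice))
    try:
        load_document(alice, CLIENT_SCOPE_TABLE, "Customer", "CUST-0001")
    except ScopeDenied as exc:
        print("denied:", exc)
```

Note the two independent gates: a token carrying `all` still cannot read a DocType its user has no role permission on, and a token whose scopes cover a DocType still cannot write it unless the client's child-table row ticks Write.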

Thank you everybody. And I have another question: what do we all need to connect to ERPNext? And how can I create a developer account in ERPNext?

An OAuth 2 Client has to be added to your instance. This works for cloud accounts as well as self-hosted systems. The System Manager role is able to add an OAuth client.

More:

http://frappe.github.io/frappe/user/en/guides/integration/

Dev details: OAuth 2 provider and OpenID Connect for Frappe Apps

Thank you revant_one,

To integrate the app with ERPNext we need to have a developer account. How can I create a developer account in ERPNext?

There is no separate developer account. If you are a cloud user, i.e. an erpnext.com user, you can add an OAuth client as a System Manager. This will be the production setup of your app/client interaction.

If you are looking for a sandbox-like setup, you'll have to host your own local or online instance and test it there.