Trusted applications: new scope permission "update" (v.22, breaking change)

Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account.

That was part of the definition of "scope". Or simply said,

scope = permission

Starting with version 22, a new "update" scope is supported. It applies to all external applications that modify data (e.g. create or update). They must now explicitly "own" it.

Take a look at the definition of our trusted application, corresponding to our Domain API.

[Screenshot: definition of the trusted application for the Domain API]

As you can see, it has the "update" scope, and because of this it can modify data.

What's the advantage of the update scope?

Well, this is a de facto standard: it authorizes not the user, but the trusted application. It's like saying:

Give this trusted application permission for updating data.

This way, even if the trusted application is authenticated as an administrator, it won't be able to modify anything unless it has the "update" scope.

What if I try to update, but my trusted app doesn't have the "update" scope?

You'll receive an error:

Cannot access resource "Update data", because your application does not have the necessary permissions!

Accessing the resource requires scope of the trusted application to include "update", but "my-trusted-app" does not include it.

Does this change affect me?

Yes, if your external application needs to modify data (e.g., creating an entity, changing the state of a document, etc.) via a trusted application that doesn't have the "update" scope.

What to do if this change affects me?

The scope of the trusted application should be updated.
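One way to find the affected trusted applications before upgrading is to compare each application's scope with the requests it actually sends. The script below is an added example, not ERP.net code: the application inventory, the log format, the paths and the set of HTTP methods treated as modifying are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: these HTTP methods are the ones that modify data.
MODIFYING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REQUIRED_SCOPE = "update"

# Constructed inventory: trusted application name -> scope string
# (space-delimited, as in OAuth 2.0).
TRUSTED_APPS = {
    "domain-api-client": "read update",
    "my-trusted-app": "read",
    "report-viewer": "read",
}

# Constructed request log, one request per line: "<app> <METHOD> <path>"
SAMPLE_LOG = """\
domain-api-client POST /entities
my-trusted-app GET /entities/1
my-trusted-app PATCH /entities/1
report-viewer GET /reports
my-trusted-app POST /documents
"""

def parse_scopes(scope_string):
    # Exact token match: "updates" or "update-all" must not count as "update".
    return set(scope_string.split())

def find_affected_apps(apps, log_text):
    """Return {app: [modifying requests]} for apps that write without 'update'."""
    affected = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        app, method, path = parts
        if method.upper() not in MODIFYING_METHODS:
            continue  # read-only requests are not affected by the change
        # An app missing from the inventory is treated as having no scope.
        if REQUIRED_SCOPE not in parse_scopes(apps.get(app, "")):
            affected[app].append(f"{method.upper()} {path}")
    return dict(affected)

if __name__ == "__main__":
    for app, requests in find_affected_apps(TRUSTED_APPS, SAMPLE_LOG).items():
        print(f"{app}: needs '{REQUIRED_SCOPE}' scope; modifying requests: {requests}")
```

Applications that only read data, such as "report-viewer" in the sample, are not reported and can stay without the "update" scope.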

 

---

More information is available in our official documentation:

https://docs.erp.net/dev/topics/authentication/trusted-applications.html#scope
