How to model resource level permissions in JWT OAuth2 tokens?

Question

What is the canonical way to encode resource level permissions into a JWT access_token? Or in other words, how do you best encode access to other people's resources?

Is it something like this:

{
  scopes: {
    me: ['user', 'repo'],      // My user
    repo123: ['repo'],         // Someone else's repo
    org541: ['admin', 'repo'], // My org
    org206: ['repo:read']      // Someone else's org
  }
}

Or like this, with namespaced scope tags (in this case <resource>|<scope>:

{
  scopes: ['me|user', 'me|repo', 'repo123|repo', 'org541|admin'... etc]
}

Or something else again?

This applies equally to "roles" or "memberships" or similar tags (and I realise I've mixed the examples above a bit) - the core question remains is how (best) do you distinguish these tags per resource in a single JWT access_token?

Answer 1

I don't know the exact use case you need to implement, but I would probably try to keep the scopes just for API operations. Such as "get a list of repositories". Then a client using the access token can list the repositories it can work with and the resource server verifies the access rights by the username or user groups.

If you wanted to limit the resources available to the client, you could have a scope that would grant access to just a subset (for example just the user's own repositories).

Having resources and their permissions encoded in scopes would make them hard to use (when composing an authentication request, the client would have know resource identifiers) and the permissions may change over the life of the access token.