I have a user_master table, a role_master table and a child table called user_roles, which has references to the user id and role id and indicates which user belongs to which role.
I have one more permission table which indicates which permissions belong to which roles.
For example:

user master table:

id  user_master  password
1   John         some_md5
2   Jane         some_md5

role_master table:

id  role_name
1   Administrator
2   Data entry operator

user_roles:

id  user_id  role_id
1   1        1
2   2        2

permissions:

id  permission_name  role_id
1   content.create   1
2   content.create   2
3   content.delete   1
In the Laravel Passport token scope docs, it's mentioned that we can pass the token scopes in AuthServiceProvider. But in this case, the roles and permissions scopes are dynamic, so is it best practice to load them in AuthServiceProvider from the database table?

And in the oauth/token API, we are supposed to pass the scope. But as per this dynamic example, we cannot pass * as the scope because some roles have limited accessibility and some roles can access everything. So once we have the user name and password sent as POST from web/mobile applications, how can we pass the scope? Before oauth/token triggers, we will not have the user roles and scope information.

Any help is really appreciated. Thanks!
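
The scope problem described above, worked through on the question's own tables as an added example (not part of the original post and not Laravel Passport code): once the credentials are verified, the server derives the scopes from user_roles and permissions and grants only the intersection with what the client asked for. Python with an in-memory SQLite database stands in for the application database, and the function names are hypothetical.

```python
import sqlite3

def build_db():
    """Constructed sample data mirroring user_roles and permissions above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_roles (id INTEGER PRIMARY KEY, user_id INTEGER, role_id INTEGER);
        CREATE TABLE permissions (id INTEGER PRIMARY KEY, permission_name TEXT, role_id INTEGER);
        INSERT INTO user_roles VALUES (1, 1, 1), (2, 2, 2);
        INSERT INTO permissions VALUES
            (1, 'content.create', 1), (2, 'content.create', 2), (3, 'content.delete', 1);
    """)
    return db

def allowed_scopes(db, user_id):
    """Every permission reachable through any of the user's roles."""
    rows = db.execute(
        """SELECT DISTINCT p.permission_name
             FROM user_roles ur
             JOIN permissions p ON p.role_id = ur.role_id
            WHERE ur.user_id = ?""",
        (user_id,),  # bound parameter, never string-formatted into the query
    )
    return {name for (name,) in rows}

def grant_scopes(db, user_id, requested):
    """Scopes to place on the token: requested intersected with allowed.

    '*' means "everything this user's roles permit", not "everything".
    Scopes the user's roles do not carry are dropped, never granted.
    """
    allowed = allowed_scopes(db, user_id)
    if "*" in requested:
        return sorted(allowed)
    return sorted(allowed & set(requested))

if __name__ == "__main__":
    db = build_db()
    print(grant_scopes(db, 1, ["*"]))                                 # Administrator
    print(grant_scopes(db, 2, ["content.create", "content.delete"]))  # Data entry operator
```

Because the decision is made server-side after authentication, the client does not need to know the user's roles when it calls the token endpoint, and a client that asks for more than the role allows simply receives less.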