How does Oauth scopes affect the authentication/authentication flow

[peterMuriuki]

we use Oauth2 for authorization. The authorization server is keycloak which as expected has support for different scopes which can be used during authentication. Example of these scopes include profile, openId, email, etc.

How do these scopes affect the authentication/authorization flow. Authorization in this sense encompasses all requests that the logged in users would make or rather all interactions they would have with resources stored on both the resource and authorization server, for the duration of the session in which they are authenticated.

[peterMuriuki]

My Findings:

We use 2-layered protocol for the full authorization/authentication flow, Oauth2 which handles authentication and OpenId for user authorization.

https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes

OpenID Connect (OIDC) scopes are used by an application during Authorization to authorize access to a user's details, like name and picture.

The scopes an application should request depend on which user attributes the application needs

The userinfo endpoint is a way to get openId standard claims, which can also alternatively be extracted from a JWT token.

Refer here to see the claims will be returned given the default openId scopes

What does this mean for us:
We need at-least 2 scopes for login to work:

1. openId - to tell keycloak that it should use OIDC workflow
2. profile - to get some of the user information, specifically the name and username claims

Furthermore it seems we can use custom scopes to define access privileges to other resources stored on resource servers. This would tie in well with work we are doing to integrate Role based access but is out of scope for this discussion and phase of development.