Replies: 4 comments 1 reply
-
Have a look at Ory Keto; maybe this can already solve your problem without any additions to Hydra?
-
It is a possible solution to use Keto (and wait for the Zanzibar refactor); we are looking into it for more granular authorization (specific object level). But it is still good practice to have basic scope management for two different user populations.
-
I don't quite understand the scope use case :/ OAuth2 scope refers to what a user allows a third-party app to do in their name. It is different from a permission system (e.g. Ory Keto) that answers who can do what. If you're using OAuth2 scope as permissions, please reconsider your security architecture. The OAuth2 scope does not go away unless the token is revoked. A permission system, however, needs to be real-time: if you remove the permission, the effect must be immediate. OAuth2 is not a protocol that can solve that or is designed to solve that! Maybe I misunderstand the use case or setup :)
-
@ashley-3r I don't quite understand the details of the use case. Could you, in a simple bullet list, show the things you're trying to do? Including technical details like what endpoints, which payloads. Thanks!
-
Objective: Manage multiple user groups with different scope capabilities within the same app.
Use case: Within the same mobile app, some users are moderators with special moderating scopes and normal user-only scopes. Other users have access to only user scopes.
Current implementation problem: We could use Ory Kratos to manage the user identities and add specific moderating traits for the moderators. We use Hydra to emit PKCE JWT tokens with the required scopes from a valid Kratos authentication.
How do we manage those different groups between Kratos and Hydra, particularly on the authorisation endpoint, to switch between user and moderator scope capability without defining two apps only to provide moderator scopes when specific users should have access to them?
Is there any intended way to manage different user groups of the same application to only provide certain scopes to those user groups and not to all users of the application, as it seems to currently be for a specific client app of Hydra?
Possible solution: Hook with a cache before processing the authorisation query to resolve which group of scopes that specific user should have access to within one app. Requires an additional group management layer within Hydra.
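One way to get per-user scope narrowing without a second client or a new group layer in Hydra is to decide it in the consent step, where Hydra already hands the consent app the requested scopes and lets it choose which to grant. The following is an added example, not code from the Ory project or from anyone in this thread; it assumes a Kratos identity trait named `moderator` and constructed scope names, and builds the body for Hydra's accept-consent admin call (`grant_scope`, `grant_access_token_audience`, `remember`, `session`).

```python
# Added example (not Ory code): narrow the granted scopes at the Hydra consent
# step to what the subject's Kratos traits entitle them to. A single client may
# request moderator scopes; only identities flagged as moderators receive them.
# Trait and scope names below are constructed for illustration.
from typing import Iterable, List

# Constructed policy: baseline scopes every user may hold, plus the scopes that
# only an identity with traits.moderator == True may additionally be granted.
BASE_SCOPES = {"openid", "offline_access", "profile", "posts:read", "posts:write"}
MODERATOR_SCOPES = {"posts:moderate", "users:suspend"}


def allowed_scopes(traits: dict) -> set:
    """Scopes this identity may ever be granted, derived from its Kratos traits."""
    allowed = set(BASE_SCOPES)
    # Strict identity check: a string "true" or any other truthy value does not
    # unlock moderator scopes, only the boolean trait does.
    if traits.get("moderator") is True:
        allowed |= MODERATOR_SCOPES
    return allowed


def grant_scopes(requested: Iterable[str], traits: dict) -> List[str]:
    """Intersect the client's requested scopes with what the subject may hold.
    Scopes the subject is not entitled to are dropped (scope narrowing) rather
    than failing the whole consent; request order is preserved."""
    allowed = allowed_scopes(traits)
    return [s for s in requested if s in allowed]


def build_accept_consent(consent_request: dict, traits: dict, remember: bool = False) -> dict:
    """Build the JSON body for Hydra's accept-consent admin endpoint.
    `consent_request` is the JSON Hydra returns for the consent challenge
    (fields requested_scope and requested_access_token_audience are used)."""
    granted = grant_scopes(consent_request.get("requested_scope", []), traits)
    return {
        "grant_scope": granted,
        "grant_access_token_audience": consent_request.get("requested_access_token_audience", []),
        "remember": remember,
        "session": {
            # Surface the decision in the ID token so the app can adapt its UI;
            # resource servers must still trust only the access token's scope.
            "id_token": {"moderator": "posts:moderate" in granted},
        },
    }


if __name__ == "__main__":
    # Constructed consent request, as Hydra would hand it to the consent app.
    req = {"requested_scope": ["openid", "posts:read", "posts:moderate"],
           "requested_access_token_audience": []}
    print(build_accept_consent(req, {"email": "alice@example.com", "moderator": False}))
```

As the maintainer notes above, a granted scope lives as long as the token, so removing the `moderator` trait only takes effect at the next consent; keep access tokens short-lived (or skip `remember`) if moderator status must lapse quickly.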