What is ACL and how it relates to OAuth

[RutsuKun]

If I understand correctly if the client has ACL for a given group, the user who wants scopes will be checked under the point of being in the given group and are scopes available for the group? Is it the same with ACL users in the client? ( the user who wants scopes will be checked for presence in the client in the users ACL and if scopes are allowed for the given user? )

If possible, I would ask for a detailed explanation of how the ACL works in Meiling Gatekeeper,

Regards, RutsuKun

[Alex4386]

Hi, those ACLs for client is meant for admins of Meiling Gatekeeper (owner of the oAuth2 server) to control available scopes that can be authorized in specified client.

You can think OAuth2ClientACL as following:
Google oAuth2 client in Cloud Console can not use google drive scopes by default. but you can use it afterwards when you enable it in google cloud console.

In short, Adding a scope on client acl will enable the client to create token with the scope mentioned above. If the requested auth has scope that is not allowed in ACL, meiling will simply decline generating token/authorization code since that scope is not allowed for the client.

[RutsuKun]

And if client doesn't have any ACL (no groups or users) then client can use every scopes?

[RutsuKun]

From what I noticed, Keycloak (Oauth2 and oidc provider) generates a token if the client does not have access to a given scope but simply does not include that scope in the token

[Alex4386]

From what I noticed, Keycloak (Oauth2 and oidc provider) generates a token if the client does not have access to a given scope but simply does not include that scope in the token

meiling behaves differently in this scenario.
Meiling behaves more like Google's oAuth2 server since it was designed after it.

In meiling, instead of generating authorization code/token, It returns an error that code/token could not be generated since client does not have allowed scope that can meet with all requested scopes.
(will add reference to code later on)

[Alex4386]

And if client doesn't have any ACL (no groups or users) then client can use every scopes?

the group and users acl is different story since it is for managing access (who can use the app i.e. controlling who can authorize using client)

but this was not implemented at the moment.

[RutsuKun]

I think now I understand it more, if I have any questions I will try to start discussions.