Definition and Assignment of OAuth Scopes
I use the OAuth 2.0 'password' and 'client_credentials' grant types to limit access to my API. For the sake of simplification, let's say we have two operations (i.e. API endpoints), where the first operation should be assigned the scope 'read' and the second operation the scope 'write'.
As far as I understand, I have to annotate the first operation with the following security tags:
/// <security type="oauth2" name="oauth">
///     <description>...</description>
///     <scheme>bearer</scheme>
///     <bearerFormat>JWT</bearerFormat>
///     <flow type="password">
///         <authorizationUrl>...</authorizationUrl>
///         <tokenUrl>...</tokenUrl>
///         <scope name="read">
///             <description>...</description>
///         </scope>
///     </flow>
///     <flow type="clientCredentials">
///         <authorizationUrl>...</authorizationUrl>
///         <tokenUrl>...</tokenUrl>
///         <scope name="read">
///             <description>...</description>
///         </scope>
///     </flow>
/// </security>
public void Operation1(...){...}
and the second operation with:
/// <security type="oauth2" name="oauth">
///     <description>...</description>
///     <scheme>bearer</scheme>
///     <bearerFormat>JWT</bearerFormat>
///     <flow type="password">
///         <authorizationUrl>...</authorizationUrl>
///         <tokenUrl>...</tokenUrl>
///         <scope name="write">
///             <description>...</description>
///         </scope>
///     </flow>
///     <flow type="clientCredentials">
///         <authorizationUrl>...</authorizationUrl>
///         <tokenUrl>...</tokenUrl>
///         <scope name="write">
///             <description>...</description>
///         </scope>
///     </flow>
/// </security>
public void Operation2(...){...}
However, the security declaration for the second operation is completely ignored. Therefore, I assume that the security schema with all available scopes can only be defined once (but where?) and that there is another mechanism for assigning specific scopes to operations. Unfortunately, the wiki does not provide any example explaining the assignment of multiple scopes of the same security schema to multiple operations.
@Sebi91 I will investigate and get back on this.
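The arrangement the question guesses at is how OpenAPI 3 itself models scopes: the oauth2 scheme and its scopes are declared once under components/securitySchemes, and each operation names the scopes it needs in its own security requirement. The following is an added example, not part of this thread and not the annotation tool's syntax; the spec fragment, host, paths and helper names are constructed for illustration.

```python
# Constructed OpenAPI 3 fragment: host, paths and descriptions are placeholders.
FLOW = {"tokenUrl": "https://auth.example.invalid/token",
        "scopes": {"read": "read access", "write": "write access"}}
SPEC = {
    "components": {"securitySchemes": {"oauth": {
        "type": "oauth2",
        "flows": {"password": FLOW, "clientCredentials": FLOW}}}},
    "paths": {
        "/operation1": {"get": {"operationId": "Operation1",
                                "security": [{"oauth": ["read"]}]}},
        "/operation2": {"post": {"operationId": "Operation2",
                                 "security": [{"oauth": ["write"]}]}},
    },
}

def operations(spec):
    """Yield (operationId, security requirement list) for every operation."""
    for item in spec["paths"].values():
        for op in item.values():
            # Operation-level 'security' overrides the document-level default.
            yield op["operationId"], op.get("security", spec.get("security", []))

def undeclared_scopes(spec):
    """Map operationId -> required scopes that no flow of the scheme declares."""
    schemes = spec["components"]["securitySchemes"]
    problems = {}
    for op_id, reqs in operations(spec):
        for req in reqs:
            for scheme, scopes in req.items():
                flows = schemes.get(scheme, {}).get("flows", {})
                known = {s for f in flows.values() for s in f["scopes"]}
                missing = set(scopes) - known
                if missing:
                    problems.setdefault(op_id, set()).update(missing)
    return problems

def is_authorized(spec, op_id, token_scope):
    """Check a token's space-delimited scope string against one operation."""
    granted = set(token_scope.split())
    for found_id, reqs in operations(spec):
        if found_id == op_id:
            # Requirement objects are alternatives; inside one, every listed
            # scope must be granted. An empty list is denied (fail closed),
            # which is stricter than OpenAPI's "no security" meaning.
            return any(all(set(sc) <= granted for sc in req.values())
                       for req in reqs)
    return False  # unknown operation: deny
```

Running `undeclared_scopes` over a generated document is a quick lint for an operation whose scope was dropped or misspelled during generation.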