OAuth Scope设计与资源服务器授权策略最佳实践

OAuth Scope设计与资源服务器授权策略最佳实践概述良好的Scope设计与执行可实现最小授权与清晰边界。本文给出Scope命名约定、策略映射与资源服务器侧的统一执行示例。Scope命名约定<resource>:<action>

orders:read

orders:write

users:read

users:write

策略映射type Policy = { route: string; method: string; requiredScope?: string }

const policies: Policy[] = [

{ route: '/orders', method: 'GET', requiredScope: 'orders:read' },

{ route: '/orders', method: 'POST', requiredScope: 'orders:write' },

{ route: '/users', method: 'GET', requiredScope: 'users:read' }

]

function requiredScopeFor(route: string, method: string): string | undefined {

return policies.find(p => p.route === route && p.method === method)?.requiredScope

}

资源服务器执行type Token = { sub: string; scope: string[]; exp: number }

function authorize(route: string, method: string, token: Token): { allowed: boolean; reason?: string } {

const required = requiredScopeFor(route, method)

if (!required) return { allowed: false, reason: 'policy_missing' } // 默认拒绝

const allowed = token.scope.includes(required)

return allowed ? { allowed } : { allowed: false, reason: 'scope_missing' }

}

运维要点Scope遵循资源:动作命名，避免模糊或过宽权限资源服务器默认拒绝并基于策略执行最小授权在审计中记录缺失策略与权限拒绝，驱动策略完善通过一致的命名与统一执行，可在OAuth体系中实现清晰边界与最小授权。