Thanks for the replies!
I guess the main thing I'm still struggling with is the use of OAuth "scopes" with FusionAuth. While our primary use for FA would definitely be authenticating our own applications using roles+groups for authorization (and where access to full user and registration info is "ok"), we would also need to use FA to delegate limited application access and user info to 3rd party applications.
For these 3rd party systems I was thinking the best route would be via OAuth2/OIDC, returning an access token limited to some scopes the remote application has access to, and an id token with limited OIDC user info claims. From my (admittedly limited) use of OAuth2 services implemented by others (GitHub, Auth0, etc.) this is controlled by the scopes supplied (and agreed to) during the authorization request.
For example, OIDC has several scopes defined for requesting user info claims (profile, email, address, phone) during authorization. GitHub has many scopes defined for specific API access, like "repo:status" to allow API access to commit status messages.
But from what I can tell, scopes aren't really used by FA outside of:
- "openid" - which adds the id_token and user info claims from all of OIDC's scopes (profile, email, address and phone).
- "offline_access" - which adds a refresh token
The JWT lambdas definitely seemed promising, and I'm actually using them to extend the access token with some information, but AFAICT they do not have any information about the scope(s) authorized to work with.
So at some level I still feel like I'm either overlooking something key, or perhaps our use case is just a little outside FA's focus. At this point we're still just kicking the tires, but I'd love to figure out a solution, as FA feels more comfortable and organized than alternatives in literally every other way -- which means a lot.
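As an added illustration (not the poster's code, and not FusionAuth's own lambda or API), here is the scope-to-claims filtering the post describes for the standard OIDC scopes: an identity provider releases only the user info claims covered by the scopes that were actually granted, so a 3rd party application that asked for `openid email` never sees profile, address or phone data. The claim lists per scope follow OpenID Connect Core 1.0 section 5.4; the user record and scope strings are constructed sample data, and the function names are this example's own.

```javascript
// Added illustration, not FusionAuth code: release OIDC user-info claims
// only for the scopes actually granted, per OIDC Core 1.0 section 5.4.
// The mapping below is the standard one; the user record and scope
// strings are constructed sample data.
const OIDC_SCOPE_CLAIMS = {
  profile: ['name', 'family_name', 'given_name', 'middle_name', 'nickname',
            'preferred_username', 'profile', 'picture', 'website', 'gender',
            'birthdate', 'zoneinfo', 'locale', 'updated_at'],
  email: ['email', 'email_verified'],
  address: ['address'],
  phone: ['phone_number', 'phone_number_verified'],
};

// Parse a space-delimited scope string as sent in an authorization request.
function parseScopes(scopeString) {
  return new Set(String(scopeString || '').split(/\s+/).filter(Boolean));
}

// Return only the claims the granted scopes allow. Without "openid" no
// identity claims are released at all (OIDC requires it); "sub" is always
// included once "openid" is present. Claims with no covering scope
// (application-specific fields such as roles) are never released here.
function filterClaims(fullUser, grantedScopeString) {
  const scopes = parseScopes(grantedScopeString);
  if (!scopes.has('openid')) {
    return {};
  }
  const allowed = new Set(['sub']);
  for (const [scope, claims] of Object.entries(OIDC_SCOPE_CLAIMS)) {
    if (scopes.has(scope)) {
      claims.forEach((c) => allowed.add(c));
    }
  }
  const out = {};
  for (const claim of Object.keys(fullUser)) {
    if (allowed.has(claim) && fullUser[claim] !== undefined) {
      out[claim] = fullUser[claim];
    }
  }
  return out;
}

// Constructed sample user record (not real data).
const SAMPLE_USER = {
  sub: 'user-1234',
  name: 'Ada Example',
  given_name: 'Ada',
  email: 'ada@example.test',
  email_verified: true,
  phone_number: '+15550100',
  address: { locality: 'Springfield' },
  role: 'admin', // application-specific; no OIDC scope covers it
};

console.log(filterClaims(SAMPLE_USER, 'openid email'));
// -> { sub: 'user-1234', email: 'ada@example.test', email_verified: true }
```

The allow-list direction matters: the function starts from an empty set and adds claims per granted scope, so any new field added to the user record later (roles, internal ids) stays private until a scope explicitly covers it. A resource server consuming the access token would apply the same idea in reverse, rejecting calls whose token lacks the scope an endpoint requires.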