Scopes

All OAuth Scopes supported by SparqFest and their descriptions.

Written by George Reese

Last published at: February 28th, 2023

NOTE: This documentation is currently in progress. We are providing it as a preview for those developers who have expressed interest in getting an early start.

Access to resources in a SparqFest application is a combination of what resources the user is allowed to access and what access that user has granted to the client they are using. Even if a user grants a client greater access than that user has, the application cannot take any actions not supported by the user's access rights. On the other hand, clients are rarely allowed to do everything a user is allowed to do. Clients should request access only to the resources they need and nothing more.

In OAuth, client access is determined by scopes.

Structure of a SparqFest OAuth Scope

SparqFest structures scopes in a colon-separated hierarchy in which the last element is an action to be taken against the resource specified by the rest of the scope:

festival:account:submitter:read

In this example, the scope grants read access to submitter information.

A single scope can also represent multiple actions:

  • festival:account:people:submitter:read,write
  • festival:account:people:submitter

The former is shorthand for two separate scopes: festival:account:people:submitter:read and festival:account:people:submitter:write.

The latter grants access to perform any action on submitters.

Common Actions

The list of actions depends on the resource in question. In general, however, there are four core actions:

  • create
  • delete
  • read
  • update

Where a resource supports other, finer levels of control, those actions are documented with the scope.

Scopes

festival:[create,delete,read,update]

Global access for the specified actions to all resources in a festival.

festival:festival:[read,update]

Access to the festival resource.

Account API Scopes

festival:account:[create,delete,read,update]

Access for the specified actions to all resources under the “account” API.

festival:account:people:[create,delete,read,update]

Access for the specified actions against all classes of SparqFest users.

festival:account:people:creator:[read,update]

Access for the specified actions against festival creators. 

festival:account:people:judge:[read,update]

Access for the specified actions against festival judges. The “delete” scope is not for deleting the user record, but instead grants the ability to remove the user as a judge from a specific selection.

festival:account:people:staff:[create,delete,read,update]

Access for the specified actions against festival staff members. The “delete” scope is not for deleting the user record, but instead grants the ability to remove the user's staff access.

festival:account:people:submitter:[create,delete,read,update]

Access for the specified actions against SparqFest submitter records. Submitters may or may not yet be registered users. Creating submitters does not create a user record and deleting a submitter does not delete any user record that might exist.
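The scope structure described on this page (a colon-separated resource path, optional comma-separated actions, and parent scopes covering the resources beneath them) can be enforced with a check like the following. This is an added example, not SparqFest's own code; the action vocabulary, the function names expand, is_allowed and authorize, and the idea of expressing a user's rights in the same scope notation are assumptions.

```python
# Added example: SparqFest-style scope matching. Not SparqFest's own code.
# Assumption: the action vocabulary is the four core actions plus "write",
# which appears in the page's shorthand example.
ACTIONS = frozenset({"create", "delete", "read", "update", "write"})
ANY = "*"  # internal marker: scope named no action, so every action is granted


def expand(scope):
    """Expand one scope string into a set of (resource_path, action) pairs."""
    parts = scope.strip().split(":")
    if "" in parts or any("," in p for p in parts[:-1]):
        raise ValueError(f"malformed scope: {scope!r}")
    tail = parts[-1].split(",")
    if all(a in ACTIONS for a in tail):
        if len(parts) == 1:
            raise ValueError(f"action without a resource: {scope!r}")
        return {(tuple(parts[:-1]), a) for a in tail}
    if len(tail) > 1:
        raise ValueError(f"unknown action in scope: {scope!r}")
    return {(tuple(parts), ANY)}  # last element is a resource, not an action


def is_allowed(granted, required):
    """True if the granted scopes cover every resource:action in `required`."""
    grants = set()
    for scope in granted:
        try:
            grants |= expand(scope)
        except ValueError:
            continue  # fail closed: a malformed grant confers nothing
    return all(
        any(need[: len(path)] == path and act in (ANY, need_act)
            for path, act in grants)
        for need, need_act in expand(required)
    )


def authorize(client_scopes, user_rights, required):
    """A request needs both the user's own rights and the client's grant."""
    return is_allowed(user_rights, required) and is_allowed(client_scopes, required)


if __name__ == "__main__":
    token = ["festival:account:people:submitter:read,write"]  # constructed sample
    user = ["festival:account"]                               # constructed sample
    for req in ("festival:account:people:submitter:read",
                "festival:account:people:judge:read"):
        print(req, authorize(token, user, req))
```

The example treats "write" and "update" as distinct actions because the page does not define a mapping between them, and a grant on a child resource never satisfies a requirement on its parent.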