OAuth scopes
When an app connects to PageSeeder using OAuth it acts as a PageSeeder member. In PageSeeder v6.1 and higher the app no longer has all the permissions that the member has but only those allowed by the scope specified for the app’s OAuth client. The scope consists of one or more scopes described in the following separated by spaces, for example: openid profile email.
- Scopes can only restrict the normal permissions the member has in PageSeeder.
- Scopes cannot give the member more permissions.
- If a scope is not specified for the client then the user only has non-role based permissions such as public group access, get self and create OAuth client.
- For group and project scopes an app can request a scope with less permissions than the client scopes, otherwise it gets the client scopes. For example, if the client has contributor scope the app can request reviewer or guest scope, otherwise it gets contributor scope.
- Any scopes other than openid, profile and email require PageSeeder v6.1 or higher.
For PageSeeder v6.1 and higher all apps that create OAuth clients should be modified to set the scopes that they require.
General scopes
Allow these permissions | Scope |
---|---|
Get the member’s profile and email details during authentication | openid |
Get the member’s first name and family name via openid | profile |
Get the member’s email via openid | email |
Allows all the member's usual permissions. In PageSeeder v6.1 this scope is added | all |
Group scopes
The group permissions and their corresponding scopes are listed in the following table. A client can only have one scope from each column. For groups the member belongs to, the group scope (second column) overrides the server scope.
Restrict to these permissions | In groups the member belongs to | In any group on the server (administrator members only) |
---|---|---|
View documents, comments and tasks | guest | server-guest |
Post and reply to comments/tasks and view the group members list (plus guest permissions) | reviewer | server-reviewer |
Edit and delete their own comments/tasks, create, edit, upload, move, and archive documents (plus reviewer permissions) | contributor | server-contributor |
Add and modify the members of the group, edit or archive the comments of other members, configure the group and modify some group properties (plus contributor permissions) | manager | server-manager |
Approve and close tasks and workflows and create document versions (plus manager permissions) | approver | server-approver |
Project scopes
The project permissions and their corresponding scopes are listed in the following table. A client can only have one scope from each column. For projects the member belongs to, the project scope (second column) overrides the server scope.
Restrict to these permissions | In projects the member belongs to | In any project on the server (administrator members only) |
---|---|---|
Create groups within the project | project-contributor | server-project-contributor |
Add and remove members of the project, configure the project and create groups within the project (plus project contributor permissions) | project-manager | server-project-manager |
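The bullet points at the top of this page and the group and project tables above describe how a client scope, an app's narrower request, the member's real role and the administrator-only server scopes combine. The resolver below works through those rules for one group or project. It is an added example, not PageSeeder's own code: the function names, the role ladders and the modelling of an administrator's usual permissions as the top of the ladder are assumptions made here.

```python
# Resolver for the effective role an OAuth app gets in one PageSeeder group
# or project, applying the scope rules described on this page. Added
# illustration, not PageSeeder code: function names, role ladders and the
# treatment of an administrator's "usual" permissions as the top of the
# ladder are assumptions of this example.

# Role scopes in increasing order of permission, taken from the tables above.
GROUP_ROLES = ["guest", "reviewer", "contributor", "manager", "approver"]
PROJECT_ROLES = ["project-contributor", "project-manager"]
SERVER_PREFIX = "server-"   # server-* scopes only take effect for administrators


def parse_scopes(scope_string):
    """Split a space-separated scope string, e.g. 'openid profile contributor'."""
    return set(scope_string.split())


def _single(scopes, candidates, column):
    """Return the one scope from `scopes` that appears in `candidates`.

    A client may hold only one scope from each column, so two is an error.
    """
    found = [s for s in scopes if s in candidates]
    if len(found) > 1:
        raise ValueError(f"only one {column} scope is allowed, got {sorted(found)}")
    return found[0] if found else None


def narrower(a, b, ladder):
    """Less permissive of two roles; None means no role-based access at all."""
    if a is None or b is None:
        return None
    return a if ladder.index(a) <= ladder.index(b) else b


def _level_from_scopes(scopes, member_role, is_admin, ladder):
    """Role a scope set permits in one group/project, before the member's own
    role is taken into account."""
    own = _single(scopes, ladder, "member")
    server = _single(scopes, [SERVER_PREFIX + r for r in ladder], "server")
    if server is not None:
        server = server[len(SERVER_PREFIX):]
    if not is_admin:
        server = None  # server scopes are for administrator members only
    if member_role is not None and own is not None:
        return own     # member scope overrides server scope where the member belongs
    return server


def effective_level(client_scopes, member_role, is_admin,
                    requested_scopes="", ladder=GROUP_ROLES):
    """Role the app may act with in one group (or project with ladder=PROJECT_ROLES).

    member_role: the member's real role there, or None if not a member.
    requested_scopes: scopes the app asks for; only honoured when narrower
    than the client scopes, otherwise the client scopes apply.
    Returns a role name, or None when only non-role (public) access remains.
    """
    if member_role is not None and member_role not in ladder:
        raise ValueError(f"unknown role {member_role!r}")
    client = parse_scopes(client_scopes)

    # What the member could normally do; an administrator is modelled as
    # holding the top role everywhere (assumption of this example).
    usual = member_role if member_role is not None else (ladder[-1] if is_admin else None)

    # Scopes can only restrict: 'all' keeps the usual permissions, anything
    # else is capped by the scope level, no scope at all leaves no role access.
    if "all" in client:
        allowed = usual
    else:
        allowed = narrower(usual, _level_from_scopes(client, member_role, is_admin, ladder), ladder)

    requested = _level_from_scopes(parse_scopes(requested_scopes), member_role, is_admin, ladder)
    if requested is None:
        return allowed  # nothing narrower asked for: the app gets the client scopes
    return narrower(allowed, requested, ladder)


if __name__ == "__main__":
    # Constructed cases mirroring the bullet points on this page.
    print(effective_level("openid contributor", "manager", False))               # contributor
    print(effective_level("openid contributor", "manager", False, "reviewer"))   # reviewer
    print(effective_level("openid contributor", "manager", False, "approver"))   # contributor
    print(effective_level("server-guest contributor", None, True))               # guest
```

The last constructed case is the one worth checking when reviewing a client: an administrator who is not a member of a group gets only the server-guest level there, while in groups they do belong to the contributor scope overrides it, and a non-administrator with the same client scopes gets no role access at all outside their own groups.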
Other administrator only scopes
Allow these permissions | For this scope |
---|---|
Create new projects and view all projects | project-creator |
View, add, edit, delete, move, import, export, validate project template files, view server properties and reprocess URL/non-PSML metadata | developer |
View, add, edit, delete accounts, edit their memberships and impersonate members | account-manager |
View, add, edit, delete OAuth clients | oauth-manager |
View, add, edit, delete Webhooks | webhook-manager |