From 1ef32d6d543598b2f16ff61acc55178edbef6b6e Mon Sep 17 00:00:00 2001 From: wangsijie Date: Mon, 13 May 2024 10:18:10 +0800 Subject: [PATCH] chore: add changeset for org api resource (#5719) chore: add change set for org api resource --- .changeset/thirty-cameras-explain.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .changeset/thirty-cameras-explain.md diff --git a/.changeset/thirty-cameras-explain.md b/.changeset/thirty-cameras-explain.md new file mode 100644 index 000000000..d8cf79297 --- /dev/null +++ b/.changeset/thirty-cameras-explain.md @@ -0,0 +1,13 @@ +--- +"@logto/core": minor +--- + +update token grant to support organization API resources + +Organization roles can be assigned with scopes (permissions) from the API resources, and the token grant now supports this. + +Once the user is consent to an application with "resources" assigned, the token grant will now include the scopes inherited from all assigned organization roles. + +Users can narrow down the scopes by passing `organization_id` when granting an access token, and the token will only include the scopes from the organization roles of the specified organization, the access token will contain an extra claim `organization_id` to indicate the organization the token is granted for. Then the resource server can use this claim to protect the resource with additional organization-level authorization. + +This change is backward compatible, and the existing token grant will continue to work as before.
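Review bot: The changeset text in this hunk describes the `organization_id` narrowing but not what the grant does when the specified organization is one the user does not belong to, or when its roles grant none of the requested scopes; since the resource server is told to rely on the `organization_id` claim for organization-level authorization, the changeset should state whether such a request is rejected or yields a token with no resource scopes. Also fix the grammar in the third paragraph, "Once the user is consent to an application" should read "Once the user has consented to an application", and split the run-on fourth paragraph after "the specified organization" so that the sentence introducing the extra `organization_id` claim stands on its own.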