OAuth Scopes and user permissions
OAuth Scopes
Custom Applications can use any of the available Composable Commerce APIs. This allows you to extend the functionality and build custom features for any of the Composable Commerce APIs and the Merchant Center.
Therefore, Custom Applications must specify the list of OAuth Scopes needed by the application.
For example, if you are developing a Custom Application to manage Channels you would probably need the OAuth Scopes view_products
and manage_products
. On top of that, you might decide to also view Customers information.
To fulfill these requirements, your Custom Application would require the following OAuth Scopes:
view_products
,view_customers
manage_products
These OAuth Scopes must be specified in your Custom Application config, using the oAuthScopes
field.
{"oAuthScopes": {"view": ["view_products", "view_customers"],"manage": ["manage_products"]}}
Notice here how the OAuth Scopes are grouped by the two fields view
and manage
.
This grouping determines the mapping and relation between OAuth Scopes and user permissions.
Permission groups
This feature is available from version 21.21.0
onwards.
Defining oAuthScopes
in the Custom Application config yields the default permision group which allows using permissions limited to 1 unique pair (view/manage) specific to the Custom Application. Default permission pair can cover access control needs of, for example, single-purpose oriented Custom Applications or in case of only one team using the application.
However, in cases where more granular access control is needed, for example, only one team accross the organization allowed to manage discount codes, the default permission pair is not enough.
For more granular permissions additional OAuth Scopes can be requested as part of various additional permission groups.
These additional OAuth Scopes must be specified in your Custom Application config, using the additionalOAuthScopes
field.
In the following example, permission group named team-a
allows to manage orders but not manage discount codes, while permission group named team-b
allows both.
{"oAuthScopes": {"view": ["view_products", "view_customers"],"manage": ["manage_products"]},"additionalOAuthScopes": [{"name": "team-a","view": [],"manage": ["manage_orders"]},{"name": "team-b","view": [],"manage": ["manage_orders", "manage_discount_codes"]}]}
User permissions
In the Merchant Center, you can assign user permissions to Teams to grant or restrict access to certain parts and functionalities of the Merchant Center. See user permissions in Merchant Center for more information.
The same concepts apply for Custom Applications as well. Once your Custom Application has been installed in your Organization, you can assign user permissions for your Custom Application to each specific Team.
Each Custom Application gets a unique pair of user permissions: "view" and "manage."
- When assigning "view"-only permission to a Team, only the
view_
OAuth Scopes are used to authorize API requests. - When assigning "manage" permission to a Team, both
view_
andmanage_
OAuth Scopes are used to authorize API requests.
The permission names are unique to each Custom Application and, by default, they derive from the entryPointUriPath
, based on the following format: {View,Manage}<EntryPointUriPath>
.
Here are some examples:
entryPointUriPath | User permission |
---|---|
avengers | {View,Manage}Avengers |
the-avengers | {View,Manage}TheAvengers |
the_avengers | {View,Manage}The_Avengers |
avengers-01 | {View,Manage}Avengers/01 |
avengers_01 | {View,Manage}Avengers_01 |
When using additional permission groups, the permission name is derived from the entryPointUriPath
(same as the default group) plus the group name, based on the following format: {View,Manage}<EntryPointUriPath><GroupName>
Here are some examples:
entryPointUriPath | Permission group name | User permission |
---|---|---|
avengers | thor | {View,Manage}AvengersThor |
the-avengers | iron-man | {View,Manage}TheAvengersIronMan |
Ultimately, user permissions should be applied and enforced in the actual Custom Application code. For example to restrict access to certain pages, or to deactivate a button, etc.
To learn more about it, head over to the Permissions in the development section.