Authorized Scopes

If you are making API requests on behalf of a less-trusted entity that you only know to possess a subset of your scopes, you can specify the scopes a given request is authorized to rely on. If the request cannot be authorized with the restricted set of scopes you specified, it will fail, even though you may in fact have the scopes required to conduct the request. In effect, you can reduce the available scopes for each API request.

Example, imagine that CRAN service would like to create Taskcluster tasks whenever an R project is updated in the archive. However, different R packages have different levels of trust and require different scopes. The tc-cran service runs with the superset of all scopes that might be required (perhaps assume:project:cran:pkg:*), and calls queue.createTask with authorizedScopes set to ['assume:project:cran:pkg:paleotree'] for paleotree tasks. The scopes available for creating that task are then limited to those assigned to the paleotree package via its role.

Authorized scopes are specified in the Hawk ext property with the authorizedScopes property. The Taskcluster client packages all contain support for this functionality.

  authorizedScopes:  ['scopeA', 'scopeC']

Remark, it is possible to use authorized scopes in combination with the certificate used temporary credentials. Just include both fields in the JSON object before base64 encoding into the ext property.

Note the way Hawk works, the ext property is covered by the HMAC signature. So it's not possible to modify this property on-the-fly.