openid_connect | OpenID Connect Server & Client Library | Authentication library

Most likely you have some strong constraints on some particular gems in your Gemfile that's it's blocking bundle from updating a dependency.

To make this work you need to use --from-env-file instead --from-file. And the file containing the variables should be in the plain text.

To create a Secret from one or more files, use --from-file or --from-env-file. The file must be plaintext, but the extension of the file does not matter.

When you create the Secret using --from-file, the value of the Secret is the entire contents of the file. If the value of your Secret contains multiple key-value pairs, use --from-env-file instead.

File provider.yaml with variables:

So there were two errors. The first was that the "--" after the client id were not supposed to be there. I'm not sure why in yahoo's example they have them there, but they aren't needed. The second reason is that my return uri was capitalized in my code, but not capitalized in my app settings. Now it works!

A possible solution would be like the following:

How can I implement the third application so that it can support non-specific, free-style permissions? Using a JWT Token that includes the user's permissions as scopes.

How can I store those permissions?

• Store your user Model on the third application, along with the permission/roles for each user.
• When the user log in, they will be redirected to your third application. On successful authentication, the third application can then generate an access_token in the form of a JWT token which includes the permissions that the user has as scopes.
• You can then have your front-end include this access_token on API requests to the client applications. The client applications can validate the access_token and check the scopes/permissions for the user to determine if the user can access certain data.

How should I transfer the permissions to the client applications? Your client applications can validate/read the scopes included in the JWT token on each API request

How can I query for some permissions? Not sure what this means, I can interpret 2 different things:

1. Take Github as an example, a Github App can specify that they need read access and email access (but not the write access), and the user can authenticate and only approve read and email access. In this case, the Authorization Server (Github) would generate a JWT that only includes scopes for read and email even though the user has other permissions available.
2. If you're talking about the client app wanting to know if the user has certain permission, then it can just look at the scopes included in the JWT. You might need to define the required scope for each endpoint in the client application.

Should I store all permissions in the third application and query for them each time when I the user asks for some resource, or should I save them locally and update them at some points?

The permissions for each user can be stored in the third application, and the client applications just trust the scopes included in the JWT. Since the access_token should be short lived (for example it expires in 1 hour), changes on the user's permission level can be handled by renewing the access_token.