Feature Request
Based on Decision Record 2026-06-06, we move away from role-based-access-control toward scope-based access control.
Which Areas Would Be Affected?
oauth2 authn/authz libs, management API, downstream projects (IdentityHub)
Why Is the Feature Desired?
the role claim as we have it today is non-standardized, which effectively means that IdP's cannot be replaced seamlessly. Seeing how EDC is a platform rather than a suite of applications, it is desirable to stick to standards as close as possible, eliminating all custom code as much as possible.
A purely scope-based authz scheme gives us that.
Who will sponsor this feature?
Please @-mention the committer that will sponsor your feature.
Solution Proposal
- Implement Scope model: should be additive,
Scope value class that parses the scope, and a ScopeMatcher that checks if a scope is granted or not (implicitly or explicitly)
- Move elevation (
*:admin) from roles into scopes
- Update controller annotations
- Drop
participant_context_id claim, use sub as identity carrier
Note: similar steps need to be taken in downstream projects.
Feature Request
Based on Decision Record 2026-06-06, we move away from role-based-access-control toward scope-based access control.
Which Areas Would Be Affected?
oauth2 authn/authz libs, management API, downstream projects (IdentityHub)
Why Is the Feature Desired?
the
roleclaim as we have it today is non-standardized, which effectively means that IdP's cannot be replaced seamlessly. Seeing how EDC is a platform rather than a suite of applications, it is desirable to stick to standards as close as possible, eliminating all custom code as much as possible.A purely scope-based authz scheme gives us that.
Who will sponsor this feature?
Please @-mention the committer that will sponsor your feature.
Solution Proposal
Scopevalue class that parses the scope, and aScopeMatcherthat checks if a scope is granted or not (implicitly or explicitly)*:admin) from roles into scopesparticipant_context_idclaim, usesubas identity carrierNote: similar steps need to be taken in downstream projects.