Skip to content

Move to scope-based authorization #5799

Description

@paullatzelsperger

Feature Request

Based on Decision Record 2026-06-06, we move away from role-based-access-control toward scope-based access control.

Which Areas Would Be Affected?

oauth2 authn/authz libs, management API, downstream projects (IdentityHub)

Why Is the Feature Desired?

the role claim as we have it today is non-standardized, which effectively means that IdP's cannot be replaced seamlessly. Seeing how EDC is a platform rather than a suite of applications, it is desirable to stick to standards as close as possible, eliminating all custom code as much as possible.

A purely scope-based authz scheme gives us that.

Who will sponsor this feature?

Please @-mention the committer that will sponsor your feature.

Solution Proposal

  1. Implement Scope model: should be additive, Scope value class that parses the scope, and a ScopeMatcher that checks if a scope is granted or not (implicitly or explicitly)
  2. Move elevation (*:admin) from roles into scopes
  3. Update controller annotations
  4. Drop participant_context_id claim, use sub as identity carrier

Note: similar steps need to be taken in downstream projects.

Metadata

Metadata

Labels

apiFeature related to the (REST) apibreaking-changeWill require manual intervention for version updateenhancementNew feature or requesttriageall new issues awaiting classification

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions