# OAuth Scopes and Least Privilege

This notebook explores how OAuth scopes should be designed
to enforce least privilege, especially for AI agents and tools.

Scopes are NOT implementation details.
They are security contracts.

## What a Scope Really Is

A scope is NOT:
- a role
- a user type
- a UI permission

A scope IS:
- a contract between Authorization Server and Resource Server
- a promise of what the token may be used for


## Why Over-Broad Scopes Are Dangerous

If a token has `scope = "admin"`, then:
- It may authorize actions the client never intended
- It becomes impossible to reason about blast radius
- AI agents can escalate actions unintentionally



## Principles of Good Scope Design

1. Scopes should be action-oriented
2. Scopes should be resource-specific
3. Scopes should be minimally sufficient
4. Scopes should compose cleanly
5. Scopes should be auditable


## Example: Naive vs Well-Designed Scopes

❌ Naive: `scope = "read write"`

✅ Better: `scope = "research.search research.view"`

Why?
- Explicit intent
- Clear enforcement
- Easy revocation


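```python
def require_scope(token_data, required_scope):
    # Raise instead of assert: asserts are stripped under `python -O`,
    # which would silently disable this authorization check.
    scopes = token_data.get("scope", "").split()  # a missing claim grants nothing
    if required_scope not in scopes:
        raise PermissionError(f"missing scope: {required_scope}")
```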


## Why AI Agents Need Better Scopes

AI agents:
- Chain actions
- Call tools dynamically
- Operate continuously

Therefore:
- Over-broad scopes amplify mistakes
- Narrow scopes limit damage

## Mapping OAuth Scopes to MCP Tools

Example mapping:

- scope `research.search` → tool `search_papers`
- scope `research.download` → tool `download_pdf`
- scope `research.summarize` → tool `summarize_document`

If the token lacks the mapped scope, the tool MUST NOT run.

## Scopes and RAG Document Access

Example:
- scope: "doc.read:cardiology"
- scope: "doc.read:oncology"

Token scopes determine:
- which embeddings may be retrieved
- which documents may be surfaced

Authorization happens BEFORE generation.
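
The tool mapping and the `doc.read:<collection>` scopes above can be enforced in one place. The following is an added example, not code from the original notebook: the scope and tool strings come from this page, while `call_tool`, `retrieve`, `ScopeError`, the registry and the sample token and hits are hypothetical names and constructed data.

```python
# Added example. Scope/tool strings are from the page; all other names are hypothetical.
TOOL_SCOPES = {  # tool name -> the one scope that authorizes it
    "search_papers": "research.search",
    "download_pdf": "research.download",
    "summarize_document": "research.summarize",
}

class ScopeError(PermissionError):
    pass

def granted_scopes(token_data):
    """Scopes as a set; a missing or non-string claim grants nothing."""
    raw = token_data.get("scope", "")
    return set(raw.split()) if isinstance(raw, str) else set()

def call_tool(token_data, tool_name, registry, **kwargs):
    """Run a tool only if the token carries the exact scope mapped to it."""
    required = TOOL_SCOPES.get(tool_name)
    if required is None or tool_name not in registry:
        raise ScopeError(f"tool not mapped to a scope: {tool_name}")  # deny by default
    if required not in granted_scopes(token_data):  # exact match, no prefix or substring
        raise ScopeError(f"missing scope: {required}")
    return registry[tool_name](**kwargs)

def readable_collections(token_data):
    """Collections named by doc.read:<collection> scopes."""
    prefix = "doc.read:"
    return {s[len(prefix):] for s in granted_scopes(token_data)
            if s.startswith(prefix) and len(s) > len(prefix)}

def retrieve(token_data, hits):
    """Drop unauthorized hits before anything reaches the prompt."""
    allowed = readable_collections(token_data)
    return [h for h in hits if h.get("collection") in allowed]

# Constructed sample data
TOKEN = {"sub": "agent-1", "scope": "research.search doc.read:cardiology"}
REGISTRY = {
    "search_papers": lambda query: f"results for {query}",
    "download_pdf": lambda url: f"downloaded {url}",
}
HITS = [
    {"id": "d1", "collection": "cardiology"},
    {"id": "d2", "collection": "oncology"},
]

if __name__ == "__main__":
    print(call_tool(TOKEN, "search_papers", REGISTRY, query="statins"))
    print([h["id"] for h in retrieve(TOKEN, HITS)])
```

Scopes are compared as whole space-delimited tokens, so a token holding `research.searching` or a bare `doc.read:` grants nothing.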


## Scope Design Summary

- Scopes are contracts, not labels
- Narrow scopes reduce blast radius
- Resource Servers only enforce, never interpret
- AI agents magnify scope mistakes
- Good scope design enables safe automation
