This repository was archived by the owner on Sep 10, 2024. It is now read-only.

Commit 71039a6

hughns authored and sandhose committed
Reorder MAS scopes in list
1 parent eb86f44 commit 71039a6

1 file changed, +11 -11 lines changed

docs/reference/scopes.md

Lines changed: 11 additions & 11 deletions
@@ -8,8 +8,8 @@ The [default policy](../topics/policy.md#authorization-requests) shipped with MA
88
- [`urn:matrix:org.matrix.msc2967.client:device:[device id]`](#urnmatrixorgmatrixmsc2967clientdevicedevice-id)
99
- [`urn:matrix:org.matrix.msc2967.client:guest`](#urnmatrixorgmatrixmsc2967clientguest)
1010
- [`urn:synapse:admin:*`](#urnsynapseadmin)
11-
- [`urn:mas:graphql:*`](#urnmasgraphql)
1211
- [`urn:mas:admin`](#urnmasadmin)
12+
- [`urn:mas:graphql:*`](#urnmasgraphql)
1313

1414
## OpenID Connect scopes
1515

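Review bot: The list entry for `urn:mas:graphql:*` at new line 12 gives no hint that the scope is deprecated, while the section it links to says that access to the Internal GraphQL API from outside of MAS is deprecated in favour of the Admin API. Since the entry is being moved below `urn:mas:admin` anyway, consider marking it as deprecated in the list itself, so that a reader scanning the index sees which of the two MAS scopes is the preferred one.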
@@ -79,16 +79,6 @@ It allows:
7979

8080
MAS also has a few scopes that are specific to the MAS implementation.
8181

82-
### `urn:mas:graphql:*`
83-
84-
This scope grants access to the whole MAS [Internal GraphQL API].
85-
What permission the session has on the API is determined by the entity that the session is authorized as.
86-
When [authorized as a user](../topics/authorization.md#authorized-as-a-user-or-authorized-as-a-client) (and without the `mas:urn:admin` scope), this will usually allow querying and mutating the user's own data.
87-
88-
The default policy allows any client and any user to request this scope.
89-
90-
However, as noted in the [Internal GraphQL API] documentation, access to the Internal GraphQL API from outside of MAS itself is deprecated in favour of the [Admin API].
91-
9282
### `urn:mas:admin`
9383

9484
This scope grants full access to the MAS [Admin API].
@@ -102,6 +92,16 @@ It allows:
10292
- for the "client credentials" grant:
10393
- clients that are listed in the [`policy.data.admin_clients`](../reference/configuration.md#policy) configuration option
10494

95+
### `urn:mas:graphql:*`
96+
97+
This scope grants access to the whole MAS [Internal GraphQL API].
98+
What permission the session has on the API is determined by the entity that the session is authorized as.
99+
When [authorized as a user](../topics/authorization.md#authorized-as-a-user-or-authorized-as-a-client) (and without the `mas:urn:admin` scope), this will usually allow querying and mutating the user's own data.
100+
101+
The default policy allows any client and any user to request this scope.
102+
103+
However, as noted in the [Internal GraphQL API] documentation, access to the Internal GraphQL API from outside of MAS itself is deprecated in favour of the [Admin API].
104+
105105
[authorization code]: ../topics/authorization.md#authorization-code-grant
106106
[device authorization]: ../topics/authorization.md#device-authorization-grant
107107
[Internal GraphQL API]: ../development/graphql.md
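Review bot: New line 99 names the scope as `mas:urn:admin`, but it is spelled `urn:mas:admin` everywhere else in this file (the heading at new line 82 and the list entry at new line 11). The paragraph is carried over unchanged from old line 86, so this move is a good moment to correct it; a reader copying the string from this sentence into a scope request or a policy would not match the scope documented here. Separately, new line 101 says the default policy allows any client and any user to request this scope; a pointer to where that can be restricted, as the `urn:mas:admin` section gives with `policy.data.admin_clients`, would help operators who want to limit access to a deprecated API.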
