A scope is a set of permissible actions that a client application can perform on the accessed resources. You can define scopes by providing user claims, such as user attributes and permissions. The client application developer can request for required scopes, which an administrator uses for configuring the resource server in Identity Server (authorization server). However, there is no restriction for any client application to use any of the scopes configured in any resource server. For more information, see Adding a Resource Server. It is recommended to select Require user permission to get consent from the user whenever the scope contains user attributes.
When a user grants client applications access to protected resources, they can perform actions based on permissions defined in the scope.
For example, if you have defined a scope named email and defined permissions associated with this scope, such as read only. A client application that will access the email can only read the content.
NOTE:
You can get LDAP-based attributes in a scope.
You can configure roles as an OAuth scope and use them to inject with the Identity Injection policy. The role attribute is calculated when a token is sent to UserInfo Endpoint.
If you have registered a client application to use binary token, you cannot add user attributes and claims to the token.
Perform the following steps to define scopes and permissions:
Click Devices > Identity Server > Edit > OAuth & OpenID Connect > Resource Server.
Select the resource server name for which you want to define a new scope.
Click New and specify the following details:
|
Field |
Description |
|---|---|
|
Name |
Specify a name for the scope. |
|
Description |
Specify a description for the scope. The consent page shows this description. |
|
Include claims of type |
Select the type of user’s claim to be used in the scope. You can select any of the following types:
|
|
Require user permission |
Select this option if this scope requires user’s consent before providing access to the protected resources. It is recommended to keep this option selected when user attribute is used in the scope. In a client credentials flow, the token does not include scopes that require user permissions. Therefore, deselect this option. When the option is deselected, the claims can be fetched from the UserInfo Endpoint.
NOTE:If you deselect this option, the scope is not listed in the scopes_supported field of the metadata endpoint. The claims_supported field of the metadata endpoint does not display the claims for this scope even if the user attribute or the custom claims/permissions are configured. |
|
Allow modification in consent |
Select this option to allow modification in consent. When selected, the resource owner can choose not to share the scope with the client application. The consent page will display a check box against each scope to choose the scopes that can be shared with the client applications. |
Click Next and continue with Configuring User Claims or Permission in Scope.