Defining Scopes for a Resource Server

A scope is a set of permissible actions that a client application can perform on the accessed resources. You can define scopes by providing user claims, such as user attributes and permissions. The client application developer can request the required scopes, which an administrator then uses to configure the resource server in Identity Server (the authorization server). However, nothing restricts a client application from using any of the scopes configured in any resource server. For more information, see Adding a Resource Server. It is recommended to select Require user permission to get consent from the user whenever the scope contains user attributes.

When a user grants client applications access to protected resources, the client applications can perform actions based on the permissions defined in the scope.

For example, suppose you have defined a scope named email and associated permissions with this scope, such as read only. A client application that accesses the email can then only read the content.


  • You can get LDAP-based attributes in a scope.

  • You can configure roles as an OAuth scope and use them for injection with the Identity Injection policy. The role attribute is calculated when a token is sent to the UserInfo Endpoint.

  • If you have registered a client application to use a binary token, you cannot add user attributes and claims to the token.

Perform the following steps to define scopes and permissions:

  1. Click Devices > Identity Server > Edit > OAuth & OpenID Connect > Resource Server.

  2. Select the resource server name for which you want to define a new scope.

  3. Click New and specify the following details:




    Specify a name for the scope.


    Specify a description for the scope. The consent page shows this description.

    Include claims of type

    Select the type of user’s claim to be used in the scope. You can select any of the following types:

    • User Attributes: Select this option if you require using any of the user’s LDAP attributes in the scope. You can also use virtual attributes in the scope.


      • You can use virtual attributes for LDAP-based attributes and constant values.

      • This option does not work in a client credentials flow.

    • Custom Claims/Permissions: Select this option if you want to restrict specific permissions for this scope. This option is useful when a client application requires specific permission, such as read, write and so on to access a resource.

      For example, when you configure a read permission for the scope, the client application can request this scope and get the token.

    Require user permission

    Select this option if this scope requires the user’s consent before providing access to the protected resources. It is recommended to keep this option selected when a user attribute is used in the scope.

    In a client credentials flow, the token does not include scopes that require user permissions. Therefore, deselect this option. When the option is deselected, the claims can be fetched from the UserInfo Endpoint.

    • When this option is enabled and the prompt=consent parameter is passed to the authorization endpoint, the user consent screen is displayed.

    • When this option is enabled and the prompt=none parameter is passed to the authorization endpoint, the user consent screen is not displayed.

    • When this option is disabled and the prompt=none parameter is passed to the authorization endpoint, the user consent screen is not displayed.

    • When this option is disabled and the prompt=consent parameter is passed to the authorization endpoint, the user consent screen is not displayed.

    NOTE: If you deselect this option, the scope is not listed in the scopes_supported field of the metadata endpoint. The claims_supported field of the metadata endpoint does not display the claims for this scope even if the user attribute or the custom claims/permissions are configured.

    Allow modification in consent

    Select this option to allow modification in consent. When selected, the resource owner can choose not to share the scope with the client application.

    The consent page displays a check box next to each scope so that the resource owner can choose which scopes are shared with the client application.

  4. Click Next and continue with Configuring User Claims or Permission in Scope.
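
The Require user permission rules described above, collected into an added Python sketch for reviewing a planned set of scopes before they are configured. This is not code from the product or its documentation; the Scope fields, function names, and sample scopes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    # Hypothetical model of one scope; field names are assumptions, not a product export format.
    name: str
    claim_type: str                 # "user_attributes" or "custom_claims"
    require_user_permission: bool

def consent_screen_shown(scope, prompt):
    """Documented matrix: shown only when the option is enabled and prompt=consent."""
    if prompt not in ("consent", "none"):
        raise ValueError("the page documents only prompt=consent and prompt=none")
    return scope.require_user_permission and prompt == "consent"

def client_credentials_token_scopes(scopes):
    """Scopes usable in a client credentials flow: consent-requiring scopes are left
    out of the token, and user-attribute scopes do not work in this flow."""
    return [s.name for s in scopes
            if not s.require_user_permission and s.claim_type != "user_attributes"]

def scopes_supported(scopes):
    """Scopes with the option deselected are not listed by the metadata endpoint."""
    return [s.name for s in scopes if s.require_user_permission]

def attribute_scopes_without_consent(scopes):
    """Scopes that release user attributes with no consent step (against the recommendation)."""
    return [s.name for s in scopes
            if s.claim_type == "user_attributes" and not s.require_user_permission]

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = [
    Scope("email", "user_attributes", True),
    Scope("profile", "user_attributes", False),
    Scope("inventory.read", "custom_claims", False),
    Scope("inventory.write", "custom_claims", True),
]

if __name__ == "__main__":
    print("attribute scopes without consent:", attribute_scopes_without_consent(SAMPLE))
    print("scopes_supported:", scopes_supported(SAMPLE))
    print("client credentials token:", client_credentials_token_scopes(SAMPLE))
    for s in SAMPLE:
        print(s.name, {p: consent_screen_shown(s, p) for p in ("consent", "none")})
```

In the sample, profile is the scope to review: it carries user attributes, never shows a consent screen, and is absent from scopes_supported.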