Configuring scopes for a native OAuth provider

Access tokens contain authorization for specific scopes.

About this task

Client applications can request only the scopes or a subset of the scopes that you define here. The scopes are included in the access tokens that are generated from the provider. When an OAuth protected API is invoked, the gateway checks the scopes carried in the access tokens against the list of allowed scopes in the security definition for the API to determine whether to grant access.

In addition, you can enforce advanced scope checks. The advanced scope check URLs are invoked after application authentication or after user authentication based on which URLs are configured. The final scope permission that is granted by the access token is the result of all scope checks.

Per IETF RFC 6749, the value of the scope parameter is a list of space-delimited, case-sensitive strings. For more information, see The OAuth 2.0 Authorization Framework.

One of the following roles is required to configure scopes for a native OAuth Provider:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings:Manage permissions

You can select the scope settings page for a native OAuth provider immediately on completion of the creation operation detailed in Configuring a native OAuth provider, or you can update the scope settings for an existing native OAuth provider. If you want to update the scope settings for an existing native OAuth provider, complete the following steps before following the procedure described in this topic:

  1. Click Resources icon Resources > OAuth Providers.
  2. Select the required native OAuth provider.

Procedure

Perform the following steps to configure the scopes for the access token:

  1. Click Scopes in the sidebar menu. The currently configured scopes are listed. Review and update the scopes as required.
    Field Description
    sample_scope_1 Scope for token
    additional scopes Scope for token
    In the Default scopes section, select the default scopes to be used if the API request doesn't contain any scopes.

    If the user authorization method is set to Default HTML Form in the User Security settings, all scopes specified here are added automatically to the authorization consent form.

  2. Advanced scope check before token generation. This setting specifies the scope check endpoint where additional scope verification is performed in addition to the basic scopes. The advanced scope check URLs are invoked after application authentication or after owner authentication based on which URLs are configured. The scopes are included in the token and will overwrite any previous scopes.
    Field Description
    Application scope check Allow extra verification by running a scope check from an endpoint. Enter the endpoint and an optional TLS Profile to use for an application scope check.
    Owner scope check Further refine the scope with an additional check. Enter the endpoint and an optional TLS Profile to use for an owner scope check.
    For more information about scope, see Scope
  3. Advanced scope check after token generation. This setting specifies an additional scope check at the API consumer level to verify compliance with the scope requirements of the API.
    Field Description
    Enabled Select the check box to enable the advanced scope check after token validation. Enter an optional default validator endpoint.
    Use endpoint from API Select the check box to use the endpoint from the API, or clear the check box to override the endpoint from the API.
    For more information about scope, see Scope
  4. Click Save when done.

Results

Depending upon the visibility setting, the OAuth Provider with the specified scopes can be used to secure the APIs in catalog.