Scopes

Scopes are a mechanism defined by the OAuth standard that lets an application request limited, granular access to users' data. A client application can request one or more of the scopes it is allowed to use. The granted scopes are then added to the scope claim of the access token issued to the client application. Note that in Identity Cloud consent is always given implicitly, because there is no user-consent screen.

Identity Cloud supports predefined scopes and custom scopes. The predefined scopes are offline_access and openid; custom scopes can be used by any of your applications that need access to particular sets of user data.

Predefined scopes

Currently, there are two predefined scopes:

  • offline_access
  • openid, with its constituent scope values address, email, phone, and profile.

When you request the offline_access scope, a refresh token is issued and added to the token response. See OpenID Connect Core 1.0 on Offline Access.

When you request the address, email, phone, or profile scopes, calling the userinfo endpoint with the issued access token adds the user information corresponding to those scopes to the response. See OpenID Connect Core 1.0 on Requesting Claims using Scope Values.

Custom scopes

A custom scope name must match verbatim the scope your applications request and expect.

Under Applications > Custom scopes, you have the following options to configure custom scopes and their attributes:

View custom scopes

Under Application management > Custom scopes, all custom scopes are listed.

The custom scopes are ordered alphabetically by name. Each page displays a maximum of 20 custom scopes. With the arrow buttons at the bottom left you can go to the Next page, Previous page, First page and Last page.

Create custom scopes

To create a new custom scope:

  1. Go to Application management > Custom scopes and click Create scope.
  2. Define your custom scope with a name that exactly matches the OAuth scope that your application uses. This is the value that will be passed on to your application.
  3. Add a brief description to identify the scope.
  4. Click Create.

Edit custom scopes

To edit an existing custom scope:

  1. Go to Application management > Custom scopes and click Edit next to the scope you want to modify.
  2. Edit the name or the description.
  3. Click Save.

Delete custom scopes

To delete a custom scope:

  1. Go to Application management > Custom scopes.
  2. Click Delete next to the custom scope you want to remove.
  3. Confirm that you want to delete the custom scope.
  4. Click Delete scope.

Info: If you delete a custom scope, it is removed from all the applications it is assigned to.

Custom scopes attributes

  • Name: The name of the custom scope. The Name is mandatory and has to be unique. It can contain alphanumeric characters and underscores only, and is at most 30 characters long.
  • Description: You can optionally set a description to provide further information about the custom scope. The Description is at most 120 characters long.

Configure allowed scopes

Assign scopes to applications

You can assign predefined or custom scopes to your applications of protocol type OAuth 2.0/OIDC. By assigning scopes to an application you specify which scopes it is allowed to request during login.

  1. To assign a scope, click Application management > Applications.
  2. Select the application you want to allow scopes for.
  3. Select the Scopes tab.
  4. Click Assign scope.
  5. Select the scope you want to allow. (For openid, you also need to select which element you allow.)
  6. Click Assign to finalize your choices.

The newly assigned scopes now appear in the Allowed scopes list.
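The rules described in the introduction, under Custom scopes attributes, and under Assign scopes to applications, written out as code. This is an added example and not code from the Identity Cloud documentation or product: it models the custom-scope naming limits (alphanumeric and underscore, at most 30 characters, unique), the rule that an application may only request the scopes assigned to it, and the way a resource server reads the space-delimited scope claim of an access token before serving a request. The table mapping openid scope values to userinfo claims comes from OpenID Connect Core 1.0, section 5.4. The scope names orders_read and orders_write, the client id orders_web, the token payload and the user record are constructed sample data.

```python
"""Scope checks for an OAuth 2.0 / OIDC deployment.

Added example, not code from the Identity Cloud documentation or product.
It models three rules the page states: the custom-scope naming limits,
the requirement that an application may only request scopes assigned to
it, and the space-delimited ``scope`` claim a resource server reads from
an access token. The scope-to-claim table is OpenID Connect Core 1.0,
section 5.4. Sample scope names, client id and user record are constructed.
"""
import re

# "Custom scopes attributes": alphanumeric and underscore only, at most 30 characters.
SCOPE_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,30}")
MAX_DESCRIPTION_LEN = 120

# Userinfo claims unlocked by each OIDC scope value (OpenID Connect Core 1.0, 5.4).
CLAIMS_BY_SCOPE = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def validate_custom_scope(name, description="", existing_names=()):
    """Return the list of rule violations; an empty list means the scope is valid."""
    problems = []
    if not isinstance(name, str) or not SCOPE_NAME_RE.fullmatch(name):
        problems.append("name must be 1-30 alphanumeric or underscore characters")
    if name in existing_names:
        problems.append("name must be unique")
    if len(description) > MAX_DESCRIPTION_LEN:
        problems.append("description must be at most 120 characters")
    return problems


def parse_scope_list(value):
    """Split a scope string as RFC 6749 section 3.3 defines it: space-delimited,
    case-sensitive. A JSON list, which some issuers emit, is accepted as well."""
    if isinstance(value, str):
        return set(value.split())
    return set(value or ())


def disallowed_requested_scopes(requested, allowed):
    """Authorization-server side: scopes the client asked for that are not on
    its Allowed scopes list. A non-empty result means the request should be
    refused with invalid_scope rather than silently granted."""
    return parse_scope_list(requested) - set(allowed)


def token_has_scopes(token_claims, required):
    """Resource-server side: True only when every required scope appears in
    the token's ``scope`` claim. Matching is verbatim, so ``Orders_Read``
    does not satisfy ``orders_read``."""
    return set(required) <= parse_scope_list(token_claims.get("scope"))


def userinfo_for(token_claims, user_record):
    """Return only the user attributes the granted scope values permit."""
    granted = parse_scope_list(token_claims.get("scope"))
    if "openid" not in granted:
        return {}  # not an OIDC token: no userinfo at all
    permitted = {"sub"}
    for scope_value in granted:
        permitted |= CLAIMS_BY_SCOPE.get(scope_value, set())
    return {k: v for k, v in user_record.items() if k in permitted}


# Constructed sample data: the Allowed scopes list of one application,
# a decoded access-token payload (signature verified upstream) and a user record.
ALLOWED_FOR_CLIENT = {"openid", "email", "offline_access", "orders_read"}
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "client_id": "orders_web",
    "scope": "openid email offline_access orders_read",
}
SAMPLE_USER = {
    "sub": "user-123",
    "name": "Example User",
    "email": "user@example.com",
    "email_verified": True,
    "phone_number": "+10000000000",
}

if __name__ == "__main__":
    print(validate_custom_scope("orders-read"))      # hyphen is not allowed
    print(disallowed_requested_scopes("openid orders_write", ALLOWED_FOR_CLIENT))
    print(token_has_scopes(SAMPLE_CLAIMS, ["orders_read"]))
    print(userinfo_for(SAMPLE_CLAIMS, SAMPLE_USER))  # sub, email, email_verified only
```

The two enforcement points are deliberately separate: the authorization server rejects requests for scopes outside the Allowed scopes list at login, and the resource server still checks the scope claim of every token it receives, because only the token tells it what was actually granted. The comparison is verbatim on both sides, which is why the custom scope name configured in Identity Cloud has to match the application's scope string exactly.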

Remove scopes from applications

You can remove predefined or custom scopes from your applications of protocol type OAuth 2.0/OIDC. Once a scope is removed from an application, it can no longer be requested during login.

  1. Select the application from which you want to remove a scope.
  2. Select the Scopes tab.
  3. From the list of Allowed scopes, click Remove on the scope you want to remove.
  4. Confirm Remove scope.

The removed scope now disappears from the Allowed scopes list.