
Scopes

Scopes are a mechanism defined by the OAuth standard that lets an application request limited, granular access to users' data. A client application can request one or more of the scopes it is allowed to use. The granted scopes are then added to the scope claim of the access token issued to the client application. Note that in ID Cloud consent is always given implicitly, because there is no user-consent screen.

Identity Cloud supports predefined scopes and custom scopes. Predefined scopes include offline_access and openid while custom scopes can be used by any of your applications that need access to particular sets of user data.

Predefined scopes

Currently there are two predefined scopes:

  • offline_access and
  • openid with its constituent address, email, phone and profile scope values.

When you use the offline_access scope, a refresh token is issued and added to the response. See OpenID Connect Core 1.0 on Offline Access.

When you request the address, email, phone or profile scopes, calling the userinfo endpoint with the issued access token adds the user information corresponding to the requested scopes to the response. See OpenID Connect Core 1.0 on Requesting Claims using Scope Values.
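The following is an added example, not part of the Identity Cloud documentation or product code. It shows what a resource server does with the scope claim described above: it checks that the access token carries the scopes an endpoint requires, answers with the standard insufficient_scope challenge when it does not, and builds a userinfo response that releases only the claims covered by the granted profile, email, address and phone scopes (the claim lists follow OpenID Connect Core 1.0 section 5.4). The token claims and the user record are constructed sample data; the token's signature is assumed to have been verified before these functions are called.

```python
"""Resource-server handling of the access token's scope claim and of the
OpenID Connect scope-to-claim release rules.

Added example; it is not part of the Identity Cloud documentation or product.
The token claims and user record are constructed sample data, and signature
verification of the access token is assumed to have happened already.
"""
from typing import Dict, Iterable, Set

# OpenID Connect Core 1.0, section 5.4: the userinfo claims each standard scope
# value requests. The openid scope on its own only yields the subject.
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "openid": {"sub"},
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed user record, standing in for the identity store.
SAMPLE_USER = {
    "sub": "user-123",
    "name": "Ada Example",
    "email": "ada@example.com",
    "email_verified": True,
    "phone_number": "+15555550100",
    "address": {"formatted": "1 Sample Street"},
}


def parse_scope(scope_claim: str) -> Set[str]:
    """Split the space-delimited scope claim (RFC 6749 section 3.3) into a set.

    Scope strings are case-sensitive, so no normalisation is applied.
    """
    return {s for s in scope_claim.split(" ") if s}


def missing_scopes(token_claims: dict, required: Iterable[str]) -> Set[str]:
    """Return the required scopes the token does not carry (empty set means allowed)."""
    granted = parse_scope(token_claims.get("scope", ""))
    return set(required) - granted


def www_authenticate(required: Iterable[str]) -> str:
    """WWW-Authenticate value for a 403 insufficient_scope response (RFC 6750 section 3.1)."""
    return 'Bearer error="insufficient_scope", scope="%s"' % " ".join(sorted(required))


def userinfo_response(user: dict, token_claims: dict) -> dict:
    """Build the userinfo payload, releasing only the claims the granted scopes cover."""
    granted = parse_scope(token_claims.get("scope", ""))
    if "openid" not in granted:
        raise PermissionError("userinfo requires a token issued with the openid scope")
    releasable: Set[str] = set()
    for scope in granted:
        # Custom scopes are not in the table, so they release no userinfo claims here.
        releasable |= SCOPE_CLAIMS.get(scope, set())
    return {claim: value for claim, value in user.items() if claim in releasable}


if __name__ == "__main__":
    token = {"sub": "user-123", "scope": "openid email"}  # constructed, already verified
    print(userinfo_response(SAMPLE_USER, token))
    print(missing_scopes(token, ["phone"]), www_authenticate(["phone"]))
```

The resource server compares scope strings exactly; a token issued with `email` never satisfies an endpoint that requires `phone`, and the challenge header tells the client which scope it should request instead.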

Custom scopes

Custom scope names must match verbatim the scope strings that your applications use.

Defining Custom scopes

  1. To add a new custom scope definition, click Application management > Custom scopes > Create scope.
  2. Define your custom scope with a name that exactly matches the OAuth scope that your application uses. This is the value that will be passed on to your application.
  3. Add a brief description to clearly identify the scope.
  4. Click Create and wait until the process completes.
[Figure: Create custom scope]

Editing Custom scopes

  1. To edit an existing custom scope definition, click Application management > Custom scopes, then click Edit next to the scope you want to modify.
  2. Edit the name or the description.
  3. Click Create and wait until the process completes.

Deleting Custom scopes

  1. To delete a custom scope, click Application management > Custom scopes.
  2. Click Delete next to the custom scope you want to remove.
  3. Add a brief description to clearly identify the scope.
  4. Click Create and wait until the process completes.
[Figure: Delete custom scope]

Assigning scopes to an application

By assigning scopes to applications you can specify what data the application has access to.

  1. To assign a scope, click Application management > Applications.
  2. Select the application you want to allow scopes for.
  3. Select the Scopes tab.
  4. Click Assign scope.
  5. Select the scope you want to allow. (For openid, you also need to select which element you allow.)
  6. Click Assign to finalize your choices.
  7. Wait until the process completes.

Notice how the newly assigned scopes now appear on the Allowed scopes list.
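The following is an added example, not part of the Identity Cloud documentation or product code, showing the effect of an application's Allowed scopes list on the authorization server side. A request is checked against the known predefined and custom scope names (exact, case-sensitive matches, which is why custom scope names must be defined verbatim), narrowed to the scopes assigned to that application, and tokens are issued accordingly: a refresh token only when offline_access was granted, an ID token only when openid was granted, and a scope parameter in the response whenever the granted set differs from the request, as RFC 6749 section 5.1 requires. The application registry, custom scope list, subject and token values are constructed placeholders rather than real signed tokens.

```python
"""Authorization-server side: narrowing a client's scope request to the scopes
assigned to that application before tokens are issued.

Added example; it is not part of the Identity Cloud documentation or product.
The application registry, custom scope list and token values are constructed
placeholders, not real signed tokens.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Set

PREDEFINED_SCOPES = {"openid", "offline_access", "profile", "email", "address", "phone"}

# Constructed custom scope definitions; names are matched verbatim (case-sensitive).
CUSTOM_SCOPES = {"orders:read", "orders:write"}


@dataclass
class Application:
    client_id: str
    allowed_scopes: Set[str]  # the application's Allowed scopes list


@dataclass
class TokenResponse:
    access_token: str
    claims: dict                         # payload the access token would carry
    token_type: str = "Bearer"
    scope: Optional[str] = None          # RFC 6749 section 5.1: required when narrowed
    refresh_token: Optional[str] = None  # only with offline_access
    id_token: Optional[str] = None       # only with openid


class InvalidScope(ValueError):
    """Maps to the OAuth invalid_scope error (RFC 6749 section 5.2)."""


def grant_scopes(app: Application, requested: str) -> Set[str]:
    """Reject unknown scope names, then keep only the scopes assigned to the app."""
    requested_set = {s for s in requested.split(" ") if s}
    unknown = requested_set - (PREDEFINED_SCOPES | CUSTOM_SCOPES)
    if unknown:
        raise InvalidScope("invalid_scope: unknown scope(s) %s" % sorted(unknown))
    granted = requested_set & app.allowed_scopes
    if not granted:
        raise InvalidScope("invalid_scope: no requested scope is allowed for %s" % app.client_id)
    return granted


def issue_tokens(app: Application, requested: str, subject: str) -> TokenResponse:
    """Issue placeholder tokens for the granted scopes; consent is implicit (no consent screen)."""
    requested_set = {s for s in requested.split(" ") if s}
    granted = grant_scopes(app, requested)
    scope_value = " ".join(sorted(granted))
    response = TokenResponse(
        access_token=secrets.token_urlsafe(32),
        claims={"sub": subject, "client_id": app.client_id, "scope": scope_value},
    )
    if granted != requested_set:
        response.scope = scope_value  # tell the client what it actually got
    if "offline_access" in granted:
        response.refresh_token = secrets.token_urlsafe(32)
    if "openid" in granted:
        response.id_token = "<id_token placeholder for %s>" % subject
    return response


if __name__ == "__main__":
    shop = Application("shop-web", {"openid", "email", "offline_access", "orders:read"})
    print(issue_tokens(shop, "openid profile email offline_access orders:read", "user-123"))
```

Unknown names are rejected rather than silently dropped, so a typo in a client's configuration surfaces as an invalid_scope error instead of a token that quietly lacks a permission; scopes the application was never assigned are simply not granted, and the narrowed set is echoed back so the client can detect it.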

Removing a scope from an application

  1. Select the application from which you want to remove a scope.
  2. Select the Scopes tab.
  3. From the list of Allowed scopes, click Unassign on the scope you want to remove.
  4. Confirm Unassign and wait for the process to finish.

Notice how the unassigned scope now disappears from the Allowed scopes list.