Scope configuration with flows
17.7.1.4. AS-centric AS - Scope configuration with flows

Configuration of Scope Flow Settings

  1. Go to: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> {{AS-Id}} >> OAuth 2.0 Grants/OIDC Flows >> OAuth 2.0 Grants/OIDC Flows
  2. Go to: OAuth 2.0 Authorization Code Grant OR OIDC Authorization Code Flow
  3. Go to: Section Flow Settings
  4. Create and edit an OAuth 2.0 Custom Scopes Flow Settings plugin in the Scope Flow Settings property.
  5. Optionally create Flow Condition Based OAuth 2.0 Scope Condition plugins as required.
  6. Optionally create Role Based OAuth 2.0 Scope Condition plugins as required.

  The AS is then able to determine locally which of the requested scopes may be added to the resulting tokens.

In step 4 of the above list, an OAuth 2.0 Defaults Scopes Flow Settings plugin can be configured instead if scopes should be derived from roles only.

The following example demonstrates how the OAuth 2.0 Custom Scopes Flow Settings plugin can be used to achieve the same effect.

Example of using OAuth 2.0 Custom Scopes Flow Settings with scopes derived from user roles

  1. Create and edit a Role Based OAuth 2.0 Scope Condition plugin.
  2. Configure the Scope Matcher property as follows:
     • Create and edit an OAuth 2.0 Scope Matcher plugin.
     • Configure the Scope Name Pattern as ".*"
  3. Configure the Role Provider property as follows:
     • Add an All User Roles plugin to the Role Provider list.

  The Scope Matcher ensures that all requested scopes are tested against the roles retrieved by the Role Provider. If a requested scope and a provided role are identical, the scope is added to the tokens.

Example of using OAuth 2.0 Custom Scopes Flow Settings to accept all requested scopes

  1. Create and edit a Flow Condition Based OAuth 2.0 Scope Condition plugin.
  2. Configure the Scope Matcher property as follows:
     • Create and edit an OAuth 2.0 Scope Matcher plugin.
     • Configure the Scope Name Pattern as ".*"
  3. Configure the Role Condition property as follows:
     • Add the Always Selectable plugin to the Role Provider list.

  The Scope Matcher ensures that all requested scopes are tested, and the Always Selectable condition ensures that all scopes are accepted.
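The following is an added model of the two Scope Condition configurations above (it is not Airlock IAM code and the function names are assumed): a Role Based condition grants a pattern-matched scope only when a role of the identical name exists, while a Flow Condition Based condition with Always Selectable grants every pattern-matched scope. It shows how an over-broad scope request is narrowed by the AS before any token is issued.

```python
import re
from typing import Callable, Iterable, List, Set

# Constructed model of the Scope Condition plugins described above, not Airlock IAM code.
# A condition receives the requested scopes and the user's roles and returns the
# subset of scopes the AS may place into the resulting tokens.
ScopeCondition = Callable[[Iterable[str], Iterable[str]], Set[str]]


def role_based_condition(scope_name_pattern: str) -> ScopeCondition:
    """Role Based OAuth 2.0 Scope Condition with an All User Roles provider:
    a scope matching the Scope Name Pattern is granted only if an identical role exists."""
    matcher = re.compile(scope_name_pattern)

    def condition(requested: Iterable[str], roles: Iterable[str]) -> Set[str]:
        role_set = set(roles)
        return {s for s in requested if matcher.fullmatch(s) and s in role_set}

    return condition


def flow_condition_based(scope_name_pattern: str, selectable: Callable[[], bool]) -> ScopeCondition:
    """Flow Condition Based OAuth 2.0 Scope Condition: a scope matching the
    Scope Name Pattern is granted whenever the flow condition holds."""
    matcher = re.compile(scope_name_pattern)

    def condition(requested: Iterable[str], roles: Iterable[str]) -> Set[str]:
        if not selectable():
            return set()
        return {s for s in requested if matcher.fullmatch(s)}

    return condition


def always_selectable() -> bool:
    """Models the Always Selectable plugin."""
    return True


def granted_scopes(requested: List[str], roles: List[str], conditions: List[ScopeCondition]) -> List[str]:
    """Union of what the configured conditions permit; everything else is dropped."""
    granted: Set[str] = set()
    for condition in conditions:
        granted |= condition(requested, roles)
    return [s for s in requested if s in granted]  # preserve request order


if __name__ == "__main__":
    # Constructed sample: the client asks for more than the user's roles cover.
    requested = ["openid", "profile", "reports.read", "reports.write"]
    roles = ["openid", "profile", "reports.read"]
    print(granted_scopes(requested, roles, [role_based_condition(".*")]))
    print(granted_scopes(requested, roles, [flow_condition_based(".*", always_selectable)]))
```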