Overview#

OAuth Scopes (and OpenID Scopes) are Groups of one or more OAuth 2.0 Claims

OAuth 2.0#

Within OAuth 2.0 Authorization_endpoint and Token_endpoints allow the OAuth Client to specify the OAuth Scopes of the Authorization Request using the "scope" request parameter.

In turn, the Authorization Server uses the "scope" response parameter to inform the OAuth Client of the scope of the Access Token issued.

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the Authorization Server.

If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

scope       = scope-token *( SP scope-token )
scope-token = 1*( %x21 / %x23-5B / %x5D-7E )

Scopes Granted#

The Authorization Server MAY fully or partially ignore the OAuth Scopes requested by the OAuth Client in the Authorization Request, based on the Authorization Policy or the Resource Owner's instructions.

If the issued Access Token scope is different from the one requested by the OAuth Client, the Authorization Server MUST include the "scope" response parameter to inform the OAuth Client of the actual scope granted.

If the OAuth Client omits the scope parameter in the Authorization Request, the Authorization Server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The Authorization Server SHOULD document its scope requirements and default value (if defined).[1]

OAuth Scopes has a lot flexibility in case the person needs to self-approve the release of information from the Authorization Server to the OAuth Client. In OAuth 2.0, OAuth Scopes can be used for various purposes. For example OpenID Connect uses OAuth Scopes to "group" attributes.

For example, we could have a scope called "address" that includes the street, city, state, and country user claims.

There could be OAuth Scopes granted that are based on:

User-Managed Access#

With User-Managed Access. OAuth Scopes is defined as a bounded extent of access that is possible to perform on a Resource Set. In authorization policy terminology, a OAuth Scopes is one of the potentially many "verbs" that can logically apply to a Resource Set ("object"). User-Managed Access associates scopes with labeled Resource Sets. This term derives from Auth 2.0 Resource Set Registration.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-28) was last changed on 20-Jun-2017 20:57 by jim