Overview#
We use Privileged Scope when there are additional OAuth Scopes granted by the Authorization Server which were NOT requested by the OAuth Client.
The Privileged Scope may be granted based on the:
Privileged Scope Example#
An application may have some Resources that are publicly available for any Authenticated Resource Owner that is also a customer.
When the Resource Owner is utilizing Social Login the Authorization Server may determine this user is also a Customer. The Authorization Policy says that any Customer may be granted the "read_premium" OAuth Scope. So the Authorization Server would grant the Privileged Scope "read_premium".
The acr indicates the Authentication Method used. The Authorization Server could grant some "elevated" OAuth Scopes based on the Authorization Policy and the Multi-Factor Authentication used.
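The two cases above (a customer earning "read_premium", and MFA earning an elevated scope) as an added worked example, not code from the original page: a constructed Authorization Policy hook on the server side, and the client-side check that spots scopes it never asked for. The acr value, the MFA-gated scope name and the token values are assumptions.

```python
"""Privileged Scope example: the Authorization Server grants scopes the
client did not request, driven by the Authorization Policy, and the
client detects them. Everything except "read_premium" is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceOwner:
    subject: str
    is_customer: bool   # e.g. learned by matching the Social Login identity
    acr: str            # Authentication Context Class Reference of this session


# Constructed Authorization Policy. "read_premium" is the page's example;
# the acr value and the MFA-elevated scope are assumed for illustration.
CUSTOMER_SCOPES = {"read_premium"}
MFA_ACRS = {"urn:example:acr:mfa"}
MFA_ELEVATED_SCOPES = {"manage_payment_methods"}


def evaluate_policy(owner: ResourceOwner, requested: set[str]) -> dict:
    """Return the scopes granted and the subset that is privileged
    (granted without being requested)."""
    granted = set(requested)
    if owner.is_customer:
        granted |= CUSTOMER_SCOPES
    if owner.acr in MFA_ACRS:
        granted |= MFA_ELEVATED_SCOPES
    return {"scope": granted, "privileged": granted - requested}


def token_response(owner: ResourceOwner, requested: set[str]) -> dict:
    """Constructed token response. RFC 6749 section 5.1 requires the
    `scope` parameter whenever the granted scope differs from the request."""
    decision = evaluate_policy(owner, requested)
    resp = {"access_token": "constructed-opaque-token", "token_type": "Bearer"}
    if decision["scope"] != requested:
        resp["scope"] = " ".join(sorted(decision["scope"]))
    return resp


def unrequested_scopes(requested: set[str], response: dict) -> set[str]:
    """Client-side check: scopes present in the response that the client
    never requested. Absence of `scope` means exactly the request was granted."""
    if "scope" not in response:
        return set()
    return set(response["scope"].split()) - requested
```

A client that logs the output of `unrequested_scopes` gets an audit trail of every Privileged Scope the Authorization Policy handed it.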