---
title: Adding OAuth scope rules
description: Add an OAuth scope rule to examine the contents of the PingFederate validation response and determine whether to grant access to a backend target site based on a match found between the scopes of the validation response and scope specified in the rule.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_oauth_scope_rules
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_oauth_scope_rules.html
revdate: February 6, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
---

# Adding OAuth scope rules

Add an OAuth scope rule to examine the contents of the PingFederate validation response and determine whether to grant access to a backend target site based on a match found between the scopes of the validation response and scope specified in the rule.

## About this task

For example, a resource might require that the OAuth *(tooltip: \<div class="paragraph">
\<p>A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\</p>
\</div>)* access token *(tooltip: \<div class="paragraph">
\<p>A data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources.\</p>
\</div>)* contain the scope `superuser`.

## Steps

1. Click **Access**, then go to **Rules > Rules**.

2. Click **[icon: plus, set=fa]Add Rule**.

3. In the **Name** field, enter a unique name, up to 64 characters long.

   Special characters and spaces are allowed.

4. From the **Type** list, select **OAuth Scope**.

5. From the **Scope** list, select the scope you want to match to values returned from the access token.

   |   |                                                                                      |
   | - | ------------------------------------------------------------------------------------ |
   |   | This is one scope requirement in the set of scopes associated with the access token. |

6. Select **Negate** if, when a match is found, access is not allowed.

7. To configure rejection handling, click **Show Advanced Settings**, then select a rejection handling method.

   ### Choose from:

   * If you select **Default**, use the **Rejection Handler** list to select an existing [rejection handler](pa_rejection_handlers.html) that defines whether to display an error template or redirect to a URL.

   * If you select **Basic**, you can customize an error message to display as part of the default error page rendered in the end user's browser if rule evaluation fails. This page is among the templates you can modify with your own branding or other information. If you select **Basic**, provide the following:

     1. In the **Error Response Code** field, enter the HTTP status response code to send if rule evaluation fails.

        The default is `403`.

     2. In the **Error Response Status Message** field, enter the HTTP status response message to send if rule evaluation fails.

        The default is `Forbidden`.

     3. In the **Error Response Template File** field, enter the HTML template page for customizing the error message that displays if rule evaluation fails. This template file is located in the `<PA_HOME>/conf/template/` directory.

     4. From the **Error Response Content Type** list, select the type of content for the error response.

        This lets the client properly display the response.

8. Click **Save**.