Configuring scope constraints
On the Scope Constraints tab, you can configure which scopes or scope groups developers can request when registering clients through dynamic client registration.
About this task
All clients created through dynamic client registration share this configuration. If a particular client requires a different set of common scopes, exclusive scopes, or both, modify that client's configuration after it has been created, using the administrative console, the administrative API, or the OAuth Client Management Service. Scopes can also be overridden by client registration policies enforced during dynamic client registration.
Steps
- Go to System → OAuth Settings → Client Settings and click Scope Constraints.
- To restrict clients created with the Dynamic Client Registration protocol to a subset of common scopes, select the Restrict Common Scopes check box and one or more applicable common scopes or scope groups.

  Result: Your selections affect developers as follows:
  - If you do not select the Restrict Common Scopes check box, developers can send client registrations without naming any common scopes. If the requests are valid, the resulting clients are configured with all the common scopes and scope groups, whether or not they asked for them.
  - If you select the Restrict Common Scopes check box without selecting at least one common scope or scope group, clients resulting from valid client registrations are configured without any common scopes or scope groups.
  - If you select the Restrict Common Scopes check box and one or more common scopes or scope groups, developers must name the desired common scopes and scope groups in their client registrations. If they do not, clients resulting from otherwise valid requests are likewise configured without any common scopes or scope groups.
- To allow clients created with the Dynamic Client Registration protocol to request a subset of exclusive scopes, select one or more applicable exclusive scopes or scope groups in the Allowed Exclusive Scopes field.

  Result: Your selections affect developers as follows:
  - If you do not select any exclusive scope, clients resulting from valid client registrations are configured without any exclusive scopes or scope groups.
  - If you select one or more exclusive scopes or scope groups, developers must name the desired exclusive scopes and scope groups in their client registrations. If they do not, clients resulting from otherwise valid requests are likewise configured without any exclusive scopes or scope groups.
Result
Restricting common scopes and allowing exclusive scopes are not mutually exclusive. You can configure both options based on your use cases.
If you configure both options, developers must send client registrations with the desired common and exclusive scopes.
Depending on the configured dynamic scope patterns and whether they are defined as common or exclusive dynamic scopes, this configuration can also affect the results of scope evaluation. The default scope is always available to all clients. For more information, see the section on exclusive dynamic scope evaluation in Scopes and scope management.
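The rules above are easy to misread when both options are combined, so the following added example (written for this page, not PingFederate's own code) models them as a function that takes a Scope Constraints configuration and an RFC 7591 registration request and returns the scopes the new client ends up with. Everything in it is constructed for illustration: the scope names, the `ScopeConstraints` class, the assumption that scope groups have already been flattened into member scopes, and the assumption that a requested scope the configuration does not permit (or that the server does not define) is rejected with the RFC 7591 `invalid_client_metadata` error rather than silently dropped. The page does not say how PingFederate itself treats such a request, so check that behaviour on your own server before relying on it.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeConstraints:
    """The Scope Constraints tab reduced to the settings this page describes (hypothetical model)."""
    all_common: frozenset[str]                       # every common scope defined on the server
    restrict_common: bool = False                    # the Restrict Common Scopes check box
    allowed_common: frozenset[str] = frozenset()     # common scopes selected under that box
    allowed_exclusive: frozenset[str] = frozenset()  # the Allowed Exclusive Scopes field
    default_scope: str = "openid"                    # assumed name for the default scope


class RegistrationError(ValueError):
    """A rejected registration; .code holds the RFC 7591 error code."""

    def __init__(self, code: str, description: str) -> None:
        super().__init__(f"{code}: {description}")
        self.code = code


def parse_scope_parameter(scope_param: str | None) -> frozenset[str]:
    """RFC 7591 client metadata carries scopes as one space-delimited string."""
    if scope_param is None:
        return frozenset()
    return frozenset(token for token in scope_param.split(" ") if token)


def resolve_registered_scopes(cfg: ScopeConstraints, dcr_request: dict) -> dict:
    """Apply the page's rules to one DCR request and return the client's scopes.

    Assumption: a requested scope that is not permitted (or not defined at all)
    is rejected with invalid_client_metadata instead of being dropped.
    """
    requested = parse_scope_parameter(dcr_request.get("scope"))
    requested_common = requested & cfg.all_common
    requested_other = requested - cfg.all_common - {cfg.default_scope}

    if not cfg.restrict_common:
        # Box unchecked: every valid registration gets all common scopes, asked for or not.
        common = set(cfg.all_common)
    else:
        # Box checked: only common scopes that are both selected and requested are granted.
        # An empty selection, or a request naming none, yields no common scopes at all.
        not_permitted = requested_common - cfg.allowed_common
        if not_permitted:
            raise RegistrationError(
                "invalid_client_metadata",
                f"common scope(s) not permitted for DCR: {sorted(not_permitted)}",
            )
        common = set(requested_common)

    # Exclusive scopes are never granted unless both selected here and requested.
    not_permitted = requested_other - cfg.allowed_exclusive
    if not_permitted:
        raise RegistrationError(
            "invalid_client_metadata",
            f"exclusive or unknown scope(s) not permitted for DCR: {sorted(not_permitted)}",
        )
    exclusive = set(requested_other)

    # The default scope is always available to every client.
    return {"default": cfg.default_scope, "common": common, "exclusive": exclusive}


def registration_error_code(cfg: ScopeConstraints, dcr_request: dict) -> str | None:
    """Return the error code a request would receive, or None if it would succeed."""
    try:
        resolve_registered_scopes(cfg, dcr_request)
    except RegistrationError as err:
        return err.code
    return None


if __name__ == "__main__":
    # Constructed sample configuration and requests, not taken from a live server.
    cfg = ScopeConstraints(
        all_common=frozenset({"email", "profile", "address"}),
        restrict_common=True,
        allowed_common=frozenset({"email", "profile"}),
        allowed_exclusive=frozenset({"admin"}),
    )
    for request in (
        {"client_name": "reporting", "scope": "openid email admin"},
        {"client_name": "kiosk"},                             # no scope parameter at all
        {"client_name": "rogue", "scope": "openid address"},  # address is not selected
    ):
        try:
            print(request["client_name"], resolve_registered_scopes(cfg, request))
        except RegistrationError as err:
            print(request["client_name"], "rejected:", err)
```

Running the script with the constructed configuration shows the three outcomes the page describes: a request that names permitted common and exclusive scopes gets exactly those plus the default scope, a request with no `scope` parameter gets only the default scope once Restrict Common Scopes is checked, and a request for an unselected common scope is rejected under the stated assumption. Leaving `restrict_common` at `False` is the setting to treat with care, because every dynamically registered client then receives all common scopes without asking for them.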