PingFederate Server

Returning scopes in authorization transactions

You can configure PingFederate to always return the OAuth scope parameter in the response to authorization code requests and client credential requests. You can enable always returning scopes for one request type or both.

By default, PingFederate only returns scopes if the scopes the client requested and the scopes the user approved are not the same. For example, if the client requests scopeA and scopeB, and the user only approves scopeB, the list of scopes returned in the response will contain only scopeB.

Learn more in Grant types.

It’s useful to always return scopes if clients require scopes that users haven’t authorized. But to improve security, you should reconfigure clients to require only authorized scopes where possible.
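The following is an added example, not code from the PingFederate documentation, showing the client side of the behaviour described above. It assumes the OAuth 2.0 token response rules of RFC 6749 section 5.1: the server may omit scope when the granted scopes equal the requested ones and must include it when they differ, which matches PingFederate's default; with always-return-scope enabled the parameter is present in every response. The sample responses are constructed for illustration.

```python
"""Client-side handling of the OAuth 2.0 `scope` response parameter.

Added example, not part of the PingFederate documentation. Per RFC 6749
section 5.1, an authorization server may omit `scope` from the token
response when the granted scopes are identical to the requested ones and
must include it when they differ. PingFederate's default matches that;
the always-return-scope settings make the parameter unconditional.
"""
import json


def parse_scope(value):
    """Split a space-delimited OAuth scope string (RFC 6749 3.3) into a set."""
    if value is None:
        return set()
    return {s for s in value.split(" ") if s}


def granted_scopes(requested, token_response):
    """Return the set of scopes the client actually holds.

    `requested` is the space-delimited scope string the client sent.
    `token_response` is the parsed JSON body of the token endpoint response.
    An absent `scope` means the grant matched the request exactly; a present
    `scope` is authoritative, whether or not it differs from the request.
    """
    if "scope" not in token_response:
        return parse_scope(requested)
    return parse_scope(token_response["scope"])


def missing_scopes(required, requested, token_response):
    """Scopes the client needs but was not granted; an empty set means all good.

    A client that checks this before calling a protected resource fails early
    with a clear reason instead of getting an opaque 403 later.
    """
    return parse_scope(required) - granted_scopes(requested, token_response)


# Constructed sample token responses (not captured from a real server).
# 1. Default behaviour, user approved every requested scope: `scope` omitted.
RESPONSE_ALL_APPROVED = json.loads(
    '{"access_token": "tok1", "token_type": "Bearer", "expires_in": 3600}'
)
# 2. Default behaviour, user approved only scopeB of "scopeA scopeB".
RESPONSE_PARTIAL = json.loads(
    '{"access_token": "tok2", "token_type": "Bearer", "expires_in": 3600,'
    ' "scope": "scopeB"}'
)
# 3. always-return-scope enabled: `scope` echoed even though it equals the request.
RESPONSE_ALWAYS = json.loads(
    '{"access_token": "tok3", "token_type": "Bearer", "expires_in": 3600,'
    ' "scope": "scopeA scopeB"}'
)

if __name__ == "__main__":
    requested = "scopeA scopeB"
    for label, resp in [("all approved", RESPONSE_ALL_APPROVED),
                        ("partial", RESPONSE_PARTIAL),
                        ("always-return", RESPONSE_ALWAYS)]:
        print(label, "granted:", sorted(granted_scopes(requested, resp)),
              "missing:", sorted(missing_scopes(requested, requested, resp)))
```

The point of `granted_scopes` is that an absent parameter and a present one are both meaningful; a client that only checks for the parameter's presence, or that assumes it always receives what it asked for, is exactly the kind of client the always-return-scope settings exist to accommodate.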

Steps

  1. Open the <pingfed-install>/pingfederate/server/default/data/config-store/oauth-scope-settings.xml file.

  2. Change the value of the always-return-scope-for-authz-code parameter, the always-return-scope-for-client-credentials parameter, or both to true.

  3. Save and close the file.

  4. If you’re running PingFederate in a clustered environment, replicate the new configuration to other nodes. Learn more in Replicating configurations.

Admin API

You can also use the Admin API to change the configuration for always returning scopes in responses to authorization code requests and client credential requests.

If you want to enable always returning scopes for the client credential grant type, you would use the following PUT request:

curl -X 'PUT' \
  'https://localhost:9999/pf-admin-api/v1/configStore/oauth-scope-settings/always-return-scope-for-client-credentials' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'X-XSRF-Header: PingFederate' \
  -d '{
  "id": "always-return-scope-for-client-credentials",
  "stringValue": "true",
  "type": "STRING"
}'

If you want to enable always returning scopes for the authorization code grant type, you would use the following PUT request:

curl -X 'PUT' \
  'https://localhost:9999/pf-admin-api/v1/configStore/oauth-scope-settings/always-return-scope-for-authz-code' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'X-XSRF-Header: PingFederate' \
  -d '{
  "id": "always-return-scope-for-authz-code",
  "stringValue": "true",
  "type": "STRING"
}'
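The following is an added example, not PingFederate's own tooling, that wraps the two PUT requests above so that an operator can apply either setting repeatably instead of editing oauth-scope-settings.xml by hand. It assumes the configStore item can be read back with GET on the same URL in the same {id, stringValue, type} shape the PUT accepts, and that the Admin API is called with HTTP Basic authentication; the credentials are placeholders. The transport is injectable so the logic can be exercised without a server.

```python
"""Idempotent update of PingFederate's always-return-scope settings via the Admin API.

Added example, not part of PingFederate. ASSUMPTIONS: GET on the configStore
item URL returns the same {id, stringValue, type} document the PUT accepts,
and the administrator authenticates with HTTP Basic auth.
"""
import base64
import json
import urllib.error
import urllib.request

ADMIN_API = "https://localhost:9999/pf-admin-api/v1"   # base URL from the page
BUNDLE = "oauth-scope-settings"                        # configStore bundle from the page

# Setting ids from the page, keyed by the grant type they affect.
SETTING_IDS = {
    "authorization_code": "always-return-scope-for-authz-code",
    "client_credentials": "always-return-scope-for-client-credentials",
}


def build_request(setting_id, enabled, base_url=ADMIN_API):
    """Build the PUT shown on the page as (url, headers, json_body)."""
    if setting_id not in SETTING_IDS.values():
        raise ValueError(f"unknown {BUNDLE} id: {setting_id}")
    headers = {
        "accept": "application/json",
        "Content-Type": "application/json",
        "X-XSRF-Header": "PingFederate",   # anti-CSRF header the Admin API requires
    }
    body = {"id": setting_id,
            "stringValue": "true" if enabled else "false",
            "type": "STRING"}
    return f"{base_url}/configStore/{BUNDLE}/{setting_id}", headers, json.dumps(body)


def parse_setting(body_text):
    """Interpret a configStore item body; anything other than "true" counts as disabled."""
    item = json.loads(body_text)
    return str(item.get("stringValue", "false")).lower() == "true"


def ensure_setting(setting_id, enabled, http):
    """Make the setting equal `enabled`; return True only if a PUT was needed.

    `http(method, url, headers, body) -> (status, body_text)` is the transport.
    Reading first keeps the operation idempotent and leaves no spurious
    configuration change in the audit trail when nothing differs.
    """
    url, headers, body = build_request(setting_id, enabled)
    status, current = http("GET", url, headers, None)
    if status == 200 and parse_setting(current) == enabled:
        return False
    status, _ = http("PUT", url, headers, body)
    if not 200 <= status < 300:
        raise RuntimeError(f"PUT {url} failed with HTTP {status}")
    return True


def urllib_http(username, password):
    """Real transport over urllib with HTTP Basic auth (assumed auth scheme)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def http(method, url, headers, body):
        req = urllib.request.Request(url, data=body.encode() if body else None,
                                     method=method)
        for name, value in headers.items():
            req.add_header(name, value)
        req.add_header("Authorization", f"Basic {token}")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return http


if __name__ == "__main__":
    # Placeholder credentials; real ones come from a secret store, not source code.
    transport = urllib_http("PLACEHOLDER_ADMIN_USER", "PLACEHOLDER_ADMIN_PASSWORD")
    for grant, setting_id in SETTING_IDS.items():
        changed = ensure_setting(setting_id, True, transport)
        print(f"{grant}: {'updated' if changed else 'already enabled'}")
```

When run for real, the administrative console's TLS certificate must be trusted by Python's default SSL context or urlopen will refuse the connection; that is a property of the environment, not of the Admin API.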