---
title: Configuring scope constraints
description: On the Scope Constraints tab, you can configure which scopes or scope groups developers can request when registering clients using dynamic client registration.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_clientsettingstasklet_oauthdynamicclientregistrationscopeconstraintsstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_clientsettingstasklet_oauthdynamicclientregistrationscopeconstraintsstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 10, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result
  related-links: Related links
---

# Configuring scope constraints

On the **Scope Constraints** tab, you can configure which scopes or scope groups developers can request when registering clients using dynamic client registration.

## About this task

All clients created through dynamic client registration share this configuration. If a certain client requires a different set of common scopes, exclusive scopes, or both, modify the client configuration using the administrative console, the administrative API, or the OAuth Client Management Service after the client has been created. Scopes can also be overridden by client registration policies enforced during dynamic client registration.

## Steps

1. Go to **System > OAuth Settings > Client Settings** and click **Scope Constraints**.

2. To restrict clients created with the Dynamic Client Registration protocol to a subset of common scopes, select the **Restrict Common Scopes** checkbox, and click the **Selected** link.

3. In the **Scopes Selection** modal, add scopes from the **Available Scopes** column to the **Selected Scopes** column by dragging or clicking the **add** icon.

4. Click **Done**.

   ### Result:

   Your selections impact the developers in several ways:

   * If you do not select the **Restrict Common Scopes** checkbox, developers can send client registrations without including the desired scopes. If the requests are valid, the clients are configured with all the common scopes and scope groups.

   * If you select the **Restrict Common Scopes** checkbox without selecting at least one common scope or scope group, clients resulting from valid client registrations are configured without any common scopes or scope groups.

   * If you select the **Restrict Common Scopes** checkbox with one or more applicable common scopes or scope groups, developers must send client registrations with the desired common scopes and scope groups. If they fail to do so, clients resulting from otherwise valid requests are also configured without any common scopes or scope groups.

5. To allow clients created with the Dynamic Client Registration protocol to request a subset of exclusive scopes, select one or more applicable exclusive scopes.

   1. Click the **Selected** link for **Allowed Exclusive Scopes**.

   2. In the **Scopes Selection** modal, add scopes from the **Available Scopes** column to the **Selected Scopes** column by dragging or clicking the **add** icon.

   3. Click **Done**.

   ### Result:

   Your selections impact the developers in several ways:

   * If you do not select any exclusive scope, clients resulting from valid client registrations are configured without any exclusive scopes or scope groups.

   * If you select one or more applicable exclusive scopes or scope groups, developers must send client registrations with the desired exclusive scopes and scope groups. If they fail to do so, clients resulting from otherwise valid requests are also configured without any exclusive scopes or scope groups.

## Result

Restricting common scopes and allowing exclusive scopes are not mutually exclusive. You can configure both options based on your use cases.

If you configure both options, developers must send client registrations with the desired common and exclusive scopes.

Depending on the configured dynamic scope patterns and whether they are defined as common or exclusive dynamic scopes, this configuration can impact the results of scope evaluation. The default scope is always available to all clients. Learn more in the **Dynamic scope evaluation** and **Per-client scope management** sections in [Scopes and scope management](pf_scopes_and_scope_management.html).
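The outcomes described above can be checked against a registration request before a configuration change is rolled out. The following Python is an added example, not PingFederate code: `ScopeConstraints` and `predict_scopes` are hypothetical names, the sample scopes and request are constructed, and dynamic scope patterns and the default scope are left out.

```python
import json
from dataclasses import dataclass, field


@dataclass
class ScopeConstraints:
    """Hypothetical model of the Scope Constraints tab, not a PingFederate API."""
    all_common: set          # every common scope or scope group on the server
    restrict_common: bool    # state of the Restrict Common Scopes checkbox
    selected_common: set = field(default_factory=set)
    allowed_exclusive: set = field(default_factory=set)


def predict_scopes(cfg, registration_json):
    """Return (common, exclusive, unresolved) for one registration request."""
    body = json.loads(registration_json)
    # RFC 7591: "scope" is an optional, space-separated string.
    requested = set((body.get("scope") or "").split())

    if cfg.restrict_common:
        # Restricted: only requested scopes that are in the selection. An empty
        # selection or a request without scopes both yield no common scopes.
        permitted_common = cfg.selected_common
        common = requested & permitted_common
    else:
        # Unrestricted: the client is configured with all common scopes.
        permitted_common = cfg.all_common
        common = set(cfg.all_common)

    # Exclusive scopes are assigned only when both allowed and requested.
    exclusive = requested & cfg.allowed_exclusive

    # Assumption: the rules above do not cover a request for a scope outside
    # the selections, so it is reported here rather than guessed at.
    unresolved = requested - permitted_common - cfg.allowed_exclusive
    return common, exclusive, unresolved


# Constructed sample data, not taken from a real deployment.
ALL_COMMON = {"openid", "profile", "email", "accounts:read"}
REQUEST = json.dumps({
    "client_name": "demo-app",
    "redirect_uris": ["https://app.example/callback"],
    "scope": "openid payments:write admin",
})

if __name__ == "__main__":
    open_cfg = ScopeConstraints(ALL_COMMON, restrict_common=False)
    tight_cfg = ScopeConstraints(ALL_COMMON, True, {"openid", "email"}, {"payments:write"})
    print(predict_scopes(open_cfg, REQUEST))
    print(predict_scopes(tight_cfg, REQUEST))
```

With **Restrict Common Scopes** cleared, the first result contains every common scope regardless of what the request asked for, which is the case to review when dynamically registered clients should receive least privilege.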

## Related links

* [Managing OAuth clients](help_oauthclientsmanagementtasklet_oauthclientsmanagementstate.html)

* [PingFederate administrative API](../developers_reference_guide/pf_admin_api.html)

* [OAuth Client Management Service](../developers_reference_guide/pf_oauth_client_manage_service.html)
