--- title: Configuring the OAuth Scope Authentication Selector description: The OAuth Scope Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found between the scopes of an OAuth authorization request and scopes configured in the PingFederate OAuth authorization server (AS). component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_config_oauth_scope_auth_selector canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_oauth_scope_auth_selector.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps result: Result related-links: Related links --- # Configuring the OAuth Scope Authentication Selector The OAuth Scope Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found between the scopes of an OAuth authorization request and scopes configured in the PingFederate OAuth authorization server (AS). ## Before you begin Go to **System > OAuth Settings > Authorization Server Settings** and configure one or more scopes. ## About this task This selector allows you to control the strength of authentication based on client access requirements. For example, if a client requires write access to a resource, you can deploy an instance of the OAuth Scope Authentication Selector in one or more authentication policies to choose an adapter that offers a stronger form of authentication, such as the X.509 client certificate, instead of username and password. ## Steps 1. Go to **Authentication > Policies > Selectors** to open the **Selectors** window. 2. On the **Selectors** window, click **Create New Instance** to start the **Create Authentication Selector Instance** workflow. 3. On the **Type** tab, configure the basics of this authentication selector instance. 4. On the **Authentication Selector** tab, select the required scopes, scope groups, or both. | | | | - | ------------------------------------------------------------- | | | Both common and exclusive scopes are available for selection. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | This selector matches only scopes from OAuth authorization requests to the authorization endpoint, `/as/authorization.oauth2`. SAML single sign-on (SSO) requests do not match this authentication selector's criteria and result in a returned result value of `No`. If you are using this selector and selectors specific to SAML connections, list this selector first in the mapping list so that it takes precedence for OAuth without disrupting selector logic on SAML connections. | 5. Complete the configuration. 1. On the **Summary** tab, click **Done**. 2. On the **Selectors** window, click **Save**. ## Result When you mark this selector instance as a checkpoint in an authentication policy, it forms two policy paths: **Yes** and **No**. If the requested scopes satisfy all the selected scopes, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of **Yes**. If the requested scopes do not satisfy all the selected scopes, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of **No**. ## Related links * [Scopes and scope management](pf_scopes_and_scope_management.html)