On the Scope Constraints screen, optionally configure which scopes or scope groups developers can request when registering clients using dynamic client registration.

Note:

This configuration is shared among all clients created through dynamic client registration. If a certain client requires a different set of common scopes or exclusive scopes (or both), modify the client configuration using the administrative console, the administrative API, or the OAuth Client Management Service after the client has been created. In addition, scopes can also be overridden by client registration policies enforced during dynamic client registration.

  1. Go to the OAuth Server > Client Settings > Scope Constraints screen.
  2. If you want to restrict clients created via the Dynamic Client Registration protocol to a subset of common scopes, select the Restrict Common Scopes check box and one or more applicable common scopes.

    Note that your selections impact the developers in several ways:

    • If you do not select the Restrict Common Scopes check box, developers can send client registrations without including the desired scopes. Provided the requests are valid, the clients are configured with all the common scopes and scope groups.
    • If you select the Restrict Common Scopes check box without selecting at least one common scope or scope group, clients resulting from valid client registrations are configured without any common scopes or scope groups.
    • If you select the Restrict Common Scopes check box with one or more applicable common scopes or scope groups, developers must send client registrations with the desired common scopes and scope groups. If they fail to do so, clients resulting from otherwise valid requests are also configured without any common scopes or scope groups.
  3. If you want to allow clients created via the Dynamic Client Registration protocol to request a subset of exclusive scopes, select one or more applicable exclusive scopes in the Allowed Exclusive Scopes setting.

    Note that your selections impact the developers in several ways:

    • If you do not select any exclusive scope, clients resulting from valid client registrations are configured without any exclusive scopes or scope groups.
    • If you select one or more applicable exclusive scopes or scope groups, developers must send client registrations with the desired exclusive scopes and scope groups. If they fail to do so, clients resulting from otherwise valid requests are also configured without any exclusive scopes or scope groups.

Restricting common scopes and allowing exclusive scopes are not mutually exclusive. You can configure both options based on your use cases.

Depending on the configured dynamic scope patterns and whether they are defined as common or exclusive dynamic scopes, this configuration can impact the results of scope evaluation. The default scope, however, is always allowed for and available to all clients. For detailed information, refer to the Dynamic scope evaluation and per-client scope management section in Scopes and scope management.

If you configure both options, developers must send client registrations with the desired common and exclusive scopes.
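
The outcomes listed in steps 2 and 3 can be checked against an intended least-privilege policy with a small model. The following is an added example, not product code: the function name, parameters, and sample scopes are constructed. It makes two assumptions: the request's scopes are split between the two settings by name, and an unrestricted request that names common scopes is granted exactly those scopes.

```python
# Added illustration: a simplified model of the outcomes listed on this page.
# Not product code; all names and sample scopes below are constructed.

ALL_COMMON = {"openid", "profile", "email"}   # constructed common scopes
EXCLUSIVE = {"payments:write"}                # constructed exclusive scope


def resulting_scopes(requested, all_common, restrict_common,
                     selected_common, allowed_exclusive):
    """Return (common, exclusive) scope sets for a valid registration request."""
    requested = set(requested)
    allowed_common = set(selected_common) if restrict_common else set(all_common)
    allowed_exclusive = set(allowed_exclusive)

    # The page does not say how a request naming a scope outside the allowed
    # sets is handled, so this model refuses to guess.
    outside = requested - allowed_common - allowed_exclusive
    if outside:
        raise ValueError(f"outcome not documented for: {sorted(outside)}")

    if not restrict_common and not (requested & allowed_common):
        # Check box cleared, no common scope named: every common scope is granted.
        common = set(all_common)
    else:
        # Check box selected: only scopes both selected and requested are granted,
        # so an empty selection or an empty request yields no common scopes.
        # Assumption: an unrestricted request naming common scopes gets those.
        common = requested & allowed_common

    # Exclusive scopes are granted only when allowed and explicitly requested.
    exclusive = requested & allowed_exclusive
    return common, exclusive


if __name__ == "__main__":
    # The same scope-less request under three configurations.
    for restrict, selected in [(False, []), (True, []), (True, ["openid"])]:
        print(restrict, selected,
              resulting_scopes([], ALL_COMMON, restrict, selected, EXCLUSIVE))
```

The first configuration is the one to watch when reviewing a deployment: with the check box cleared, a request that names no scopes yields a client holding every common scope.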