On the Scope Constraints screen, optionally configure which scopes or scope groups that developers can request when registering clients using dynamic client registration.
This configuration is shared among all clients created through dynamic client registration. If a certain client requires a different set of common scopes or exclusive scopes (or both), modify the client configuration using the administrative console, the administrative API, or the OAuth Client Management Service after the client has been created. In addition, scopes can also be overridden by client registration policies enforced during dynamic client registration.
Restricting common scopes and allowing exclusive scopes are not mutually exclusive. You can configure both options based on your use cases.
Depending on the configured dynamic scope patterns and whether they are defined as common or exclusive dynamic scopes, this configuration can impact the results of scope evaluation. The default scope, however, is always allowed for and available to all clients. For detailed information, refer to the Dynamic scope evaluation and per-client scope management section in Scopes and scope management.
If you configure both options, developers must send client registrations with the desired common and exclusive scopes.