OAuth provides a mechanism to constrain the privileges associated with an access token, and scopes are the way to specify which privileges are requested and granted. Generally, a client specifies the desired scopes when sending an authorization request to the authorization server. If the user (the resource owner) approves, the authorization server issues an access token carrying those scopes.
Scopes are configured globally using the configuration wizard. Once defined, the availability of scopes can be managed on a client-by-client basis.
Static scopes and dynamic scopes
As an authorization server, PingFederate supports the concepts of static scopes and dynamic scopes. A static scope is defined by using a text value; for example, read_bank_account. A dynamic scope is defined by using a text value with a variable component represented by a wildcard; for example, read_bank_account_txn:*. As illustrated, dynamic scopes address the business requirement where clients want to request authorization by using scope values with a variable component that changes from one request to another.
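The following added example (not PingFederate's own code) shows how an authorization server might evaluate a requested scope parameter against a global set of static and dynamic scopes, further restricted to what one client is allowed to request. The scope values and the rule that the wildcard stands for exactly one non-empty, whitespace-free component are constructed assumptions for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample configuration (not PingFederate's own): globally defined
# static scopes, dynamic scopes (one "*" variable component each), and the
# subset that a particular client has been allowed to request.
STATIC_SCOPES = {"openid", "read_bank_account"}
DYNAMIC_SCOPES = {"read_bank_account_txn:*"}
CLIENT_ALLOWED_SCOPES = {"openid", "read_bank_account", "read_bank_account_txn:*"}


def dynamic_scope_regex(dynamic_scope: str) -> re.Pattern:
    """Compile a dynamic scope definition into a regex.

    Assumed matching rule: the wildcard stands for one non-empty component with
    no whitespace; every other character of the definition is matched literally.
    """
    if dynamic_scope.count("*") != 1:
        raise ValueError(f"dynamic scope must contain exactly one '*': {dynamic_scope!r}")
    head, tail = dynamic_scope.split("*")
    return re.compile(re.escape(head) + r"\S+" + re.escape(tail))


def evaluate_scope_request(scope_param: str, allowed: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a space-delimited OAuth 'scope' parameter into granted and rejected values.

    A value is granted only if it equals a static scope or matches a dynamic scope
    definition, and that definition is in the client's allowed set.
    """
    allowed = set(allowed)
    static_ok = STATIC_SCOPES & allowed
    dynamic_ok = [dynamic_scope_regex(d) for d in DYNAMIC_SCOPES & allowed]
    granted: List[str] = []
    rejected: List[str] = []
    for value in dict.fromkeys(scope_param.split()):  # de-duplicate, keep request order
        if "*" in value:
            # Clients request concrete values; the pattern itself is never grantable.
            rejected.append(value)
        elif value in static_ok or any(p.fullmatch(value) for p in dynamic_ok):
            granted.append(value)
        else:
            rejected.append(value)
    return granted, rejected
```

The rejected list is what the server would report back (or use to deny the request entirely, depending on policy), so the client never silently receives a broader token than it was entitled to.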