OAuth provides a mechanism to constrain the privileges associated with an access token, and scopes are the way to define more specifically which privileges are requested and granted. Generally, a client specifies the desired scopes when sending an authorization request to the authorization server. If the user (the resource owner) approves, the authorization server issues an access token with those scopes.

Scopes are configured globally using the OAuth Server > Scope Management configuration wizard. Once defined, the availability of scopes can be managed on a client-by-client basis.

Static scopes and dynamic scopes

As an authorization server, PingFederate supports the concepts of static scopes and dynamic scopes. A static scope is defined by using a text value; for example, read_bank_account. A dynamic scope is defined by using a text value with a variable component represented by a wildcard; for example, read_bank_account_txn:*. As this example illustrates, dynamic scopes address the business requirement where clients want to request authorization by using scope values whose variable component changes from one request to another.
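
The following sketch is an added example, not PingFederate code. It shows one way a requested scope value can be checked against static and dynamic scope definitions. The function names, the sample client scope list, and the rules that the variable component must be non-empty and must not itself contain the wildcard are assumptions of this example.

```python
from __future__ import annotations

# Constructed sample: scope definitions made available to one client.
CLIENT_SCOPES = ["read_bank_account", "read_bank_account_txn:*"]


def match_scope(requested: str, definitions: list[str]):
    """Return (definition, variable_part) for the definition that covers
    `requested`, or None when no definition covers it (hypothetical helper)."""
    for definition in definitions:
        if "*" not in definition:
            # Static scope: exact, case-sensitive comparison only.
            if requested == definition:
                return definition, None
            continue
        # Dynamic scope: compare the fixed parts literally, so the
        # wildcard is never interpreted as a regular expression.
        prefix, _, suffix = definition.partition("*")
        fixed_len = len(prefix) + len(suffix)
        if not (requested.startswith(prefix) and requested.endswith(suffix)):
            continue
        if len(requested) <= fixed_len:
            continue  # assumption: an empty variable component is rejected
        variable = requested[len(prefix):len(requested) - len(suffix)]
        if "*" in variable:
            continue  # assumption: a client may not request the wildcard itself
        return definition, variable
    return None


def evaluate_request(scope_param: str, definitions: list[str]):
    """Split a space-delimited `scope` parameter into (granted, rejected)."""
    granted, rejected = [], []
    for requested in scope_param.split():
        if match_scope(requested, definitions) is not None:
            granted.append(requested)
        else:
            rejected.append(requested)
    return granted, rejected


if __name__ == "__main__":
    print(evaluate_request(
        "read_bank_account read_bank_account_txn:12345 write_bank_account",
        CLIENT_SCOPES))
```

The variable part returned by match_scope is the value a resource server would need to compare against the resource actually being accessed; checking only the fixed prefix would let a token issued for one transaction be used for another.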