OAuth provides a mechanism to constrain the privileges associated with an access token, whereas scopes provide a way to more specifically define the privileges requested and granted. Generally, a client specifies the desired scopes when sending an authorization request to the authorization server. If the user approves, the authorization server issues an access token with these scopes.

Scopes are configured globally using the System > OAuth Settings > Scope Management configuration wizard. Once defined, you can manage the availability of scopes on a client-by-client basis.

Static scopes and dynamic scopes

As an authorization server, PingFederate supports the concepts of static scopes and dynamic scopes. To define a static scope, use a text value such as read_bank_account. To define a dynamic scope, use a text value with a variable component represented by a wildcard, such as read_bank_account_txn:*. As illustrated, dynamic scopes allow clients to request authorization using scope values with a variable component from one request to another.