In addition to OAuth, PingFederate supports the use of scopes to constrain and define access privileges.
OAuth provides a mechanism to constrain the privileges associated with an access token, whereas scopes provide a way to more specifically define the privileges requested and granted. Generally, a client specifies the desired scopes when sending an authorization request to the authorization server. If the user approves, the authorization server issues an access token with these scopes.
Scopes are configured globally using the configuration wizard. Once defined, you can manage the availability of scopes on a client-by-client basis.
Static scopes and dynamic scopes
As an authorization server, PingFederate supports the concepts of static scopes and dynamic scopes. To define a static scope, use a text value such as read_bank_account. To define a dynamic scope, use a text value with a variable component represented by a wildcard, such as read_bank_account_txn:*. As illustrated, dynamic scopes allow clients to request authorization using scope values with a variable component from one request to
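
The following added example (not PingFederate code or configuration) shows one way a scope check could treat static and dynamic scope definitions when evaluating a request. The matching rule (the wildcard stands for one or more scope-token characters other than `*`) and the names `compile_scope`, `evaluate_request` and `CLIENT_SCOPES` are assumptions, since the page does not specify them.

```python
import re

# RFC 6749 section 3.3 scope-token characters (printable ASCII except space,
# '"' and '\'), minus '*' so that a request carrying the literal wildcard is
# never granted. Excluding '*' is an assumption of this example.
_VARIABLE_CHAR = r"[\x21\x23-\x29\x2B-\x5B\x5D-\x7E]"


def compile_scope(definition):
    """Turn one configured scope definition into a regex for full matching.

    Assumption: '*' stands for one or more characters of the variable
    component; every other character is escaped and matched literally, so
    regex metacharacters in a scope name cannot widen the match.
    """
    literal_parts = [re.escape(part) for part in definition.split("*")]
    return re.compile((_VARIABLE_CHAR + "+").join(literal_parts))


def evaluate_request(scope_param, client_scopes):
    """Split a space-delimited scope parameter into (granted, rejected)."""
    patterns = [compile_scope(d) for d in client_scopes]
    granted, rejected = [], []
    for token in scope_param.split():
        # fullmatch anchors both ends: prefixes and suffixes do not match.
        if any(p.fullmatch(token) for p in patterns):
            granted.append(token)
        else:
            rejected.append(token)
    return granted, rejected


# Constructed client configuration: the static and dynamic scope values
# used as examples in the text above.
CLIENT_SCOPES = ["read_bank_account", "read_bank_account_txn:*"]

if __name__ == "__main__":
    # Constructed request mixing valid, empty-variable and unknown scopes.
    request = ("read_bank_account read_bank_account_txn:12345 "
               "read_bank_account_txn: write_bank_account")
    granted, rejected = evaluate_request(request, CLIENT_SCOPES)
    print("granted: ", granted)
    print("rejected:", rejected)
```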