Configuring scopes for a third-party OAuth provider

Access tokens contain authorization for specific scopes.

About this task

Client applications can request only the scopes or a subset of the scopes that you define here. The scopes are included in the access tokens that are generated from the provider. When an OAuth-protected API is called, the gateway checks the access token's scopes against the allowed scopes in the API's security definition to decide whether to grant access.

In addition, you can enforce advanced scope checks. Depending on which URLs are configured, the advanced scope check URLs are invoked after application authentication or after user authentication. The final scope permission granted in the access token is based on the results of all scope checks.
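The two layers of checking described above, modelled as an added example (not product code): a client may request only a subset of the provider-defined scopes, the gateway compares the token's scopes with the API's allowed scopes, and an optional advanced scope check can narrow the final grant. The validator endpoint is stood in for by a plain Python callable, and the scope names and client ids are constructed sample values.

```python
"""Model of the basic and advanced scope checks (added example, not product code)."""
import base64
from dataclasses import dataclass
from typing import Callable, Optional

# Scopes defined on the third-party OAuth provider (constructed sample values).
PROVIDER_SCOPES = {"read", "write", "admin"}

@dataclass
class AccessToken:
    client_id: str
    scopes: set

def issue_token(client_id: str, requested: set) -> Optional[AccessToken]:
    """Clients may request only the provider-defined scopes or a subset of them."""
    if not requested or not requested <= PROVIDER_SCOPES:
        return None  # an unknown scope was requested: refuse to issue a token
    return AccessToken(client_id, set(requested))

def gateway_allows(token: AccessToken, api_allowed: set, required: set,
                   validator: Optional[Callable[[AccessToken], set]] = None) -> bool:
    """Decide whether an OAuth-protected API call may proceed.

    api_allowed: scopes listed in the API's security definition.
    required:    scopes the called operation needs.
    validator:   optional advanced scope check; returns the scopes it confirms.
    """
    # Basic check: only scopes the API permits count, and every required scope must be present.
    effective = token.scopes & api_allowed
    if not required <= effective:
        return False
    if validator is not None:
        # Final permission is the intersection of the results of all checks.
        effective &= set(validator(token))
    return required <= effective

def sample_validator(token: AccessToken) -> set:
    """Stand-in for the default validator endpoint (constructed policy):
    it confirms 'admin' only for one hypothetical client id."""
    confirmed = set(token.scopes)
    if token.client_id != "ops-console":
        confirmed.discard("admin")
    return confirmed

def basic_auth_header(header_name: str, username: str, password: str) -> dict:
    """Header the gateway would add when 'Enable security' with Basic authentication is set;
    the header name is configurable, as in the settings table on this page."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {header_name: f"Basic {creds}"}
```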

One of the following roles is required to configure scopes for a third-party OAuth Provider:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings:Manage permissions

Procedure

When you create a third-party OAuth provider, you can add scopes immediately (for more information, see Configuring a third-party OAuth provider), or you can update the scope settings of an existing third-party OAuth provider later. The Advanced scope check after token generation option is not available while you are creating a third-party OAuth provider. To edit the scopes and enable the Advanced scope check after token generation settings for an existing third-party OAuth provider, complete the following steps:

  1. Click Resources > OAuth Providers.
  2. Select the third-party OAuth provider whose scopes you want to edit.
  3. Click Scopes in the sidebar menu. The currently configured scopes are listed. Review and update the scopes as required.
  4. To add or delete scopes, complete the following steps:
    • To add a scope, click Add, enter the Name and Description for the new scope, and click Save.
    • To delete an existing scope, click the Delete icon.
  5. To implement an extra scope check at the API consumer level, which ensures compliance with the API's scope requirements, complete the following steps:
    • Select the Enabled checkbox to enable the advanced scope check after token validation.
    • Enter the Default validator endpoint.
    • Optional: Select the TLS client profile to use for an owner scope check. For more information about TLS client profiles, see TLS profiles overview.
    • Select the Use endpoint from API checkbox to use the endpoint that is defined in the API. If you select Use endpoint from API, the Default validator endpoint is optional.
    • If you want to enable basic authentication, select the Enable security checkbox and complete the following parameters:
      Table 1.
      Field: Mode
        Description: Select Basic authentication.
      Field: Basic authentication request header name (optional)
        Description: A default header name is provided, which you can modify to meet your specific requirements.
      Field: Basic authentication username and password (optional)
        Description: Enter the username and password.
      Field: Request headers and Response context variables (optional)
        Description: Enter the request headers and response context variables. Make sure that they are in Perl Compatible Regular Expressions (PCRE) format. For more information about PCRE format, see PCRE.
    • Click Save when you are done. For more information about scopes, see Scope.

Results

Depending on the visibility setting, the OAuth provider with the specified scopes can be used to secure the APIs in a catalog.