Access tokens contain authorization for specific scopes.
About this task
Client applications can request only the scopes or a subset of the scopes that you define here.
The scopes are included in the access tokens that are generated from the provider. When an
OAuth-protected API is called, the gateway checks the access token's scopes against the allowed
scopes in the API's security definition to decide whether to grant access.
In addition, you can enforce advanced scope checks. The advanced scope check URLs are invoked
after application authentication or after user authentication, depending on which URLs are configured.
The final scope permission that the access token grants is based on the results of all scope checks.
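The two-stage decision described above, as an added illustration that is not code from the product: the token's scopes are first narrowed to the scopes allowed by the API's security definition, then a validator endpoint (simulated here by a plain callable, an assumption; the real endpoint contract is not shown on this page) can narrow them further. The request-header filter uses Python's re module as a stand-in for PCRE.

```python
import re
from typing import Callable, Dict, Iterable, Set, Tuple

# Signature assumed for the simulated validator: (scopes, forwarded headers) -> (ok, approved scopes)
Validator = Callable[[Set[str], Dict[str, str]], Tuple[bool, Iterable[str]]]


def parse_scope_claim(scope_claim: str) -> Set[str]:
    """Split the space-delimited scope claim carried in an access token."""
    return set(scope_claim.split())


def basic_scope_check(token_scopes: Iterable[str], allowed_scopes: Iterable[str]) -> Set[str]:
    """Stage 1: keep only token scopes that the API's security definition allows."""
    return set(token_scopes) & set(allowed_scopes)


def pick_forwarded_headers(headers: Dict[str, str], pattern: str) -> Dict[str, str]:
    """Forward only request headers whose names match the configured (PCRE-style) pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {name: value for name, value in headers.items() if rx.search(name)}


def advanced_scope_check(granted: Set[str], headers: Dict[str, str], validator: Validator) -> Set[str]:
    """Stage 2: the validator may approve a subset; a rejection grants nothing."""
    ok, approved = validator(granted, headers)
    return granted & set(approved) if ok else set()


def authorize(scope_claim: str, allowed: Iterable[str], headers: Dict[str, str],
              header_pattern: str, validator: Validator) -> Set[str]:
    """Final scope = intersection of the results of all scope checks."""
    granted = basic_scope_check(parse_scope_claim(scope_claim), allowed)
    if not granted:
        return set()  # no allowed scope in the token: deny before calling the validator
    return advanced_scope_check(granted, pick_forwarded_headers(headers, header_pattern), validator)


def sample_validator(requested: Set[str], headers: Dict[str, str]) -> Tuple[bool, Set[str]]:
    """Constructed stand-in validator: 'write' is approved only for the 'acme' tenant header."""
    if headers.get("X-Tenant") == "acme":
        return True, requested
    return True, requested - {"write"}


if __name__ == "__main__":
    api_allowed = {"read", "write"}  # constructed security definition for one API
    req = {"X-Tenant": "acme", "Cookie": "session=abc"}  # constructed request headers
    print(authorize("read write admin", api_allowed, req, r"^X-", sample_validator))
```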
One of the following roles is required to configure scopes for a third-party OAuth Provider:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings:Manage permissions
Procedure
When you create a third-party OAuth provider, you can add scopes immediately (for more
information, see Configuring a third-party OAuth provider), or you can update the scope settings
for an existing third-party OAuth provider. The Advanced scope check after token
generation option is not available while you create a third-party OAuth provider. To edit
scopes and enable the Advanced scope check after token generation settings for an existing
third-party OAuth provider, complete the following steps:
- Click .
- Select the third-party OAuth provider whose scopes you want to edit.
- Click Scopes in the sidebar menu. The currently configured scopes
are listed. Review and update the scopes as required.
- To add new scopes, complete the following steps:
  - Click Add.
  - Enter the Name and Description for the new scope.
  - Click Save.
- To delete existing scopes, click Delete.
- To implement an extra scope check at the API consumer level that ensures compliance with
  the API's scope requirements, complete the following steps:
  - Select the Enabled checkbox to enable the advanced scope check after
    token validation.
  - Enter the Default validator endpoint.
  - Optional: Select the TLS client profile to use for an owner scope check.
    For more information about TLS client profiles, see TLS profiles overview.
  - Select the Use endpoint from API checkbox to use the endpoint from the
    API. If you select Use endpoint from API, the Default validator
    endpoint is optional.
  - If you want to enable basic authentication, select the Enable security
    checkbox and fill in the following parameters:
    Table 1.
    | Field | Description |
    |---|---|
    | Mode | Select Basic authentication. |
    | Optional: Basic authentication request header name | A default header name is provided, which you can modify to meet your specific requirements. |
    | Optional: Basic authentication username and password | Enter the username and password. |
    | Optional: Request headers and Response context variables | Enter the Request headers and Response context variables. Make sure that they are in Perl Compatible Regular Expressions (PCRE) format. For more information about PCRE format, see PCRE. |
- Click Save when done. For more information about scope, see Scope.
Results
Depending on the visibility setting, the OAuth provider with the specified scopes can be
used to secure the APIs in the catalog.