Mapping scope elements

Map custom scope elements to security checks to define application-specific security logic.

About this task

An OAuth scope is composed of zero or more scope elements, and each scope element is mapped to zero or more security checks (see OAuth scopes and security checks). You can define custom scope elements for your application, which map to any of the predefined or custom security checks that are available for the application.

The application scope mapping provides multiple advantages.
  • Access the same resource from multiple applications, and customize the authorization logic of each application by using different maps for the same scope elements of the protecting resource scope.
  • Reuse the same mandatory scope for multiple applications, and customize the authorization logic of each application by using different maps of the contained scope elements. See Configuring a mandatory application scope.
  • Dynamically change the application's authorization logic by changing the scope-element maps. For example, you can define an empty scope element, and remap it to a new security check when the check becomes available.

Procedure

Map scope elements to security checks by using one of the following alternative methods:

Results

After you successfully map one or more scope elements, you can see your defined scope elements in the Scope-Elements Mapping table on the application Security console page. In addition, you can see the scope-mapping property definition in the application descriptor: in the console, go to the application Configuration Files tab. In the Application-Descriptor JSON File section, you can see a copy of the application-descriptor JSON file. Search for the scopeElementMapping property definition in this file. This definition object contains one or more name/value data pairs of the following format:
"ScopeElement": "[SecurityCheck1 SecurityCheck2 ...]"
For example, the following code maps two scope elements:
  1. The UserAuth scope element is mapped to a custom UserAuthentication security check.
  2. The SSOUserValidation scope element is mapped to the predefined LtpaBasedSSO security check, and to a custom CredentialsValidation security check.
"scopeElementMapping": {
    "UserAuth": "UserAuthentication",
    "SSOUserValidation": "LtpaBasedSSO CredentialsValidation"
}