Map custom scope elements to security checks to define application-specific security logic.
About this task
An OAuth scope is composed of zero or more scope elements, and each scope element is mapped to zero or more security checks (see OAuth scopes and security checks). You can define custom scope elements for your application and map each one to any of the predefined or custom security checks that are available to the application.
The application scope mapping provides several advantages:
- Access the same resource from multiple applications, and customize the authorization logic of each application by mapping the same scope elements of the protecting resource scope to different security checks in each application.
- Reuse the same mandatory scope for multiple applications, and customize the authorization logic of each application by mapping the scope elements that the mandatory scope contains differently in each application. See Configuring a mandatory application scope.
- Change the application's authorization logic dynamically by changing the scope-element mappings. For example, you can define an empty scope element (one that is mapped to no security check) and remap it to a new security check when that check becomes available. Until it is remapped, the empty element adds no security check to any scope that contains it.
Results
After you successfully map one or more scope elements, you can see your defined scope elements in the Scope-Elements Mapping table on the application Security console page. In addition, you can see the scope-mapping property definition in the application descriptor: in the console, go to the application Configuration Files tab. In the Application-Descriptor JSON File section, you can see a copy of the application-descriptor JSON file. Search for the scopeElementMapping property definition in this file. This definition object contains one or more name/value pairs of the following format, where the value is a space-separated list of security-check names (the brackets denote the list and are not part of the value; an empty string maps the scope element to no security check):
"ScopeElement": "[SecurityCheck1 SecurityCheck2 ...]"
For example, the following code maps two scope elements:
- The UserAuth scope element is mapped to a custom UserAuthentication security check.
- The SSOUserValidation scope element is mapped to the predefined LtpaBasedSSO security check and to a custom CredentialsValidation security check.
"scopeElementMapping": {
    "UserAuth": "UserAuthentication",
    "SSOUserValidation": "LtpaBasedSSO CredentialsValidation"
}
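The following Python script is an added illustration, not code from the product or from this page. It parses the scopeElementMapping property from two constructed application descriptors and resolves a requested OAuth scope into the security checks that must pass, which shows both the descriptor format above and the first and third advantages listed earlier: the same scope resolves to different checks under each application's mapping, and an empty scope element resolves to no check. The descriptor contents, the PinCodeCheck and Audit names, the KNOWN_CHECKS inventory and the fail-closed handling of unmapped elements are assumptions made for the example; LtpaBasedSSO is the only name the page identifies as a predefined check.

```python
import json

# Constructed sample descriptors (not real MobileFirst files). Both applications
# protect a resource with the scope "UserAuth SSOUserValidation", but each maps
# those scope elements to different security checks. "Audit" is an empty scope
# element that can be remapped later without touching the protected resource.
APP_A_DESCRIPTOR = """
{
  "id": "app-a",
  "scopeElementMapping": {
    "UserAuth": "UserAuthentication",
    "SSOUserValidation": "LtpaBasedSSO CredentialsValidation",
    "Audit": ""
  }
}
"""

APP_B_DESCRIPTOR = """
{
  "id": "app-b",
  "scopeElementMapping": {
    "UserAuth": "PinCodeCheck",
    "SSOUserValidation": "LtpaBasedSSO"
  }
}
"""

# Assumed inventory of security checks deployed for these applications.
# Every name except LtpaBasedSSO is hypothetical.
KNOWN_CHECKS = {"UserAuthentication", "LtpaBasedSSO",
                "CredentialsValidation", "PinCodeCheck"}


def load_scope_element_mapping(descriptor_json):
    """Parse scopeElementMapping into {scope element: [security check, ...]}.

    Each value is a space-separated list of security-check names, so an
    empty string yields an empty list: a scope element that requires no check.
    """
    descriptor = json.loads(descriptor_json)
    raw = descriptor.get("scopeElementMapping", {})
    mapping = {}
    for element, checks in raw.items():
        if not isinstance(checks, str):
            raise ValueError(f"scope element {element!r}: value must be a string")
        mapping[element] = checks.split()
    return mapping


def resolve_scope(scope, mapping, known_checks=KNOWN_CHECKS):
    """Return the ordered, de-duplicated security checks that a token for
    `scope` (a space-separated list of scope elements) must satisfy.

    Fail closed: a scope element with no mapping entry, or a mapped check
    that is not deployed, raises instead of silently requiring nothing.
    This policy is an assumption for the example, not a documented default.
    """
    required = []
    for element in scope.split():
        if element not in mapping:
            raise LookupError(f"scope element {element!r} has no mapping")
        for check in mapping[element]:
            if check not in known_checks:
                raise LookupError(f"security check {check!r} is not deployed")
            if check not in required:
                required.append(check)
    return required


if __name__ == "__main__":
    scope = "UserAuth SSOUserValidation"
    for descriptor in (APP_A_DESCRIPTOR, APP_B_DESCRIPTOR):
        app_id = json.loads(descriptor)["id"]
        checks = resolve_scope(scope, load_scope_element_mapping(descriptor))
        print(f"{app_id}: scope {scope!r} requires {checks}")
```

Running the script shows the same scope resolving to UserAuthentication, LtpaBasedSSO and CredentialsValidation for app-a but to PinCodeCheck and LtpaBasedSSO for app-b. Resolving "Audit" under app-a returns an empty list, which is exactly why an empty scope element should be remapped as soon as the intended check exists.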