Learn how to configure and customize OAuth protection for
your resources.
- Protected resources
- In the OAuth model, a protected resource is a resource that requires an access token. You can use the MobileFirst security framework to protect both resources that are hosted on an instance of MobileFirst Server and resources on an external server. You protect a resource by assigning it a scope that defines the required permissions for acquiring an access token for the resource. See Overview of the MobileFirst security framework.
Mobile-application access to protected resources is also restricted by the mandatory application scope.
MobileFirst adapter resources are protected by default, meaning that an access token is required to access such resources even when no scope is explicitly assigned to the resource. You can disable the default resource protection.
The resource scope can contain custom scope elements that are mapped to security checks at the application level.
Note: An empty scope is also a valid scope, and requires an access token.
- Unprotected resources
- An unprotected resource is a resource that does not require an access token. The MobileFirst security framework does not manage access to unprotected resources, and does not validate or check the identity of clients that access these resources. Therefore, features such as Direct Update, blocking device access, or remotely disabling an application are not supported for unprotected resources. See Updating Cordova client apps directly and Mobile-application management.
Configuring resource protection