Mapping scope elements
Map custom scope elements to security checks to define application-specific security logic.
About this task
An OAuth scope is composed of zero or more scope elements, and each scope element is mapped to zero or more security checks (see OAuth scopes and security checks). You can define custom scope elements for your application, which map to any of the predefined or custom security checks that are available for the application. Mapping scope elements to security checks lets you do the following:
- Access the same resource from multiple applications, and customize the authorization logic of each application by using different maps for the same scope elements of the protecting resource scope.
- Reuse the same mandatory scope for multiple applications, and customize the authorization logic of each application by using different maps of the contained scope elements. See Configuring a mandatory application scope.
- Dynamically change the application's authorization logic by changing the scope-element maps. For example, you can define an empty scope element, and remap it to a new security check when the check becomes available.
Procedure
- Using IBM MobileFirst™ Platform Operations Console (the console)
You can delete or edit a defined scope element by selecting the relevant action icon for this element in the application's scope-mapping table.
- Editing the application-descriptor file
You can edit this definition at any time, as needed. To remove all scope-element mapping for your application, create a new copy of the application-descriptor file, delete the scopeElementMapping object, and redeploy the descriptor file to the server.
Results
Each scope-element map in the scopeElementMapping object of the application descriptor has the following format, where the security checks are listed as a space-separated string:
"ScopeElement": "[SecurityCheck1 SecurityCheck2 ...]"
For example, the following code maps two scope elements:
- The UserAuth scope element is mapped to a custom UserAuthentication security check.
- The SSOUserValidation scope element is mapped to the predefined LtpaBasedSSO security check, and to a custom CredentialsValidation security check.
"scopeElementMapping": {
"UserAuth": "UserAuthentication",
"SSOUserValidation": "LtpaBasedSSO CredentialsValidation"
}
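The following Python script is an added example, not IBM's code and not part of this page: it parses a constructed application-descriptor fragment in the format above and resolves a protecting scope into the ordered list of security checks that must pass. It assumes a scope is written as space-separated scope elements (as in the mapping values), treats an element mapped to "" as an intentionally empty element with zero checks, and reports any scope element that has no mapping at all so that a typo in a resource's scope does not silently leave it unprotected; how the server itself handles an unmapped element is not described on this page.

```python
import json

# Constructed application-descriptor fragment (sample values, not from a real deployment).
# Each scope element maps to a space-separated list of security-check names; an empty
# string is a scope element that is deliberately mapped to zero checks.
DESCRIPTOR_JSON = """
{
  "scopeElementMapping": {
    "UserAuth": "UserAuthentication",
    "SSOUserValidation": "LtpaBasedSSO CredentialsValidation",
    "FutureCheck": ""
  }
}
"""


def parse_scope_element_mapping(descriptor_text):
    """Return {scope_element: [security_check, ...]} from an application descriptor."""
    descriptor = json.loads(descriptor_text)
    mapping = descriptor.get("scopeElementMapping", {})
    # str.split() with no argument collapses repeated whitespace, so "" -> []
    return {element: checks.split() for element, checks in mapping.items()}


def resolve_scope(scope, mapping):
    """Expand a protecting scope (space-separated scope elements) into the security
    checks that must pass, preserving order and removing duplicates.

    Returns (checks, unmapped). 'unmapped' lists scope elements with no entry in
    scopeElementMapping; this example treats them as a configuration error to review
    (an assumption of the example, not documented server behaviour).
    """
    checks = []
    unmapped = []
    for element in scope.split():
        if element not in mapping:
            unmapped.append(element)
            continue
        for check in mapping[element]:
            if check not in checks:
                checks.append(check)
    return checks, unmapped


if __name__ == "__main__":
    mapping = parse_scope_element_mapping(DESCRIPTOR_JSON)
    # "SSOUserValidatoin" is a deliberate typo to show how an unmapped element is reported.
    for scope in ("UserAuth SSOUserValidation", "FutureCheck", "UserAuth SSOUserValidatoin"):
        checks, unmapped = resolve_scope(scope, mapping)
        print(f"{scope!r} -> checks={checks} unmapped={unmapped}")
```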