
Admin UI: Scopes

Arnab Dutta edited this page Oct 6, 2022 · 4 revisions

Overview

Please read the following docs to get more information about different scopes.

Spontaneous scope

Spontaneous scopes are read-only. They show up in search results and admins can view them, but admins cannot create them: a spontaneous scope is created only when an authorized client presents it at the token endpoint.

In Admin UI

  • Spontaneous scopes cannot be created by an admin.
  • An admin can only view spontaneous scopes that have already been created.
  • To make an OIDC client capable of creating spontaneous scopes, set allowSpontaneousScopes to true and add regular expressions that the requested scopes must match to the spontaneousScopes field of the client in the database, for example:
"allowSpontaneousScopes": true,
"spontaneousScopes": ["^transaction:.+$"]


  • Then request the matching scopes (e.g. transaction:245, transaction:8645) in the scope parameter of the authorization URL:
https://example.gluu.org/oxauth/restv1/authorize?response_type=code&scope=openid+profile+transaction%3A245+transaction%3A8645&client_id=c8592b26-8984-484d-8aba-9f475be73af0&redirect_uri=https%3A%2F%2Fexample.gluu.org%2Foxauth-rp%2Fhome.htm&state=2dccaf64-c0b9-4c35-8008-f754ad964c3b&nonce=9cf5c813-578b-44e5-a353-b7446c1b9358


  • For a spontaneous scope the AS always sets creatorTyp=client and creatorId=client_id of the client that presented it.
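The following is an added example (not part of the wiki or the Gluu/Janssen code base) that models the behaviour described above: it pulls the scope parameter out of the authorization URL shown on this page, checks each scope against the client's spontaneousScopes patterns, and records the creatorTyp/creatorId attribution for scopes that would be created on the fly. The client record, the set of registered scopes and the full-match semantics of the regular expressions are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed client record, shaped like the two fields described on the page.
CLIENT = {
    "client_id": "c8592b26-8984-484d-8aba-9f475be73af0",
    "allowSpontaneousScopes": True,
    "spontaneousScopes": [r"^transaction:.+$"],
}

# Constructed: scopes that already exist on the AS (not spontaneous).
REGISTERED_SCOPES = {"openid", "profile", "email"}

# Authorization URL as shown on the page; '+' decodes to a space in the scope value.
PAGE_AUTHORIZE_URL = (
    "https://example.gluu.org/oxauth/restv1/authorize?response_type=code"
    "&scope=openid+profile+transaction%3A245+transaction%3A8645"
    "&client_id=c8592b26-8984-484d-8aba-9f475be73af0"
    "&redirect_uri=https%3A%2F%2Fexample.gluu.org%2Foxauth-rp%2Fhome.htm"
    "&state=2dccaf64-c0b9-4c35-8008-f754ad964c3b"
    "&nonce=9cf5c813-578b-44e5-a353-b7446c1b9358"
)


def requested_scopes(authorize_url):
    """Return the space-separated scope list carried by the authorization URL."""
    query = parse_qs(urlparse(authorize_url).query)
    return query.get("scope", [""])[0].split()


def classify_scopes(client, scopes, registered=REGISTERED_SCOPES):
    """Split requested scopes into registered, spontaneous (would be created and
    attributed to the client, as the page describes) and rejected.
    Assumption: a pattern must match the whole scope value (Java String.matches
    semantics), so re.fullmatch is used; a loose pattern such as '.*' would let
    the client mint arbitrary scope names, so patterns should stay narrow."""
    patterns = [re.compile(p) for p in client.get("spontaneousScopes", [])]
    allowed = bool(client.get("allowSpontaneousScopes"))
    result = {"registered": [], "spontaneous": [], "rejected": []}
    for scope in scopes:
        if scope in registered:
            result["registered"].append(scope)
        elif allowed and any(p.fullmatch(scope) for p in patterns):
            # Attribution the AS records for a spontaneous scope (see bullet above).
            result["spontaneous"].append(
                {"id": scope, "creatorTyp": "client", "creatorId": client["client_id"]}
            )
        else:
            result["rejected"].append(scope)
    return result
```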

UMA scope

  • UMA scopes can be created in Admin UI, but they cannot be edited there.
  • A UMA scope can be created either by a human or by the AS.
  • If the AS has auto-creation enabled for UMA scopes, an auto-created scope has creatorTyp=auto and an empty creatorId; auto means the AS created it.
  • When a UMA scope is created by a human through TUI or Admin UI, creatorType is USER (for example Admin) and creatorId is the inum of the logged-in user.