Configure OAuth 2.0 scopes
Configure OAuth 2.0 scopes to control access to API suites in API Gateway.
Scope configuration requires three elements:
- Assign scopes to the authorized application
- Include the required scopes in the token request and ensure that they are granted
- Enable scope enforcement
After changing scope assignments or associations, you must request a new access token. Existing tokens do not reflect the updated configuration.
For conceptual information about scope behavior, enforcement logic, and token handling, see OAuth 2.0 scopes in API Gateway.
For information about creating and managing custom scopes, see Manage custom OAuth 2.0 scopes.
For additional examples, see KB3537918 in the Infor Knowledge Base.
Complete the prerequisite setup once per tenant. Then configure back-end or front-end applications.
Completing prerequisite setup
Complete these steps once per tenant.
Configuring back-end service applications
Back-end service applications use service accounts to obtain tokens. Assign the same scopes to the service account and the authorized application.
Configuring front-end applications
Front-end applications request scopes during the authorization flow. Users approve scopes in the consent prompt. Only requested and approved scopes are included in the token.
Verifying scope configuration
Verify scope configuration by inspecting assigned scopes and issued tokens.
- Download the credentials file from the Authorized Apps page.
- Review the scopes listed in the credentials file.
- Request a new access token.
- Inspect the
scopefield in the token response. - Call a scope-protected API suite.
- If the request fails, verify scope assignments, request parameters, and scope casing., Also verify that a new token was obtained after your configuration changes.