Configuring OAuth 2.0 scopes

Configure OAuth 2.0 scopes to control access to API Suites in API Gateway.

Scope configuration requires three elements:

  • Assign scopes to the authorized application
  • Request the required scopes in the token request and ensure that they are granted
  • Enable scope enforcement

After changing scope assignments or associations, request a new access token. Existing tokens do not reflect updated configuration.

For conceptual information about scope behavior, enforcement logic, and token handling, see OAuth 2.0 scopes in API Gateway.

For information about creating and managing custom scopes, see Managing custom OAuth 2.0 scopes.

For additional examples, see KB3537918.

Complete the prerequisite setup once per tenant. Then configure backend or front-end applications.

Completing prerequisite setup

Complete these steps once per tenant.

  1. Navigate to Configuration > OAuth 2.0 Settings in the API Gateway admin UI.
  2. Turn on Enable Scopes per authorized app.

    This setting enables the scope selection list for authorized applications. If the scope selection list does not appear on the Authorized Apps page, verify that this setting is enabled.

  3. Navigate to the Authorized Apps page.
  4. Select an application.
  5. Specify a scope name in the scope selection list and select the matching scope.

    Matching scopes appear in the list as you type.

  6. Repeat for each required scope.
  7. Verify that all required scopes are assigned.

    Standard Infor scopes appear only if the corresponding API Suite is available in Available APIs.

Configuring backend service applications

Backend service applications use service accounts to obtain tokens. Assign the same scopes to the service account and the authorized application.

  1. Navigate to Infor OS Security (IFS) > Service Accounts.
  2. Select the service account.
  3. Add the same scopes that are assigned to the authorized application.
  4. Repeat for each service account used by the application.

    For ION, all service accounts used by the application must include the required scopes.

  5. Open the application on the Authorized Apps page.
  6. Turn on Enforce Scopes.

    Enable this setting only after scopes are correctly assigned. If required scopes are missing from the token, requests to scope-protected API Suites are rejected.

  7. Specify the required scopes in the token request as a space-delimited list in the scope parameter.

    Scope names are case-sensitive and must match assigned scopes exactly.

  8. Request a new access token.
  9. Verify that the token includes the expected scopes.
  10. Call a scope-protected API Suite and verify that the request succeeds.

Configuring front-end applications

Front-end applications request scopes during the authorization flow. Users approve scopes in the consent prompt. Only requested and approved scopes are included in the token.

  1. Specify the required scopes in the authorization request as a space-delimited list in the scope parameter.

    Example: scope=inventory-access pricing-access

  2. Initiate the authorization flow.
  3. Approve the requested scopes.

    Scopes that are not approved are not included in the token.

  4. Open the application on the Authorized Apps page.
  5. Turn on Enforce Scopes.

    Ensure that the application requests all required scopes before enabling this setting.

  6. Complete the authorization flow.
  7. Verify that the token includes the expected scopes.
  8. Call a scope-protected API Suite and verify that the request succeeds.

Verifying scope configuration

Verify scope configuration by inspecting assigned scopes and issued tokens.

  1. Download the credentials file from the Authorized Apps page.
  2. Review the scopes listed in the credentials file.
  3. Request a new access token.
  4. Inspect the scope field in the token response.
  5. Call a scope-protected API Suite.
  6. If the request fails, verify scope assignments, request parameters, scope casing, and that a new token was obtained after configuration changes.
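The following added example (not Infor's code) shows the token-request and verification steps from the backend and verification procedures above: it builds the space-delimited scope parameter for the token request and checks the scope field of the token response against the required scopes, distinguishing a missing scope from a casing mismatch. The grant fields, the token endpoint and the sample response are assumptions; only the scope handling follows this page.

```python
"""Build the scope parameter of a token request and verify the scopes
granted in the token response (case-sensitive, space-delimited)."""
from urllib.parse import urlencode


def build_scope_param(required: list[str]) -> str:
    """Join scope names with single spaces; names are passed verbatim,
    because the gateway compares them case-sensitively."""
    cleaned = [s.strip() for s in required if s.strip()]
    if any(" " in s for s in cleaned):
        raise ValueError("scope names must not contain spaces")
    return " ".join(cleaned)


def build_token_request_body(required: list[str], grant_fields: dict) -> str:
    """URL-encode the form body for the token endpoint. grant_fields
    (grant_type, client credentials, ...) depend on the flow and are
    supplied by the caller; this example only adds the scope parameter."""
    body = dict(grant_fields)
    body["scope"] = build_scope_param(required)
    return urlencode(body)


def verify_granted_scopes(token_response: dict, required: list[str]) -> dict:
    """Compare the 'scope' field of a token response with the required
    scopes. Reports scopes that are absent and scopes that differ only
    in casing, the two causes the verification procedure asks to check."""
    granted = set(token_response.get("scope", "").split())
    by_lower = {g.lower(): g for g in granted}
    missing, case_mismatch = [], {}
    for scope in required:
        if scope in granted:
            continue
        if scope.lower() in by_lower:
            case_mismatch[scope] = by_lower[scope.lower()]  # granted under other casing
        else:
            missing.append(scope)
    return {"ok": not missing and not case_mismatch,
            "missing": missing, "case_mismatch": case_mismatch}


# Constructed sample token response (placeholder token, not a real one):
# one scope matches exactly, the other was assigned with different casing.
SAMPLE_RESPONSE = {"access_token": "<placeholder>", "token_type": "Bearer",
                   "expires_in": 3600, "scope": "inventory-access Pricing-Access"}
REQUIRED = ["inventory-access", "pricing-access"]

if __name__ == "__main__":
    print(build_token_request_body(REQUIRED, {"grant_type": "<assumed>"}))
    print(verify_granted_scopes(SAMPLE_RESPONSE, REQUIRED))
```

Run the check before enabling Enforce Scopes and again after every new token, since existing tokens do not reflect changed assignments.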