Managing custom OAuth 2.0 scopes

Use these procedures to create and manage custom OAuth 2.0 scopes for non-Infor API suites in API Gateway. These tasks include creating scopes, associating scopes with API Suites, assigning scopes to authorized applications, enabling enforcement, and deleting scopes.

Creating a custom scope

Create a custom scope to define a permission boundary for non-Infor API access.

  1. In the API Gateway menu, select Configuration > OAuth 2.0 Custom Scopes.
  2. Click + Add and specify this information:
    1. Name: Enter a unique name using only English characters. The maximum length is 50 characters. The name must not start with infor- and cannot be openid.
    2. Description (optional): Add a description to explain the scope's purpose. Descriptions support global characters and can contain up to 500 characters.
  3. Click Save.

The new scope appears as a tile in the custom scopes list. You can search and sort scopes to find them quickly.

Associating a custom scope with an API Suite

Associating a scope with an API Suite defines which APIs the scope grants access to.

  1. In the custom scopes list, click the name of the scope that you want to associate.
  2. Scroll to the API Suites tab at the bottom of the scope details page.
  3. Click Add.
  4. In the search bar, type the name of the API Suite. Matching results appear in a selection list.
  5. Select one or more suites and click Associate.

The system saves changes automatically. Associated suites appear under the API Suites tab, and the scope appears on each suite's details page for cross-reference.

Associating a custom scope with an authorized application

Associating a custom scope with an authorized application requires enabling the scopes toggle, assigning the scope, and verifying the assignment.

  1. Enable the scopes toggle.
    1. In the IONAPI Admin UI, select Configuration > OAuth 2.0 Settings.
    2. Turn on Enable Scopes per authorized app.
    This activates the scope selection list for all authorized applications. You only need to do this once.
    Note: If the scope selection list does not appear on the Authorized Apps page, verify that this toggle is enabled.

  2. Assign the scope.
    1. Navigate to the Authorized Apps page and locate the application.
    2. In the Scope selection list, type the scope name. Matching scopes appear as you type.
    3. Select the scope to complete the association.
  3. Verify the assignment.
    1. Download the application's credentials file.
    2. Check the scopes list in the credentials. The custom scope must be included.

The association also appears under the Authorized App tab on the scope's details page.

Enabling scope enforcement on an authorized application

After you assign scopes to an authorized application, enable enforcement for the gateway to validate those scopes at runtime.

  1. Navigate to the Authorized Apps page and open the application's details page.
  2. Locate the Enforce Scopes toggle on the application's details page.
  3. Turn on Enforce Scopes.

After enforcement is enabled, the gateway validates the application's token scopes against the target API Suite's associated scopes on every request.

Note: When the Enforce Scopes toggle is disabled, the gateway does not enforce scopes for tokens obtained by using that authorized application's credentials. All requests are allowed through regardless of scope configuration.

After you enable the toggle, the gateway validates the token's scopes on every request. Ensure scopes are assigned to the application and included in token requests before you enable enforcement.
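
The enforcement behaviour described above, as an added example (not Infor code): a small model of the gateway's allow/deny decision, plus an audit that flags applications whose scope assignment and Enforce Scopes toggle disagree. The inventory layout, application names and scope names are constructed, and the any-match rule is an assumption because the page does not state whether one or all of the suite's scopes must be present in the token.

```python
# Added example: model of the Enforce Scopes behaviour described above.
# Record layout, app names and scope names are constructed for illustration.

def gateway_decision(enforce_scopes, token_scopes, suite_scopes):
    """Return 'allow' or 'deny' for one request to an API Suite."""
    if not enforce_scopes:
        # Toggle off: scopes are not checked, whatever is configured.
        return "allow"
    # Assumption: one scope shared by the token and the suite is sufficient.
    # The page does not say whether any or all suite scopes must match.
    return "allow" if set(token_scopes) & set(suite_scopes) else "deny"

def audit(apps):
    """Flag authorized apps whose toggle and scope assignment disagree."""
    findings = []
    for app in apps:
        if app["scopes"] and not app["enforce_scopes"]:
            # Scopes look restrictive in the UI but nothing is validated.
            findings.append((app["name"], "SCOPES_NOT_ENFORCED"))
        elif app["enforce_scopes"] and not app["scopes"]:
            # Enforcement was enabled before any scope was assigned.
            findings.append((app["name"], "ENFORCED_WITHOUT_SCOPES"))
    return findings

# Constructed inventory, as an administrator might transcribe it from the
# Authorized Apps page and each application's details page.
APPS = [
    {"name": "billing-sync", "scopes": ["billing-read"], "enforce_scopes": True},
    {"name": "legacy-export", "scopes": ["billing-read"], "enforce_scopes": False},
    {"name": "new-service", "scopes": [], "enforce_scopes": True},
]
SUITE_SCOPES = ["billing-read"]  # scopes associated with the target API Suite

if __name__ == "__main__":
    for app in APPS:
        # Simulate a token that carries exactly the scopes assigned to the app.
        verdict = gateway_decision(app["enforce_scopes"], app["scopes"], SUITE_SCOPES)
        print(f'{app["name"]:14} enforce={app["enforce_scopes"]!s:5} -> {verdict}')
    for name, code in audit(APPS):
        print(f"finding: {name}: {code}")
```

An application reported as SCOPES_NOT_ENFORCED has scopes visible in the UI and in its credentials file, yet its requests are never validated against them.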

Deleting a custom scope

Delete a custom scope only after you remove all API Suite and authorized application associations.

  1. Open the scope and verify that it is not linked to any API Suite or authorized application.
  2. If associations exist, remove the associations.
  3. Return to the custom scopes list and locate the scope tile.
  4. Hover over the tile to display the delete option.
  5. Click Delete and confirm the action.