Using Trust Scopes

Trust scopes define how an OAuth client accesses resources. Trust scopes allow a trusted or confidential client application to acquire an access token that gives access to any of the resources within a domain (Account), to other resources based on defined tags (Tags), or to only those services where an explicit association between the client and the service (Explicit) exists.

The option to define the trustScope parameter is available only to trusted and confidential client applications. The option isn't available to public client applications.

There are a few items to keep in mind when using a trust scope:

The trustScope attributes of Account, Tags, and Explicit are named All (for Account), Tagged (for Tags), and Specific (for Explicit) in the Oracle Identity Cloud Service administrative console.
  • Use only the urn:opc:resource:consumer::all scope in the request. An invalid scope error is returned if you attempt to include both the urn:opc:resource:consumer::all scope and another scope in the same request, such as urn:opc:idm:__myscopes__.

  • Requesting an access token using the urn:opc:resource:consumer::all scope doesn't return an access token that provides access to the Oracle Identity Cloud Service admin APIs. You must continue to use the urn:opc:idm:__myscopes__ scope to access the admin APIs. See Scopes.

  • The scope that the client application requests must exist and must match the client's defined allowed scopes, either directly or hierarchically, before the client is granted access to the resource.

  • The trustScope value of Explicit is assigned by default to trusted and confidential client applications. It allows your client application to acquire an access token with permissions based on an explicit association between the client and the target services. To use the All or Tagged option, you must update the client application with either the trustScope value of All or Tags.

  • For identity propagation token requests using the urn:opc:resource:consumer::all scope, the resulting access token doesn't include the urn:opc:resource:consumer::all scope.
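The rules in the list above, modelled as a scope check that an authorization server or a reviewer could run against a token request. This is an added example, not Oracle Identity Cloud Service code; the Client class, the error codes chosen for each rejection, and the prefix-based "hierarchical" match are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALL_RESOURCES = "urn:opc:resource:consumer::all"  # trust-scope request scope (from the page)
ADMIN_SCOPE = "urn:opc:idm:__myscopes__"          # admin API scope (from the page)

@dataclass
class Client:
    """Assumed representation of a registered OAuth client (not the service's schema)."""
    client_id: str
    client_type: str                      # "trusted", "confidential" or "public"
    trust_scope: Optional[str] = None     # "Account", "Tags", "Explicit"; None for public
    allowed_scopes: Set[str] = field(default_factory=set)

def scope_allowed(requested: str, allowed: Set[str]) -> bool:
    """Direct match, or hierarchical match. Assumed model of 'hierarchically':
    an allowed scope covers any requested scope nested under it, so
    'https://api.example/read' covers 'https://api.example/read/reports'."""
    return any(requested == a or requested.startswith(a.rstrip("/") + "/") for a in allowed)

def validate_token_request(client: Client, scopes: List[str],
                           identity_propagation: bool = False
                           ) -> Tuple[Optional[List[str]], Optional[str]]:
    """Return (granted_scopes, None) on success or (None, oauth_error) on rejection."""
    if ALL_RESOURCES in scopes:
        # Rule: consumer::all must be the only scope in the request (e.g. not
        # combined with urn:opc:idm:__myscopes__), otherwise an invalid scope error.
        if len(scopes) > 1:
            return None, "invalid_scope"
        # Rule: trustScope is only available to trusted and confidential clients.
        # Error code for a public client is an assumption (standard OAuth value).
        if client.client_type == "public" or client.trust_scope is None:
            return None, "unauthorized_client"
        # Rule: an identity propagation token does not carry consumer::all itself.
        return ([] if identity_propagation else [ALL_RESOURCES]), None
    # Rule: every other requested scope must match the client's allowed scopes.
    for requested in scopes:
        if not scope_allowed(requested, client.allowed_scopes):
            return None, "invalid_scope"
    return list(scopes), None

def grants_admin_api(granted: List[str]) -> bool:
    # Rule: only urn:opc:idm:__myscopes__ reaches the admin APIs; consumer::all never does.
    return ADMIN_SCOPE in granted
```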

The following links provide more information on each trustScope available: