Using Trust Scopes
Trust scopes define how an OAuth client accesses resources. Trust scopes allow a trusted or confidential client application to acquire an access token that gives access to any of the resources within a domain (Account), to other resources based on defined tags (Tags), or to only those services where an explicit association between the client and the service (Explicit) exists.
Note:
The option to define the trustScope parameter is available to only trusted and confidential client applications. The option isn't available to public client applications.
Note:
The trustScope attributes of Account, Tags, and Explicit are named All (for Account), Tagged (for Tags), and Specific (for Explicit) in the Oracle Identity Cloud Service administrative console.
- Use only the urn:opc:resource:consumer::all scope in the request. An invalid scope error is returned if you attempt to include both the urn:opc:resource:consumer::all scope and another scope in the same request, such as urn:opc:idm:__myscopes__.
- Requesting an access token using the urn:opc:resource:consumer::all scope doesn't return an access token that provides access to the Oracle Identity Cloud Service admin APIs. You must continue to use the scope: urn:opc:idm:__myscopes__ to access the admin APIs. See Scopes.
- The scope requested by the client app should always exist and match, either directly or hierarchically, the client's defined allowed scopes to allow the client access to the resource.
- The trustScope value of Explicit is assigned by default to trusted and confidential client applications and allows your client application to acquire an access token with permissions based on an explicit association between the client and target services. To use the All or Tagged option, you must update the client application with either the trustScope value of All or Tags.
- For identity propagation token requests using the urn:opc:resource:consumer::all scope, the resulting access token doesn't include the urn:opc:resource:consumer::all scope.
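The scope rules listed above can be enforced on the client side before a token request is sent, so a bad combination fails locally instead of as an invalid scope error from the server. This is an added example, not code from the Oracle documentation; the client-credentials grant, the client_type labels, and the function names are assumptions of the example, and the credentials are constructed.

```python
import base64
from urllib.parse import urlencode

ALL_SCOPE = "urn:opc:resource:consumer::all"   # scope named on this page
ADMIN_SCOPE = "urn:opc:idm:__myscopes__"       # still required for the admin APIs
# Per the page's note, only these client types can define trustScope.
TRUST_SCOPE_CLIENTS = {"trusted", "confidential"}


class ScopeError(ValueError):
    """Raised locally, before the server would reject the request."""


def check_scopes(scopes, client_type, needs_admin_api=False):
    """Apply this page's rules to a requested scope list; return it de-duplicated."""
    scopes = list(dict.fromkeys(scopes))  # drop duplicates, keep order
    if not scopes:
        raise ScopeError("no scope requested")
    if ALL_SCOPE in scopes:
        # Assumption: a client that cannot define trustScope should not ask for it.
        if client_type not in TRUST_SCOPE_CLIENTS:
            raise ScopeError("trustScope is not available to public clients")
        if len(scopes) > 1:
            raise ScopeError(f"{ALL_SCOPE} must be the only scope in the request")
        if needs_admin_api:
            raise ScopeError(f"admin APIs need {ADMIN_SCOPE}, not {ALL_SCOPE}")
    return scopes


def build_token_request(client_id, client_secret, scopes, client_type,
                        needs_admin_api=False):
    """Return (headers, body) for an OAuth 2.0 client-credentials token request."""
    scope = " ".join(check_scopes(scopes, client_type, needs_admin_api))
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


if __name__ == "__main__":
    # Constructed credentials; nothing is sent over the network.
    _, body = build_token_request("example-client", "example-secret",
                                  [ALL_SCOPE], "confidential")
    print(body)
```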
The following links provide more information on each trustScope available: