Using the onBehalfOf Allowed Operation

The onBehalfOf allowed operation provides a way to ensure that access privileges can be generated from the user's privileges alone, so that a client application can access endpoints to which the user has access, even if the client application by itself would not normally have access.

When an authorized client application implements functionality that requires it to access Identity Cloud Service endpoints, that client is granted the necessary privileges to do so. A web application client, on the other hand, implements functionality that requires the client application to access endpoints using the privileges and scopes acquired from the logged-in user. With Identity Cloud Service's default authorization behavior, that client must still have the full set of privileges required to access those endpoints without regard to the privileges granted to the user. The onBehalfOf allowed operation provides an administrator a way to indicate that the user's privileges alone should be used rather than an intersection of the user's scopes (if a user is present) and the client's scopes.

Public or CLI applications have very limited privileges or no privileges to access endpoints. These types of clients rely on the user who is accessing the application to drive what rights the application has. When a user is accessing a public application, if the user was issued an access token that is constructed from the user's privileges alone, that user would be able to access the endpoints as long as the user is authorized.

The onBehalfOf allowed operation enables you to generate such an access token for the OAuth Client application. When computing the Identity Cloud Service-specific scopes (scopes that begin with "urn:opc:idm:") to set in the access token, Identity Cloud Service ignores the client's privileges and uses a scope equal to or less than the scope originally granted to the authorized user. So, only the user's privileges (admin roles, groups, and so on) in conjunction with the requested scopes are used to determine access. If the requested scope "urn:opc:idm:_myscopes_" is used, then all scopes that are granted to the user are returned.

Enabling the onBehalfOf Allowed Operation

Use the Identity Cloud Service REST APIs to create or update an OAuth application, and specify onBehalfOfUser as an allowed operation. When you create an OAuth application using the Identity Cloud Service UI, on the Authorization page, select the check box for the On behalf Of allowed operation. When users access the application, they can perform various functions based on their permissions.

Note: The current OAuth scope model in Identity Cloud Service versions 16.3.6 and 16.4.4 performs an intersection of the user's scopes (if present) and the client's scopes during the creation of the access token. The combined privileges of the user and client can't be more than either of the entities, and is in fact, limited to what both the entities already possess. The Administrator must grant the users the same admin role as the app.


The example shows how to create an application and specify the onBehalfOfUser allowed operation (in bold in the example).

cat</tmp/OAuthClientApp.json << __EOF__
  "schemas": [
  "displayName": "publicClientApp",
  "isOAuthClient": true,
  "description": "public client",
  "active": true,
  "clientType": "public",
  "basedOnTemplate": {
    "value": "CustomBrowserMobileTemplateId"
  "redirectUris": [
  "logoutUri": "",
  "postLogoutRedirectUris": [""],
  "allowedScopes": [
      "fqs": ""
      "fqs": ""
      "fqs": ""
  "allowedOperations": [
    "onBehalfOfUser"   ],
  "allowedGrants": [
curl -X POST -H "Content-type: application/json" -H "Authorization: Bearer <access token value>" --data @/tmp/OAuthClientApp.json http://<IDCS-Service-Instance>/admin/v1/Apps


See Generate Access Token and Other OAuth Runtime Tokens to Access the Resource for access token request and response examples using a client assertion.