API Gateway 10.11 | Administering API Gateway | Security Configuration | OAuth, JWT, and OpenID Configuration | Mapping OAuth or OpenID Scopes
 
Mapping OAuth or OpenID Scopes
You must have the API Gateway's manage security configurations functional privilege assigned to manage scopes.
You have to map the scope that you have defined in the authorization server with the APIs in API Gateway to authorize the access tokens to be used to access the protected resources. You can map either a complete API or parts (resources or methods) of an API to the scope.
For example, if there is a scope you have defined for an external authorization server, such as readonly, then the access tokens which contain readonly as their scope, should access only the GET resources. So, you can create an API Scope for the GET resources in an API or for multiple APIs and then map this readonly scope to all those API Scopes. Now this access token can invoke only the GET resources. If it tries to invoke any POST or PUT resource it fails. As another example you can consider mapping a business scope such as, inventory, that you have defined in the authorization server; you can map all the resources required for the inventory business to this scope.
*To map a scope
1. Expand the menu options icon , in the title bar, and select OAuth/OpenID scopes.
2. Click Map scope.
3. Provide the following information in the Authorization server scope section:
Field
Description
Select authorization server scope
Specifies the scope linked to the authorization server.
Type a search word and select the required scope from the search list populated.
Name
Displays the name of the authorization server scope selected. This is populated by default and is non-editable.
Description
A brief description for the scope being mapped.
Audience
Provide a value or URI, the intended recipient of the authorization server scope.
The application that receives the token verifies that the audience value is correct and rejects any tokens intended for a different audience.
4. Click API scopes.
5. Specify an API scope that is to be linked to the authorization server.
Alternatively, you can type a search word and select the required API scope from the search list populated.
The API scopes added are listed in the Selected API scopes table. You can click the delete icon , in the corresponding column, to delete an API scope from the list.
6. Click Save.
This maps the authorization server scope to the selected API scopes and lists the authorization scope in the scopes list.