OAuth2 Scopes Schema
- Updated on 07 Oct 2024
Within IAP Integration instances, support has been added for OAuth2 and OIDC authorization requests, including OAuth access tokens that contain the scopes parameter. The scopes parameter is used by the client (app or website) to signal to the authentication provider which permissions are required for the client's session.
Sample Scopes Schema
An example integration schema with its scopes in the authorizationCode flow is presented below. The example uses the BoxDev OAuth2 provider.
The scopes object is an enumerated list of scope_name: description pairs covering all scopes the OAuth provider offers, from which the user may choose a subset for the access token. The user declares this subset in the configuration of the integration instance.
{
  ...
  "components": {
    "securitySchemes": {
      "OAuth2Security": {
        "type": "oauth2",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://account.box.com/api/oauth2/authorize",
            "scopes": {
              "manage_app_users": "Provision and manage app users",
              "manage_data_retention": "Manage data retention policies",
              "manage_enterprise_properties": "Manage enterprise properties",
              "manage_groups": "Manage an enterprise's groups",
              "manage_legal_hold": "Manage Legal Holds",
              "manage_managed_users": "Provision and manage managed users",
              "manage_webhook": "Create webhooks programmatically through the API",
              "root_readonly": "Read all files and folders stored in Box",
              "root_readwrite": "Read and write all files and folders stored in Box"
            },
            "tokenUrl": "https://api.box.com/oauth2/token"
          }
        }
      }
    }
  }
}
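The following is an added example, not IAP code, showing how the scope subset configured on an instance can be checked against the scopes enumerated in the securityScheme above before the authorization request is built; the schema is a trimmed copy of the Box sample, and the client_id, redirect_uri and state values are assumed placeholders.

```python
"""Validate a requested scope subset against the OAuth2 securityScheme's
enumerated scopes, then build the authorizationCode request URL.

Added example, not IAP code. SCHEMA is a constructed, trimmed copy of the
Box sample above; the instance configuration shape is assumed."""
from urllib.parse import urlencode

# Constructed: trimmed copy of the sample schema on this page.
SCHEMA = {
    "components": {"securitySchemes": {"OAuth2Security": {
        "type": "oauth2",
        "flows": {"authorizationCode": {
            "authorizationUrl": "https://account.box.com/api/oauth2/authorize",
            "tokenUrl": "https://api.box.com/oauth2/token",
            "scopes": {
                "manage_webhook": "Create webhooks programmatically through the API",
                "root_readonly": "Read all files and folders stored in Box",
                "root_readwrite": "Read and write all files and folders stored in Box",
            },
        }},
    }}}
}


def authorization_code_flow(schema, scheme="OAuth2Security"):
    """Return the authorizationCode flow object of the named security scheme."""
    return schema["components"]["securitySchemes"][scheme]["flows"]["authorizationCode"]


def validate_scopes(schema, requested, scheme="OAuth2Security"):
    """Split a space-delimited scope string into (accepted, rejected).

    rejected holds names absent from the provider's enumeration; the caller
    should fail closed instead of silently dropping or forwarding them."""
    offered = authorization_code_flow(schema, scheme)["scopes"]
    names = requested.split()
    accepted = [s for s in names if s in offered]
    rejected = [s for s in names if s not in offered]
    return accepted, rejected


def build_authorize_url(schema, requested, client_id, redirect_uri, state,
                        scheme="OAuth2Security"):
    """Build the authorization request URL; raise on any unknown scope."""
    accepted, rejected = validate_scopes(schema, requested, scheme)
    if rejected:
        raise ValueError(f"scopes not offered by provider: {rejected}")
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state,
                       "scope": " ".join(accepted)})
    return f"{authorization_code_flow(schema, scheme)['authorizationUrl']}?{query}"
```

The accepted list keeps the order the instance configured, so the scope parameter sent to the provider matches what the operator declared.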
Sample Scope Configuration
An example integration instance is shown in Figure 1. In this example configuration, scope is set to read write for Microsoft Online.
Figure 1: Scope Configuration